My Letter to the Governor of Oregon
Dear Governor Kitzhaber,
Please take a stand against the ongoing deterioration of our constitutionally guaranteed Liberties. We need to defeat the Patriot Act, additional Executive War Powers and the Federal moves to undermine our rights. These rights are not negotiable. The greatest minds of history were heard from in the construction of our founding documents. They are great works of rational humanity. The voices of people honoring secular and sacred traditions were instrumental in the thought that preceded the documents themselves.
We need your voice to add significance in defense of our future. The TSA is growing out of control and has become an epidemic in our society. The ongoing mistreatment of innocent civilians at the airport is coupled with expansive powers which erode our 10th, 6th, 5th, 1st and 4th amendments.
History predicts the precipice which we now stand upon. Men of great courage now will be remembered in the future, even if their popularity wanes at present. Please take a stand for the future of our country, for generations which are unseen at present. Please act with intelligence, passion and strength. Don't leave the care of our Constitutional rights to those bent on destruction, paranoia or tyranny.
Sincerely, Joshua Schmidlkofer
My Letters to the Federal Legislators
Dear
Please stand against the Patriot Act, let it expire. Please stand against granting new/additional or ongoing war powers to the Executive Branch of Government. Some of the foundations for our Bill of Rights are already being breached by the TSA. We are losing our liberty for nothing.
This is the future of our entire civilization. Please have the courage to stand against tyranny. Stop the Patriot Act. Stop the TSA. This is an embarrassment to all that we are. Please don't steal from the future of America by fearing the Liberty which so many have bled to ensure and protect.
Take sane and rational action. Please band together with other legislators in their efforts to uphold The Constitution of our Republic and hold the Office of President accountable for the sworn oath of office to uphold our core beliefs.
Sincerely, Joshua Schmidlkofer
pfSense and IPsec
Practical Troubleshooting
I love pfSense. So far it's superior to every Linux-based routing appliance. No product is perfect, but the 2.0 release is very promising. I have been troubleshooting tunnels which inexplicably do not work. I have been receiving the following error during phase1 connection:
racoon: ERROR: couldn't find configuration
This usually means a significant mismatch exists in phase1 negotiations. Despite my meticulous efforts the tunnels would not start. I watched the IPsec logs hopelessly, trying many different things. What finally worked was connecting to the console, killing racoon and starting it manually as follows:
racoon -d -v -F -f /var/etc/racoon.conf
By monitoring the output, I discovered during debugging that the packets were coming from the wrong source IP address. One of my sites has multiple WAN links, and racoon was using the wrong source address for IPsec negotiation. The phase1 arrival was clearly logged and rejected - because it didn't match any existing configuration.
Once complete, I was quickly able to determine what to do. However, if you don't have access to a host behind the pfSense firewall then you may have problems creating IPsec tunnels. I used this to force a packet:
My firewall's LAN address, which is part of the IPsec local subnet scope, is 192.168.0.1. The remote network is 10.1.1.0/24. I need to create a single packet from 192.168.0.1 to something in 10.1.1.x.
ping -S 192.168.0.1 -c 1 10.1.1.3
What could be better?
Feedback for improvement would begin with one admonition: Don't trust the log output of Racoon. I should have used tcpdump on both ends, watching for packets setting up sessions.

[2.0-RC1][root@gateway.site-a.com]/root(1): tcpdump -ni re0 port 500
16:39:07.697695 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 2/others I inf[E]
16:40:26.980944 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:36.982740 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:46.983927 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:56.985122 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:06.986307 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
Had I done this at both ends, I would have clearly seen that the wrong interface was emitting packets. Both ends. That was my mistake. I trusted logs at Site-A, and I never verified my problem at Site-B. Hours of painstaking troubleshooting for no good reason.
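As an added example (not code from the original post), the following Python script does on a saved capture what the author wishes he had done by eye at both ends: it reads the summary lines that `tcpdump -ni re0 port 500` prints and compares them against the endpoints the tunnel is configured to use, flagging ISAKMP packets from an address no tunnel is configured for and phase 1 initiations that are repeated but never answered, which is exactly how racoon's "couldn't find configuration" rejection looks on the wire. The sample capture is constructed and modelled on the lines above; the `LOCAL_WAN` and `EXPECTED_PEER` values and the address 203.0.113.45 (standing in for a remote site's second WAN link) are assumptions for the example.

```python
"""Check an ISAKMP (UDP/500) tcpdump capture against the tunnel endpoints you
expect, rather than trusting racoon's own log. Two symptoms become visible:
phase 1 arriving from an address no tunnel is configured for, and phase 1
initiations that are retried but never get a response."""
import re
from collections import Counter

# Assumed endpoints for this example: our WAN address and the peer address
# the IPsec tunnel is configured to negotiate with.
LOCAL_WAN = "192.168.81.126"
EXPECTED_PEER = "10.1.101.217"

# Constructed capture in the format printed by `tcpdump -ni <if> port 500`,
# modelled on the post. 203.0.113.45 stands in for the remote site's second
# WAN link, from which racoon is wrongly sourcing its negotiation packets.
SAMPLE_CAPTURE = """\
listening on re0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:39:07.697695 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 2/others I inf[E]
16:40:26.980944 IP 203.0.113.45.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:36.982740 IP 203.0.113.45.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:46.983927 IP 203.0.113.45.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:56.985122 IP 203.0.113.45.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:30.000000 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:30.031000 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 1 R agg
"""

# One tcpdump summary line: timestamp, IPv4 src.port > dst.port, isakmp info.
ISAKMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): isakmp: (?P<info>.*)$"
)
# Phase number, role (I = initiator, R = responder) and exchange mode.
PHASE_INFO = re.compile(r"phase (?P<phase>\d)(?:/others)? (?P<role>[IR]) (?P<mode>\S+)")


def parse_capture(text):
    """Return one dict per ISAKMP packet; lines that are not packets are skipped."""
    packets = []
    for line in text.splitlines():
        m = ISAKMP_LINE.match(line.strip())
        if not m:
            continue
        pkt = m.groupdict()
        ph = PHASE_INFO.search(pkt["info"])
        pkt["phase"] = ph.group("phase") if ph else None
        pkt["role"] = ph.group("role") if ph else None
        pkt["mode"] = ph.group("mode") if ph else None
        packets.append(pkt)
    return packets


def unexpected_endpoints(packets, local_wan, expected_peer):
    """Packets whose (src, dst) pair is not the configured endpoint pair.
    A multi-WAN peer sourcing from the wrong interface shows up here."""
    allowed = {(local_wan, expected_peer), (expected_peer, local_wan)}
    return [p for p in packets if (p["src"], p["dst"]) not in allowed]


def unanswered_phase1(packets, min_attempts=3):
    """(src, dst) pairs with >= min_attempts phase 1 initiations and no phase 1
    response in the reverse direction: the responder has no matching
    configuration and silently drops the proposal."""
    attempts = Counter()
    answered = set()
    for p in packets:
        if p["phase"] != "1":
            continue
        if p["role"] == "I":
            attempts[(p["src"], p["dst"])] += 1
        elif p["role"] == "R":
            answered.add((p["dst"], p["src"]))  # a reply reverses the direction
    return {pair: n for pair, n in attempts.items()
            if n >= min_attempts and pair not in answered}


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for p in unexpected_endpoints(pkts, LOCAL_WAN, EXPECTED_PEER):
        print(f"{p['ts']} unexpected endpoints {p['src']} -> {p['dst']}: {p['info']}")
    for (src, dst), n in unanswered_phase1(pkts).items():
        print(f"{n} phase 1 initiations from {src} to {dst} with no response")
```

To use it on a live box, capture with `tcpdump -ni re0 port 500 > capture.txt` at each end and pass the file contents to `parse_capture`; running the same check at both sites is what tells you which end is emitting from the wrong interface.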
Work Around
My current imperfect workaround is to add the following line to each of my remote sites' crontab:

cat crontab | grep newsys
# schedule fields restored as every-minute to match the 60 second keep-alive described below; the original only showed "- root"
* * * * * root /sbin/ping -S 192.168.0.1 -c 1 10.1.1.1
Obviously I turfed this above, I just thought I would share it with everyone. This has the net effect of a 60 second tunnel keep alive. May not be appropriate for some environments. Good luck.