• IPSEC tunnel issues to a Cisco RV320

    10
    0 Votes
    10 Posts
    2k Views
    cukal
    @stevetoza Off-topic, but here goes. We've experienced all sorts of things with the Cisco RV325 series. Stability, however, isn't one of them when running several heavy-traffic IPSec tunnels. We swapped out our RV320/325s for virtual pfSense appliances. After a lengthy support thread with a very helpful Cisco support guy they swapped all our units for the new RV340, which is a significantly better hardware platform, but since we've been bitten quite a few times by RV320s just going dark on us we now use them as expensive switches. SNMP showed that each time they went offline it was because of pure memory starvation. An RV325 unit with 5 IPSec tunnels and a bunch of locally attached stuff would keep running for max 2-3 weeks and then would slowly die: first the web console would stop responding (and it's already painstakingly slow) and a few hours later all the IPSec tunnels would become unresponsive. There's no automation for these boxes and we don't have managed PDUs, so instead of driving to the site location to switch them literally off & back on I rolled some Selenium GUI manipulation to power-cycle them every week like that. Seriously. Also had to power-cycle twice because sometimes the first reboot wouldn't bring up the IPSec tunnels, and when that happened they would never become active; only a secondary reboot would fix that. Seeing your print screen of the web console throws me back to a lonely, dark and painful place ;)
  • IPSEC one user, multiple connections

    ipsec vpn mobil
    3
    1 Votes
    3 Posts
    1k Views
    E
    That's it! Thank you so much!
  • l2tp/ipsec force client to use pre-sharedkey

    2
    0 Votes
    2 Posts
    363 Views
    johnpoz
    You're going to have to give us a bit more to go on vs. just saying you have set up l2tp/ipsec.. https://www.netgate.com/docs/pfsense/book/l2tp/l2tp-with-ipsec.html What client are you using?
  • 0 Votes
    3 Posts
    636 Views
    R
    Hi, I've done such a setup with two pfSenses. Each has a separate WAN provider. The other site is a single HA VMware NSX Edge firewall. I made a script which checks the WAN connection. If the internet fails, the script switches to the backup pfSense and starts the VPN tunnel there. There is not much else you can do. I'm also waiting for VTI tunnel support in 2.4.4.
  • IPsec connection 'partially' blocked

    1
    0 Votes
    1 Posts
    392 Views
    No one has replied
  • PFSense IPSec with phase 2 remote subnet overlaps local subnet.

    4
    0 Votes
    4 Posts
    2k Views
    F
    Ahh.. Got it. But I have 7 LAN interfaces I have to apply this to, not just one. On the pfSense website, I found Bug 5826 that describes the problem I'm having: https://redmine.pfsense.org/issues/5826 . I'll do some research to see if I can get into the strongSwan config and do this for multiple interfaces manually. Thanks again for the help. I never noticed the Auto-exclude LAN address feature in IPSec.
  • L2TP closes connection for unknown reason

    Moved
    11
    0 Votes
    11 Posts
    2k Views
    lifeboy
    I have sort of bypassed my problem by downgrading my MikroTik RouterOS version, but of course that opens me up to possible exploits which may have been fixed since. I have not considered that a client connecting/disconnecting could be causing this, though, so I will carefully note what happens next time I have a disconnect.
  • Is there any limit on maximum number of ipsec tunnels

    3
    0 Votes
    3 Posts
    4k Views
    A
    Hello, I've 50 phase 1 and 150 phase 2 on my pfSense server (HP G8). CPU Type: Intel(R) Xeon(R) CPU E5-2643 0 @ 3.30GHz, 8 CPUs: 2 package(s) x 4 core(s). AES-NI CPU Crypto: Yes (active). Hardware crypto: AES-CBC, AES-XTS, AES-GCM, AES-ICM. The last tunnel I created is causing trouble. Phases 1 and 2 are UP from time to time, and when they are UP, no traffic passes. I tested this VPN on a virtual machine pfSense and everything is OK. I wonder if I'm reaching a tunnel limit. If yes, how do I properly modify the ikesa_table_size value to 1024 so that it is retained in case of reboot / upgrade? Thank you for your help.
  • Supposed General IPSec Vulnerability - Does it affect us?

    6
    0 Votes
    6 Posts
    1k Views
    jimp
    Since CERT has now also made the details of this issue public, I made our Redmine issue for it public: https://redmine.pfsense.org/issues/8667
  • Site to Site IPSec VPN over AT&T Wireless

    3
    0 Votes
    3 Posts
    827 Views
    O
    I have removed the check for Disable rekey. Should I be setting a margintime? I am using distinguished name for the identifiers as that is what I have commonly used in similar setups. While the error continues to point to a PSK mismatch, the keys match; I have copied the key from one configuration page to the other. Here are some more logs following the changes:

    Aug 16 08:56:31 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 3744141107 processing failed
    Aug 16 08:56:31 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:31 charon 12[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:31 charon 12[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:31 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:31 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:30 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:30 charon 12[IKE] <con1000|2> sending retransmit 2 of request message ID 0, seq 3
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 468255107 processing failed
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:23 charon 12[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:23 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:23 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:23 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 2140660544 processing failed
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> local host is behind NAT, sending keep alives
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (396 bytes)
    Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (396 bytes)
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received FRAGMENTATION vendor ID
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received DPD vendor ID
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received XAuth vendor ID
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
    Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes)
    Aug 16 08:56:18 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes)
    Aug 16 08:56:18 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
    Aug 16 08:56:18 charon 10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149
    Aug 16 08:56:18 charon 12[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:52:53 charon 12[IKE] <con1000|1> establishing IKE_SA failed, peer not responding
    Aug 16 08:52:53 charon 12[IKE] <con1000|1> giving up after 5 retransmits
    Aug 16 08:52:06 charon 07[CFG] ignoring acquire, connection attempt pending
    Aug 16 08:52:06 charon 05[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:51:41 charon 16[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:51:40 ipsec_starter 62014 'con1000' routed
    Aug 16 08:51:40 charon 14[CFG] received stroke: route 'con1000'
    Aug 16 08:51:40 charon 16[CFG] added configuration 'con1000'
    Aug 16 08:51:40 charon 16[CFG] received stroke: add connection 'con1000'
    Aug 16 08:51:40 ipsec_starter 62014 'bypasslan' shunt PASS policy installed
    Aug 16 08:51:40 charon 13[CFG] received stroke: route 'bypasslan'
    Aug 16 08:51:40 charon 14[CFG] added configuration 'bypasslan'
    Aug 16 08:51:40 charon 14[CFG] received stroke: add connection 'bypasslan'
    Aug 16 08:51:40 charon 15[CFG] deleted connection 'con1000'
    Aug 16 08:51:40 charon 15[CFG] received stroke: delete connection 'con1000'
    Aug 16 08:51:40 ipsec_starter 62014 configuration 'con1000' unrouted
    Aug 16 08:51:40 charon 13[CFG] received stroke: unroute 'con1000'
    Aug 16 08:51:40 charon 14[CFG] deleted connection 'bypasslan'
    Aug 16 08:51:40 charon 14[CFG] received stroke: delete connection 'bypasslan'
    Aug 16 08:51:40 ipsec_starter 62014 shunt policy 'bypasslan' uninstalled
    Aug 16 08:51:40 charon 15[CFG] received stroke: unroute 'bypasslan'
    Aug 16 08:51:40 charon 13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Aug 16 08:51:40 charon 13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Aug 16 08:51:40 charon 13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Aug 16 08:51:40 charon 13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Aug 16 08:51:40 charon 13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Aug 16 08:51:40 charon 13[CFG] loaded IKE secret for %any @sitea.sitea-to-siteb
    Aug 16 08:51:40 charon 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Aug 16 08:51:40 charon 13[CFG] rereading secrets
    Aug 16 08:51:37 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:51:37 charon 08[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 3
    Aug 16 08:50:55 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:50:55 charon 08[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 3
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2027756021 processing failed
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> message parsing failed
    Aug 16 08:50:32 charon 08[ENC] <con1000|1> could not decrypt payloads
    Aug 16 08:50:32 charon 08[ENC] <con1000|1> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:50:32 charon 08[NET] <con1000|1> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:50:32 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 3
    Aug 16 08:50:19 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2405277567 processing failed
    Aug 16 08:50:19 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
    Aug 16 08:50:19 charon 08[IKE] <con1000|1> message parsing failed
    Aug 16 08:50:19 charon 08[ENC] <con1000|1> could not decrypt payloads
  • IPSec Site to site VPN

    2
    0 Votes
    2 Posts
    502 Views
    Derelict
    You are going to have to do what you need to do on those upstream devices to make it work, it sounds like. If they can do some sort of PPPoE pass-through so pfSense itself is the PPPoE client, you will probably be happier. If not, the first thing I would check is that IPsec on both sides is set to use the public IP address as the identifier. If you just set My IP Address as My Identifier on the left side and connect to 124.107.X.X, and they are configured to expect 180.190.y.y as the identifier, it won't work. If you configure the left side to be My Identifier: IP Address: 180.190.y.y it might work. If those PPPoE addresses are not static (you get the same assignment every time) but dynamic (they change), you will probably have to move to setting the IDs on both sides to a distinguished name set to a dynamic DNS name that changes with the PPPoE address. PPPoE pass-through on the ISP devices is probably the easiest thing.
  • Firewall > Rules > IPsec tab does not exist

    3
    0 Votes
    3 Posts
    1k Views
    T
    It works now - either from updating pfSense to 2.4.x or ensuring that both P1 and P2 are enabled (I thought they were to begin with).
  • Second IPSec issues / IPSec redundancy queries

    3
    0 Votes
    3 Posts
    600 Views
    dotdash
    Is secondary peer supported on the pfSense? How does the pfSense react on two tunnels with the same phase 2 entries, while one of them is disabled and the other one is active? What would be a best practice and/or recommendation to run IPSec redundancy? Is route-based VPN supported on the device? If so, any particular notes on NATs/Rules?
    1- No. You can use a dynamic hostname, but that's another discussion.
    2- Not sure what your issue is, I have used disabled tunnels at several sites. Just disable the primary on both sites, clear any active sessions, and enable the secondary on both sides.
    3- Skipping this, it varies based on situation.
    4- See the release notes for the upcoming 2.4.4 release for routed IPSec.
  • Force DNS server

    ipsec dns splittunnel
    3
    0 Votes
    3 Posts
    842 Views
    C
    Changed the client's metric. Ethernet > VPN.
  • IPSec Tunnel down all of a sudden with no changes. Can access both ends.

    2
    0 Votes
    2 Posts
    304 Views
    J
    So turns out that the SITE1 IP address changed last night. Even though I'm using Dynamic DNS on both ends and both ends recognized the change, the tunnel would not reconnect until a reboot which has now fixed the issue. Weird one.
  • OpenVPN + IPSec tunnels

    1
    0 Votes
    1 Posts
    792 Views
    No one has replied
  • ipsec site to site with DMZ in one site and ppoe in the other

    1
    0 Votes
    1 Posts
    301 Views
    No one has replied
  • Traffic over 2 VPN

    2
    0 Votes
    2 Posts
    456 Views
    jimp
    You need to add Phase 2 entries to your existing tunnels to carry that traffic.
    On the tunnel from 1-2: Phase 2 for 1-2, Phase 2 for 3-2.
    On the tunnel from 1-3: Phase 2 for 1-3, Phase 2 for 2-3.
    And then on the other end of each tunnel, reverse the local/remote as usual. Make sure all of those are allowed in firewall rules as well.
  • 0 Votes
    3 Posts
    491 Views
    C
    Is this already fixed? I think we are having the same issue. How did you fix it?
  • IPSec bandwidth between two sites cycles between high and low

    1
    0 Votes
    1 Posts
    341 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.