  • Cannot get mobile IPSEC client to route over IPSec site-to-site tunnel
    0 Votes, 11 Posts, 2k Views
    Bingo! That did the trick. Thank you :)
  • 1:1 NAT over IPSec - no networks found
    0 Votes, 2 Posts, 516 Views
    Figured it out! It was a mix-up in the IPs configured in the Phase 2 network settings when using the BiNat feature.
  • IPSEC VPN between 2 sites has constant ~20k traffic. How best to find out what it is?
    0 Votes, 3 Posts, 678 Views
    @nogbadthebad said in IPSEC VPN between 2 sites has constant ~20k traffic. How best to find out what it is?: "Have you tried a packet capture?"
    I didn't realize pfSense had a packet capture. Thanks for suggesting it. Now the results. I ran a quick capture on ipsec and then found the busy IP address. A quick look at the lease assignments showed me it was my Uniden Police Scanner wifi dongle. Then it hit me. I run Proscan scanner software from my office that points to my Uniden scanner to capture fire calls in my town (using the "fire tone out" feature), and then email them to me so I can hear them on my phone. I totally forgot that I had that communication running all the time, but the packet capture quickly pointed it out. Problem solved. Thanks for the tip. Roveer
  • 0 Votes, 11 Posts, 2k Views
    @dkase279 mine prevents the tunnel from working as client machines cannot ping through to my main site via the VPN. I'm going to log a call with Netgate if possible as it's preventing service. I also might put logs on here once it happens again.
  • Phase 1 Proposal (Encryption Algorithm)
    0 Votes, 4 Posts, 754 Views
    Hi, thanks for your response. First of all please accept my apologies for my appalling grammar and spelling in my original post. My brain must have been frazzled. I have sorted it by using a different browser (Chrome); why I didn't try this initially I have no idea. Thanks, Danny
  • One to many subnets
    0 Votes, 2 Posts, 349 Views
    jimp
    You have two choices: create a P2 entry for every combination of your local subnet and remote subnets, or summarize the remote subnets into a larger network if they are close together.
  • IPSEC traffic denied by default IPv4 Rule
    0 Votes, 13 Posts, 2k Views
    Yes, Cisco just asked for that. We are going to do a packet capture on both ends.
  • [CLOSED - Can't reproduce] IPSec using alias IP instead of WAN IP
    0 Votes, 18 Posts, 2k Views
    Here's the results:

    ```
    --- Started update ---
    Updating repositories metadata...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    done.
    pfSense repository is up to date.
    All repositories are up to date.
    2.4.3_1 version of pfSense is available
    Downloading upgrade packages...
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking for upgrades (9 candidates): ......... done
    Processing candidates (9 candidates): ......... done
    The following 8 package(s) will be affected (of 0 checked):

    Installed packages to be UPGRADED:
            sqlite3: 3.21.0_1 -> 3.22.0_1 [pfSense]
            pfSense-rc: 2.4.3 -> 2.4.3_1 [pfSense-core]
            pfSense-kernel-pfSense: 2.4.3 -> 2.4.3_1 [pfSense-core]
            pfSense-default-config: 2.4.3 -> 2.4.3_1 [pfSense-core]
            pfSense-base: 2.4.3 -> 2.4.3_1 [pfSense-core]
            pfSense: 2.4.3 -> 2.4.3_1 [pfSense]
            perl5: 5.24.3 -> 5.24.4 [pfSense]
            libnghttp2: 1.29.0 -> 1.31.1 [pfSense]

    Number of packages to be upgraded: 8

    67 MiB to be downloaded.
    [1/8] Fetching sqlite3-3.22.0_1.txz: .......... done
    [2/8] Fetching pfSense-rc-2.4.3_1.txz: .. done
    [3/8] Fetching pfSense-kernel-pfSense-2.4.3_1.txz: .......... done
    [4/8] Fetching pfSense-default-config-2.4.3_1.txz: . Done
    System update failed!
    --- Update ended with errors ---
    ```

    System rebooted and shows:

    ```
    Version 2.4.3-RELEASE-p1 (amd64)
    built on Thu May 10 15:02:52 CDT 2018
    FreeBSD 11.1-RELEASE-p10
    ```

    IPSec status shows connected ... Failing updates have been reported by several users, so this is not new. Can't reproduce after freshly installing for a second time -- please note the previous installation was fresh and config restored as well. I'm closing this as can't reproduce -- please let me know if there is anything else I can test for you guys.
  • IPSEC VPN Login Syslogs
    0 Votes, 2 Posts, 443 Views
    NogBadTheBad
    NB I use FreeRadius for auth. 1.2.3.4 = WAN
    (charon log excerpt omitted)
  • creating IPSEC phase1 drops openvpn
    0 Votes, 2 Posts, 438 Views
    Derelict
    Trying to route the same networks over OpenVPN as IPsec or some other conflict? Going to have to post more information.
  • Encryption Support by Operating System?
    0 Votes, 1 Post, 258 Views
    No one has replied
  • IPSEC Tunnel not connecting to Palo Alto Peer
    0 Votes, 2 Posts, 694 Views
    Derelict
    Sorry - can't help with that message on the PA. Obviously doesn't like something. If all of the P2s hard fail, the other side might send a disconnect for the P1, which pfSense will honor. Whatever the answer, the problem lies in the IPsec logs.
  • IPSEC with snat
    0 Votes, 1 Post, 453 Views
    No one has replied
  • HowTo create a Site-to-Site connection with my side in Subnet?
    0 Votes, 1 Post, 346 Views
    No one has replied
  • [IPSec] Unable to force all internet traffic over IKEv1 L2L
    0 Votes, 6 Posts, 816 Views
    Hello, it was indeed this Firewall Rule. Once I removed the Gateway part, traffic started hitting the IPSec tunnel. Cheers for the help.
  • Disable old ciphers
    0 Votes, 2 Posts, 591 Views
    bepo
    @gsmithe said in Disable old ciphers: "SHA1"
    Hey gsmithe, I don't know your PCI scanner. Sometimes a scanner alerts on SHA1 too. Check your Phase1/Phase2 config. If the configuration for DES/3DES is unchecked, this is not your problem. Kind regards
  • Pfsense - Parameter Tunnel GRE with IPSec
    0 Votes, 1 Post, 281 Views
    No one has replied
  • Multiple child SA entries (same tunnel)
    0 Votes, 5 Posts, 2k Views
    blackpaw29
    Same issue here, 2.4.3-1
  • IPsec Broken in Latest Dev 2.4.4.a.20180705.0739
    0 Votes, 3 Posts, 735 Views
    Many thanks!
  • IPSEC Tunnel works only when IP is static
    0 Votes, 6 Posts, 884 Views
    The tunnel only works when the IP on the server is set manually, but only in the 40.0/24 segment; dynamically it doesn't work. The 41.0/24 segment does not send traffic to pfSense at all, even when the /23 is set up in Phase 2. Due to policies and prod environments working in other tunnels I can update the version.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.