Double check your configuration. IKEv1, main mode? If you had something that worked, it came up, then you changed something so it no longer matches (like switching to IKEv2 for instance for that log), the already-negotiated connection would stay up for the lifetime. Then come time to rekey, it fails as the config is no longer valid.

Hi cmb,

thanks i have to restart the system and then wait for the error.

thank you
Thomas

You can check the "responder only" on phase 1 to accomplish that part of it.

Anyone?
I'm still trying to get this things working….
Thank you!

hi sorry for the delay, the pfense will be deployed under ESX on a DualXeonE5-2630V3 64GB RAM, the server will also contain 2 vm's for media delivery and proxy.
I was thinking on only one concentrator,  didnt know of the existence of hardware crypto accelerators.
100mbps of throughput is required over vpn. will this hardware suffice?
Server specs:
https://secure.iweb.com/en/classicServerFlex/classicServerFlex/?id=38d2233b4574e196403bbacfcf533339

The peers are cisco using vpn ipsec lan-to-lan with x.509 certificates.

edit: read about AES-NI, will this boost even if using 3des/sha?

Is that system the default gateway on your LAN? Can you get out to the Internet via that VPN, just not to your LAN?

The MAC of your machine is only locally-significant. Your traffic from the VPN, when it gets to your LAN, is sourced from the LAN NIC MAC of the firewall. Allow its MAC (see Status>Interfaces).

OK Thanks; I will try that.

Alfredo.

@dharrigan:

Hi,

Very similar. I've updated the bug report with the configuration I have, along with a log file of the connection attempt.

-=david=-

I had the exact same config.

You're sending traffic out, but the other side isn't replying. Likely the other side is blocking your requests, either on the Zywall, or on the destination host (host firewall).

I just disabled AES-NI and rebooted and it works for me as well.  We have dual redundant firewalls as they are production, so I will wait to update the second one entirely until 2.2.4 is ready.  I hope that is soon; disabling AES-NI seems to have a performance impact on our OpenVPN tunnel performance, as I suppose one should expect with AES-CBC. :P

Thanks for the help but I already figure out this problem.

@georgeman:

Hi guys, let me outline some issues I have found with RSA IPsec, which I already debugged, found the cause, workarounds and reported the bugs  ;)

georgeman, thank you, thank you, thank you!

I did suspect it was a data matching problem, thanks for proving it.

https://redmine.pfsense.org/issues/4791