Does anyone have any ideas how to stop this multiple tunnel issue.

I change the IP's in the config before posting it, thanks for the tip though.

Solved my problem

PFsense 1 still had his second connection cached (now used for pfsense2) There for expected the wrong ip

Also ran into not being able to ping but that was simple adding ICMP rule. Hope this might help some one else out

Well we need more info then: It doesn't work did you read this ?

http://doc.pfsense.org/index.php/VPN_Capability_IPsec

when checking into my own problems i saw this remembered it

http://doc.pfsense.org/index.php/IPsec_Troubleshooting

ERROR: pfkey DELETE received

You might see this message repeatedly as Phase 2 is renegotiated between two endpoints (for multiple subnets). The tunnels still work, but traffic may be delayed while the tunnel is switched/reestablished. (more research needed for possible solutions)

Try some of the suggestions here:

http://doc.pfsense.org/index.php/IPsec_Troubleshooting

And also you might double check the firewall rules on the pfSense side, and the Netscreen side if it is capable of filtering IPsec traffic.

It works from behind the pfsense box also now, esp protocol was still blocked.

thanks for the help and have a nice weekend !!!

I will check it out ..

thanks

@saxd40:

It appears that this issue still exists in 1.2.3-RELEASE.  I never had issues with IPsec tunnels in old versions of pfSense, but ever since I upgraded to 1.2-3-RELEASE 6 months or so ago I've been having intermittent issues with tunnels hanging.  In the last few days this has started being 3-5 outages per day (or more).

Are you using carp on the master site (two firewalls) ?

I'have a lot of ipsec tunnels, towards pfsense boxes and cisco routers (837,857 and 877).
I am using 'Prefer old IPsec SAs', and when A remote routers reboot (like AC loss) I must reboot the Firewall Master Node.
When 'Prefer old IPsec SAs' is off, the tunnel goes down after the phase1 lifetime.
From Ipsec status I always see green icons.

PS:I suggest to use openvpn (when you have firewalls on both sides :P )

Giacomo

Using the physical NIC directly and a VLAN on the same NIC is rarely a good idea.

Are you sure what you are trying to do with WAN/vlan1 actually makes sense?

Yes, it means WAN IP Address.

IPsec and NAT do not work together. There have been a couple attempts to make it work, the closest one being a bounty that was proposed last year sometime, but the person putting up the money pulled it out before someone with the knowledge to fix it could take the job.

I have added a few and I could go to their router, but could not ping from their side to my side.  I working with a major issue.  It looks like I lost my domain.  I trying to get that fixed and then I can work on my rules.  I get back up with you when I get it straight.
RC

i will assume that at the other end of the vpn, the vpn device there is working, heres what i do when i know a vpn should be up but isnt(i usually get errors similar to yours in the ipsec log):

1. go to vpn->ipsec
2. click the edit button
3. click save
4. it takes you back to the main ipsec screen, click apply, then click save on that same screen.

if that doesnt fix it delete and redo (i did this and it fixed my problem)

by removing ips, focalguy meant to edit your pictures that you posted (they have the actual ips) and remove the ips.

To JIMP,

Sorry for make trouble to you^^
i'll try ask for help in GAMING zone there.
thanks

changed mobile warrior to use 192.168 network and now it works fine.

What do you mean? Many tunnels can have the same PSK.

I have a similar problem, but in my case I have two wan connections each with its own WAN IP going back to the same remote site, configured with two different tunnels. I setup FQDN's as the identifiers but with no results. I can establish the the first Tunnel without a problem, but the second tunnel always fails phase 2 because phase 1 is incorrect. Oddly enough if I enable the second tunnel first then start the first tunnel and everything is great until the timetolive expires then I have the same problem.

For Example

Tunnel 1
Local IP : 1.1.1.1
Remote IP : 2.3.4.5

Tunnel 2
Local IP : 2.2.2.2
Remote IP : 2.3.4.5

Remote Site Settings
Local IP : 2.3.4.5
Remote IP 1: 1.1.1.1
Remote IP 2: 2.2.2.2

I get this for tunnel 1 and it works

racoon: [Tunnel 1]: INFO: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.3.4.5[500]

then tunnel 2 initiates and I get this, which never establishes unless I enabled it first.

racoon: [Tunnel 1]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>2.3.4.5[500]
racoon: [Tunnel 1]: INFO: IPsec-SA request for 2.3.4.5 queued due to no phase1 found.
racoon: ERROR: none message must be encrypted
racoon: ERROR: phase1 negotiation failed due to time up. 750d4b65cf70f0f1:07e5cb35030fb0fd
racoon: INFO: delete phase 2 handler.
racoon: [Tunnel 1]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2.3.4.5[0]->2.2.2.2[0]
racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).
racoon: [Tunnel 1]: WARNING: the packet retransmitted in a short time from 2.3.4.5[500]
racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).
racoon: [Tunnel 1]: WARNING: the packet retransmitted in a short time from 2.3.4.5[500]
racoon: [Tunnel 1]: NOTIFY: the packet is retransmitted by 2.3.4.5[500] (1).

Shouldn't I receive this?

racoon: [Tunnel 2]: INFO: initiate new phase 1 negotiation: 2.2.2.2[500]<=>2.3.4.5[500]

Have you been able to find a fix for this, or I am doing something wrong here?