• Site to Site IPSec VPN over AT&T Wireless

    3
    0 Votes
    3 Posts
    824 Views
    O

    I have removed the check for Disable rekey. Should I be setting a margintime?

    I am using distinguished name for the identifiers as that is what I have commonly used in similar setups. While the error continues to point to a PSK mismatch, the keys match; I have copied the key from one configuration page to the other.

    Here are some more logs following the changes

    Aug 16 08:56:31 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 3744141107 processing failed
    Aug 16 08:56:31 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:31 charon 12[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:31 charon 12[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:31 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:31 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:30 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:30 charon 12[IKE] <con1000|2> sending retransmit 2 of request message ID 0, seq 3
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 468255107 processing failed
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:23 charon 12[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:23 charon 12[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:23 charon 12[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:23 charon 12[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:23 charon 12[IKE] <con1000|2> sending retransmit 1 of request message ID 0, seq 3
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> INFORMATIONAL_V1 request with message ID 2140660544 processing failed
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> ignore malformed INFORMATIONAL request
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> message parsing failed
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> could not decrypt payloads
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> local host is behind NAT, sending keep alives
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (396 bytes)
    Aug 16 08:56:19 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (396 bytes)
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received NAT-T (RFC 3947) vendor ID
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received FRAGMENTATION vendor ID
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received DPD vendor ID
    Aug 16 08:56:19 charon 10[IKE] <con1000|2> received XAuth vendor ID
    Aug 16 08:56:19 charon 10[ENC] <con1000|2> parsed ID_PROT response 0 [ SA V V V V ]
    Aug 16 08:56:19 charon 10[NET] <con1000|2> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (160 bytes)
    Aug 16 08:56:18 charon 10[NET] <con1000|2> sending packet: from 10.X.6.2[500] to 50.X.X.149[500] (180 bytes)
    Aug 16 08:56:18 charon 10[ENC] <con1000|2> generating ID_PROT request 0 [ SA V V V V V ]
    Aug 16 08:56:18 charon 10[IKE] <con1000|2> initiating Main Mode IKE_SA con1000[2] to 50.X.X.149
    Aug 16 08:56:18 charon 12[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:52:53 charon 12[IKE] <con1000|1> establishing IKE_SA failed, peer not responding
    Aug 16 08:52:53 charon 12[IKE] <con1000|1> giving up after 5 retransmits
    Aug 16 08:52:06 charon 07[CFG] ignoring acquire, connection attempt pending
    Aug 16 08:52:06 charon 05[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:51:41 charon 16[KNL] creating acquire job for policy 10.X.6.2/32|/0 === 50.X.X.149/32|/0 with reqid {4}
    Aug 16 08:51:40 ipsec_starter 62014 'con1000' routed
    Aug 16 08:51:40 charon 14[CFG] received stroke: route 'con1000'
    Aug 16 08:51:40 charon 16[CFG] added configuration 'con1000'
    Aug 16 08:51:40 charon 16[CFG] received stroke: add connection 'con1000'
    Aug 16 08:51:40 ipsec_starter 62014 'bypasslan' shunt PASS policy installed
    Aug 16 08:51:40 charon 13[CFG] received stroke: route 'bypasslan'
    Aug 16 08:51:40 charon 14[CFG] added configuration 'bypasslan'
    Aug 16 08:51:40 charon 14[CFG] received stroke: add connection 'bypasslan'
    Aug 16 08:51:40 charon 15[CFG] deleted connection 'con1000'
    Aug 16 08:51:40 charon 15[CFG] received stroke: delete connection 'con1000'
    Aug 16 08:51:40 ipsec_starter 62014 configuration 'con1000' unrouted
    Aug 16 08:51:40 charon 13[CFG] received stroke: unroute 'con1000'
    Aug 16 08:51:40 charon 14[CFG] deleted connection 'bypasslan'
    Aug 16 08:51:40 charon 14[CFG] received stroke: delete connection 'bypasslan'
    Aug 16 08:51:40 ipsec_starter 62014 shunt policy 'bypasslan' uninstalled
    Aug 16 08:51:40 charon 15[CFG] received stroke: unroute 'bypasslan'
    Aug 16 08:51:40 charon 13[CFG] rereading crls from '/usr/local/etc/ipsec.d/crls'
    Aug 16 08:51:40 charon 13[CFG] rereading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
    Aug 16 08:51:40 charon 13[CFG] rereading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
    Aug 16 08:51:40 charon 13[CFG] rereading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
    Aug 16 08:51:40 charon 13[CFG] rereading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
    Aug 16 08:51:40 charon 13[CFG] loaded IKE secret for %any @sitea.sitea-to-siteb
    Aug 16 08:51:40 charon 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Aug 16 08:51:40 charon 13[CFG] rereading secrets
    Aug 16 08:51:37 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:51:37 charon 08[IKE] <con1000|1> sending retransmit 5 of request message ID 0, seq 3
    Aug 16 08:50:55 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:50:55 charon 08[IKE] <con1000|1> sending retransmit 4 of request message ID 0, seq 3
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2027756021 processing failed
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> message parsing failed
    Aug 16 08:50:32 charon 08[ENC] <con1000|1> could not decrypt payloads
    Aug 16 08:50:32 charon 08[ENC] <con1000|1> invalid HASH_V1 payload length, decryption failed?
    Aug 16 08:50:32 charon 08[NET] <con1000|1> received packet: from 50.X.X.149[500] to 10.X.6.2[500] (92 bytes)
    Aug 16 08:50:32 charon 08[NET] <con1000|1> sending packet: from 10.X.6.2[4500] to 50.X.X.149[4500] (124 bytes)
    Aug 16 08:50:32 charon 08[IKE] <con1000|1> sending retransmit 3 of request message ID 0, seq 3
    Aug 16 08:50:19 charon 08[IKE] <con1000|1> INFORMATIONAL_V1 request with message ID 2405277567 processing failed
    Aug 16 08:50:19 charon 08[IKE] <con1000|1> ignore malformed INFORMATIONAL request
    Aug 16 08:50:19 charon 08[IKE] <con1000|1> message parsing failed
    Aug 16 08:50:19 charon 08[ENC] <con1000|1> could not decrypt payloads
  • IPSec Site to site VPN

    2
    0 Votes
    2 Posts
    491 Views
    DerelictD

    You are going to have to do what you need to do on those upstream devices to make it work, it sounds like.

    If they can do some sort of PPPoE pass through so pfSense itself is the PPPoE client you will probably be happier.

    If not, the first thing I would check is that IPsec on both sides is set to use the public IP address as the identifier.

    If you just set My IP Address as My Identifier on the left side and connect to 124.107.X.X, and they are configured to expect 180.190.y.y as the identifier, it won't work.

    If you configure the left side to be My Identifier: IP Address: 180.190.y.y it might work.

    If those PPPoE addresses are not static (you get the same assignment every time), but dynamic (they change), you will probably have to move to setting the IDs on both sides to a distinguished name set to a dynamic DNS name that changes with the PPPoE address.

    PPPoE pass through on the ISP devices is probably the easiest thing.

  • Firewall > Rules > IPsec tab does not exist

    3
    0 Votes
    3 Posts
    1k Views
    T

    It works now - either from updating pfSense to 2.4.x or ensuring that both P1 and P2 are enabled (I thought they were to begin with).

  • Second IPSec issues / IPSec redundancy queries

    3
    0 Votes
    3 Posts
    590 Views
    dotdashD
    Is secondary peer supported on the PFSense? How does the PFSense react on two tunnels with the same phase 2 entries - while one of them is disabled and the other one is active? What would be a best practice and/or recommendation to run IPSec redundancy? Is route based VPN supported on the device? If so, any particular notes on NATs/Rules?

    1- No. You can use a dynamic hostname, but that's another discussion.
    2- Not sure what your issue is, I have used disabled tunnels at several sites. Just disable the primary on both sites, clear any active sessions, and enable the secondary on both sides.
    3- Skipping this, it varies based on situation.
    4- See the release notes for the upcoming 2.4.4 release for routed IPSec.

  • Force DNS server

    3
    0 Votes
    3 Posts
    825 Views
    C

    Changed the client's metric. Ethernet > VPN.

  • IPSec Tunnel down all of a sudden with no changes. Can access both ends.

    2
    0 Votes
    2 Posts
    302 Views
    J

    So turns out that the SITE1 IP address changed last night. Even though I'm using Dynamic DNS on both ends and both ends recognized the change, the tunnel would not reconnect until a reboot, which has now fixed the issue. Weird one.

  • OpenVPN + IPSec tunnels

    1
    0 Votes
    1 Posts
    790 Views
    No one has replied
  • ipsec site to site with DMZ in one site and PPPoE in the other

    1
    0 Votes
    1 Posts
    298 Views
    No one has replied
  • Traffic over 2 VPN

    2
    0 Votes
    2 Posts
    443 Views
    jimpJ

    You need to add Phase 2 entries to your existing tunnels to carry that traffic.

    On the tunnel from 1-2:

    Phase 2 for 1-2
    Phase 2 for 3-2

    On the tunnel from 1-3:

    Phase 2 for 1-3
    Phase 2 for 2-3

    And then on the other end of each tunnel, reverse the local/remote as usual. Make sure all of those are allowed in firewall rules as well.

  • 0 Votes
    3 Posts
    473 Views
    C

    Is this already fixed? I think we are having the same issue. How did you fix it?

  • IPSec bandwidth between two sites cycles between high and low

    1
    0 Votes
    1 Posts
    336 Views
    No one has replied
  • IPSec Routing stops working??

    4
    1 Votes
    4 Posts
    760 Views
    J

    Update: I've upgraded to 2.4.3-RELEASE-p1, switched back to IPSec from OpenVPN and haven't experienced the issue for ~72hrs and counting.

  • RSA ipsec : no private key found...

    3
    0 Votes
    3 Posts
    4k Views
    A

    Yes you are right, it works now! (in fact, in the meantime, I tried using PSK auth, and same issue with bad identifiers but error messages were more relevant for me).

    Solution for anyone who would have this issue => use the altNames values of the certificates (get them with the "ipsec listcerts" command) in the leftid/rightid strongswan tunnel parameters.

    Thanks for your reply.

  • key_acqdone / key_delete

    Moved
    3
    0 Votes
    3 Posts
    630 Views
    R

    Yes, site 2 site VPN with IPsec.

  • IPSEC to CradlePoint...Tunnel Established But No Ping

    17
    0 Votes
    17 Posts
    2k Views
    DerelictD

    Glad you got it working. Thanks for letting us know.

  • IPSec VLAN Passthrough

    1
    0 Votes
    1 Posts
    499 Views
    No one has replied
  • Can't seem to get pfSense to stay connected to IPCop firewall

    3
    0 Votes
    3 Posts
    668 Views
    DerelictD

    We can get the VPN to connect for a little while but we can't ping through it even though we have a Firewall rule set for IPSec.

    Firewall rules on the IPsec tab would be for allowing pings originating from the other side.

    Be sure you are pinging from something interesting to IPsec, as in from a source address that is in the Local Network portion of a phase 2. You can set a source interface to something like LAN if you're using Diagnostics > Ping.

  • IPSEC VPN Drops around 40 seconds.

    5
    0 Votes
    5 Posts
    922 Views
    jimpJ

    What do the logs on the Draytek say?

    pfSense can't tell you why the Draytek sent the delete command, only the Draytek can.

  • IPSec site to site VPN "Connecting" Status only

    1
    0 Votes
    1 Posts
    234 Views
    No one has replied
  • Route IPSEC

    2
    0 Votes
    2 Posts
    380 Views
    jimpJ

    IPsec tunnels don't "route"¹, they use Phase 2 definitions to setup Security Associations that define which traffic will be able to cross each tunnel.

    So you need to add Phase 2 entries to both ends of every tunnel to match every combination of traffic you hope to send across the tunnel. So if you have tunnels A-B and A-C, you need phase 2 entries on A-B to pass traffic from B-C and on A-C to pass C-B and vice versa.

    ¹ well, until 2.4.4 and they have to support VTI

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.