Netgate Discussion Forum
    IPSec tunnels crashing, unable to see status 2.5.2

    Category: IPsec
    • erjaxa

      Hey,

      Our deployment consists of multiple sites, with ipsec tunnels between.
      Today, when I got back to work one of the tunnels had crashed, and I am unable to start it again. It seems to have crashed some of the other IPsec tunnels that we have, and even when I disable the tunnel, it keeps generating log entries!
      The log entries:
      Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
      Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
      Nov 29 13:13:28 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}

      So, when disabling the tunnel to y.y.y.y on x.x.x.x, these log entries still keep coming up...

      Config is:
      P1
      IKEv1
      Mutual PSK
      Neg mode: Aggressive
      Encryption Algorithm: AES 256 bit, SHA1, DH 14 (2048 bit)
      NAT traversal: Auto
      13 P2s

      I am also unable to load the status in IPsec; it's stuck in "Collecting IPsec status information.".
      After a restart of the machine, the other tunnels that crashed due to this worked for a little while.

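As an added example (not code from the post, from pfSense or from strongSwan), here is a small Python log check that parses the charon "creating acquire job" lines quoted above, groups them by policy and reqid, and flags a policy whose trap keeps firing within a short window. The sample log is constructed for the example from the three quoted lines plus two made-up lines; the year passed to the parser and the set of "disabled peers" are assumptions, since syslog timestamps carry no year and the post does not list its tunnels.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the charon "creating acquire job" lines quoted in the post.
# Syslog format: "Mon dd HH:MM:SS host charon[pid]: NN[KNL] creating acquire job
# for policy <src> === <dst> with reqid {N}"
ACQUIRE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"charon\[(?P<pid>\d+)\]: (?P<thread>\d+)\[KNL\] creating acquire job "
    r"for policy (?P<src>\S+) === (?P<dst>\S+) with reqid \{(?P<reqid>\d+)\}$"
)


def parse_acquire(line, year):
    """Return a dict for an acquire-job line, or None for any other line.

    Syslog timestamps carry no year, so the caller supplies one (assumption:
    every line of the input comes from that same year)."""
    m = ACQUIRE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["reqid"] = int(rec["reqid"])
    return rec


def find_acquire_loops(lines, year, min_count=3, window_seconds=60):
    """Group acquire jobs by (src policy, dst policy, reqid) and flag any group
    that fired at least `min_count` times inside `window_seconds`.

    A trap policy normally fires once and the negotiated CHILD_SA then carries
    the traffic; repeated acquires for the same reqid mean the kernel keeps
    asking charon to negotiate and never gets a working SA back."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_acquire(line, year)
        if rec is not None:
            events[(rec["src"], rec["dst"], rec["reqid"])].append(rec["ts"])

    findings = {}
    for key, stamps in events.items():
        stamps.sort()
        for i in range(len(stamps) - min_count + 1):
            span = (stamps[i + min_count - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                findings[key] = {
                    "count": len(stamps),
                    "first": stamps[0],
                    "last": stamps[-1],
                }
                break
    return findings


def peer_of(policy):
    """'y.y.y.y/32|/0' -> 'y.y.y.y' (strip prefix length and proto/port part)."""
    return policy.split("/", 1)[0]


def acquires_for_disabled_peers(findings, disabled_peers):
    """Keys from find_acquire_loops whose remote side is a tunnel the operator
    has disabled. Acquires for a disabled tunnel mean its trap policy is still
    installed in the kernel SPD, which is the symptom described in the post."""
    return [key for key in findings if peer_of(key[1]) in disabled_peers]


# Constructed sample: the three lines quoted in the post, plus two made-up
# lines (an unrelated charon message and a single acquire for another peer).
SAMPLE_LOG = """\
Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
Nov 29 13:13:28 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
Nov 29 13:13:30 pfsense charon[68819]: 05[CFG] constructed unrelated message for the example
Nov 29 13:14:01 pfsense charon[68819]: 07[KNL] creating acquire job for policy x.x.x.x/32|/0 === z.z.z.z/32|/0 with reqid {3}
"""

if __name__ == "__main__":
    loops = find_acquire_loops(SAMPLE_LOG.splitlines(), year=2021)
    for (src, dst, reqid), info in loops.items():
        print(f"reqid {reqid}: {info['count']} acquires for {src} === {dst} "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    # Assumed operator input: the tunnel to y.y.y.y has been disabled in the GUI.
    print("still firing for disabled peers:",
          acquires_for_disabled_peers(loops, {"y.y.y.y"}))
```

On the sample it reports reqid 8 (three acquires in six seconds) and nothing for reqid 3. Run it against a larger excerpt of the IPsec log (Status > System Logs > IPsec) to see which policies keep re-triggering, and feed the peers you have disabled into `acquires_for_disabled_peers` to confirm whether the kernel is still holding a policy for a tunnel that should be gone; that is the clue that points at a stuck charon/kernel state rather than a peer that simply refuses the proposal.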
      • jimp (Rebel Alliance Developer, Netgate)

        There are numerous problems with IPsec status on 2.5.2 which have already been fixed on 2.6.0, including issues displaying tunnel status and starting/stopping specific tunnels.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

      • erjaxa

          Thanks for the response. Are there any fixes that I can apply for the moment? We're experiencing problems due to this issue.

      • jimp (Rebel Alliance Developer, Netgate)

            No, the changes were too drastic to patch in bit by bit.

            There would be less risk in upgrading to a 2.6.0 snapshot at the moment than you'd have trying to backport the code changes. 2.6.0 is pretty stable at the moment.

      • erjaxa

              Hey,

              This issue is now solved.
              What we did was:

              • Re-install pfsense on y.y.y.y
              • Restore configuration on y.y.y.y
              • Change protocols from IKEv1 to IKEv2 and P1 Hash from SHA1 to SHA256 on x.x.x.x and y.y.y.y
              • Change Child SA Close Action from Default to Restart/Reconnect on x.x.x.x and y.y.y.y
              • Changed NAT Traversal from Force to Auto on y.y.y.y (Was already set to Auto on x.x.x.x)
              • Enabled Dead Peer Detection on both x.x.x.x and y.y.y.y

              See my previous post, with the logs, to determine which host is x.x.x.x and which is y.y.y.y.

      • erjaxa

                Also this:

                • Disabled "MOBIKE" on y.y.y.y (This feature was only enabled on y.y.y.y)