Netgate Discussion Forum

    IPSEC fails after Restore to new Hardware

    GraKez

      Hello everyone,

      I am testing disaster recovery processes, and one is to confirm the ability to replace a dead router.

      After taking a fresh backup, I installed the same pfSense version (2.3.3) to new hardware and then did a restore.
      Internet is up, firewalls & port forwards all work but... IPSEC refuses to connect to the other branch.

      If I swap back to the original router the tunnels come up and traffic passes as expected.
      Back to the new router, and I even tried deleting the IPSEC details and recreating from scratch.
      Also, I remotely rebooted the router at the other end, but still no go.

      It is almost as if its peer (another pfSense router) knows something is different???

      IPSEC is Static IP4 to Static IP4 using Mutual PSK
      P1: Encryption is AES128-GCM, SHA1, DH Group 2, Dead Peer Detection Enabled
      P2: Protocol ESP, Encryption AES128-GCM, SHA1

      System Log –> IPSEC Shows:

      Mar 6 14:19:31 charon 16[IKE] <con2|1>retransmit 1 of request with message ID 0
      Mar 6 14:19:31 charon 16[NET] <con2|1>sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
      Mar 6 14:19:33 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
      Mar 6 14:19:39 charon 16[IKE] <con2|1>retransmit 2 of request with message ID 0
      Mar 6 14:19:39 charon 16[NET] <con2|1>sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
      Mar 6 14:19:48 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
      Mar 6 14:19:48 charon 05[CFG] ignoring acquire, connection attempt pending
      Mar 6 14:19:52 charon 05[IKE] <con2|1>retransmit 3 of request with message ID 0
      Mar 6 14:19:52 charon 05[NET] <con2|1>sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
      Mar 6 14:19:56 charon 05[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
      Mar 6 14:19:56 charon 16[CFG] ignoring acquire, connection attempt pending
      Mar 6 14:20:15 charon 16[IKE] <con2|1>retransmit 4 of request with message ID 0
      Mar 6 14:20:15 charon 16[NET] <con2|1>sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
      Mar 6 14:20:17 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
      Mar 6 14:20:17 charon 14[CFG] ignoring acquire, connection attempt pending
      Mar 6 14:20:38 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
      Mar 6 14:20:38 charon 13[CFG] ignoring acquire, connection attempt pending
      Mar 6 14:20:57 charon 09[IKE] <con2|1>retransmit 5 of request with message ID 0
      Mar 6 14:20:57 charon 09[NET] <con2|1>sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
      Mar 6 14:20:58 charon 09[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
      Mar 6 14:20:58 charon 12[CFG] ignoring acquire, connection attempt pending
      Mar 6 14:21:00 charon 12[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
      Mar 6 14:21:00 charon 09[CFG] ignoring acquire, connection attempt pending

      Thank you in advance for any help

      GraKez

        I have logged into the router at the other end, and it has almost the same messages (over & over) in the IPSEC log:

        Mar 6 16:30:12 charon 05[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
        Mar 6 16:30:12 charon 05[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
        Mar 6 16:30:12 charon 06[CFG] ignoring acquire, connection attempt pending
        Mar 6 16:30:12 charon 06[CFG] ignoring acquire, connection attempt pending
        Mar 6 16:30:14 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
        Mar 6 16:30:14 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
        Mar 6 16:30:14 charon 13[CFG] ignoring acquire, connection attempt pending
        Mar 6 16:30:14 charon 13[CFG] ignoring acquire, connection attempt pending
        Mar 6 16:30:17 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
        Mar 6 16:30:17 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
        Mar 6 16:30:17 charon 05[CFG] ignoring acquire, connection attempt pending
        Mar 6 16:30:17 charon 05[CFG] ignoring acquire, connection attempt pending

        Maybe I need to change the level of logging?
        Or need to look at a different log?

        Also in the IPSEC Status screen I can see the connection trying twice in parallel (see attached image)

        [attached image: IPSEC_Status.JPG]

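As an added example (not from the posts, pfSense or strongSwan), a small Python parser for the charon lines quoted in both posts: it tallies retransmits, packets sent and received per IKE_SA, and the acquire jobs charon ignored, then flags any SA whose message ID 0 request was retransmitted without a single packet received. The sample log is constructed in the same format as the quoted lines; `received packet:` is strongSwan's NET-group message for inbound IKE traffic, which never appears in either post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the charon lines quoted in the posts.
SAMPLE_LOG = """\
Mar 6 14:19:31 charon 16[IKE] <con2|1>retransmit 1 of request with message ID 0
Mar 6 14:19:31 charon 16[NET] <con2|1>sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
Mar 6 14:19:33 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
Mar 6 14:19:39 charon 16[IKE] <con2|1>retransmit 2 of request with message ID 0
Mar 6 14:19:39 charon 16[NET] <con2|1>sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
Mar 6 14:19:48 charon 05[CFG] ignoring acquire, connection attempt pending
"""

# timestamp, thread[GROUP], optional <conn|ike_sa_number> prefix, message
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d charon \d+\[\w+\] "
                     r"(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)>)?(?P<msg>.*)$")
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")

def summarize(log_text):
    """Per-IKE_SA counters (retransmits, sent, received) plus acquire-job stats."""
    sas = defaultdict(lambda: {"retransmits": 0, "msgid": None, "sent": 0, "received": 0})
    acquires = {"created": 0, "ignored_pending": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a charon line; skip
        msg, key = m["msg"], (m["conn"], m["sa"])
        r = RETRANSMIT_RE.search(msg)
        if r:
            sas[key]["retransmits"] = max(sas[key]["retransmits"], int(r.group(1)))
            sas[key]["msgid"] = int(r.group(2))
        elif msg.startswith("sending packet:"):
            sas[key]["sent"] += 1
        elif msg.startswith("received packet:"):  # strongSwan's NET log for inbound IKE
            sas[key]["received"] += 1
        elif msg.startswith("creating acquire job"):
            acquires["created"] += 1
        elif msg.startswith("ignoring acquire, connection attempt pending"):
            acquires["ignored_pending"] += 1
    return dict(sas), acquires

def diagnose(sas):
    """Flag SAs whose initial request (message ID 0) was retransmitted with no reply seen."""
    findings = []
    for (conn, sa), c in sas.items():
        if c["retransmits"] and c["msgid"] == 0 and c["received"] == 0:
            findings.append(f"{conn}|{sa}: {c['retransmits']} retransmits of message ID 0, "
                            f"{c['sent']} sent, 0 received: no answer from the peer reached charon")
    return findings
```

Run it over the full IPsec log from each side: a peer that is receiving and answering will show `received packet:` lines for the same `<conn|sa>`, so an SA that only ever sends is the one to investigate for reachability on UDP 500/4500 before looking at proposal or PSK mismatches.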
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.