Netgate Discussion Forum
    IPSEC does not work with more than one Tunnel

    • mnsmani

      I am writing background code for my pfSense box, so that the user need not enter any details.

      I have 3 machines. Site1, Site2 and Site3.

      When I configure Site1 to Site2 VPN - It works fine.

      When I configure Site1 to Site3 VPN, it works fine and Site1 to Site2 goes off. Open the VPN page in Site2, click on save… everything is fine now. Site1 to Site2 is okay, Site1 to Site3 is also okay.

      Now with both tunnels up and running, if I make changes in one site, then I am forced to reboot the other machines.... Why?

      Is it enough to call vpn_ipsec_configure() or should I call something more....

      P1 Lifetime = P2 Lifetime = 288000

      The log file is as follows:

      Jun 4 06:00:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.99/32[0] 192.168.1.0/24[0] proto=any dir=out
      Jun 4 06:00:05 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
      Jun 4 06:00:05 racoon: INFO: IPsec-SA request for 172.16.10.168 queued due to no phase1 found.
      Jun 4 06:00:05 racoon: INFO: initiate new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
      Jun 4 06:00:05 racoon: INFO: begin Aggressive mode.
      Jun 4 06:00:07 racoon: INFO: IPsec-SA request for 172.16.10.172 queued due to no phase1 found.
      Jun 4 06:00:07 racoon: INFO: initiate new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.172[500]
      Jun 4 06:00:07 racoon: INFO: begin Aggressive mode.
      Jun 4 06:00:17 racoon: INFO: respond new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
      Jun 4 06:00:17 racoon: INFO: begin Aggressive mode.
      Jun 4 06:00:17 racoon: INFO: received Vendor ID: DPD
      Jun 4 06:00:17 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jun 4 06:00:17 racoon: INFO: ISAKMP-SA established 172.16.10.171[500]-172.16.10.168[500] spi:678fef7ed669b4e4:3eb1553576a3c4de
      Jun 4 06:00:18 racoon: INFO: respond new phase 2 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
      Jun 4 06:00:18 racoon: INFO: initiate new phase 2 negotiation: 172.16.10.171[500]<=>172.16.10.168[500]
      Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.168[0]->172.16.10.171[0] spi=6575745(0x645681)
      Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.171[0]->172.16.10.168[0] spi=106017731(0x651b3c3)
      Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.168[0]->172.16.10.171[0] spi=150148462(0x8f3156e)
      Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.171[0]->172.16.10.168[0] spi=65561386(0x3e8632a)
      Jun 4 06:00:25 racoon: INFO: received Vendor ID: DPD
      Jun 4 06:00:25 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jun 4 06:00:25 racoon: INFO: ISAKMP-SA established 172.16.10.171[500]-172.16.10.168[500] spi:f3ed2a250c3855ba:ed8130594559277c
      Jun 4 06:00:27 racoon: ERROR: pfkey DELETE received: ESP 172.16.10.171[0]->172.16.10.168[0] spi=106017731(0x651b3c3)
      Jun 4 06:00:38 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 172.16.10.172[500]->172.16.10.171[500]
      Jun 4 06:00:38 racoon: INFO: delete phase 2 handler.
      Jun 4 06:00:52 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Jun 4 06:01:07 racoon: ERROR: phase1 negotiation failed due to time up. c69eb6d5597ee7b6:0000000000000000
      Jun 4 06:01:24 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 172.16.10.172[500]->172.16.10.171[500]
      Jun 4 06:01:24 racoon: INFO: delete phase 2 handler.
      Jun 4 06:01:24 racoon: INFO: IPsec-SA request for 172.16.10.172 queued due to no phase1 found.
      Jun 4 06:01:24 racoon: INFO: initiate new phase 1 negotiation: 172.16.10.171[500]<=>172.16.10.172[500]
      Jun 4 06:01:24 racoon: INFO: begin Aggressive mode

      As you can see, 172.16.10.171 - 172.16.10.168 got established and 172.16.10.171 - 172.16.10.172 failed.
      If I restart / click the save button on the IPsec page of 172.16.10.172, then it will start working.
      Strange enough, but …. I'm lost.

      please help help help help

      • mnsmani

        Done. It was a problem with SAD entries…. they were not getting refreshed. So, I manually deleted the entries between the two boxes. In the next negotiation, it got the new entries and the connection is Bingo.... Parsed the output of /sbin/setkey -D and used /sbin/setkey -c with delete commands [delete src dest protocol spi;]..

        • sullrich
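        The cleanup described in the post above, as an added example that is not part of this thread and not pfSense's own code: a Python script that first picks out of a racoon log the peer pairs whose phase 2 timed out waiting for phase 1, then parses a `/sbin/setkey -D` SAD dump and emits the `setkey -c` delete lines for the SAs still listed between those peers. Both inputs are constructed samples in the ipsec-tools output format (the SPIs for the 172.16.10.172 peer and the key material are made up); that the peer pair failing phase 1 is the pair whose SAD entries need clearing is an assumption taken from the poster's description, and the `states` filter that leaves `larval` SAs alone is a design choice of this example.

```python
"""Find IPsec peers stuck waiting for phase 1 in a racoon log, then build the
`setkey -c` delete commands that clear the SAD entries for those peers.
Added example; not code from the forum thread or from pfSense."""
import re
import subprocess

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# racoon's message when a phase 2 request gives up because phase 1 never came up
PH1_TIMEOUT = re.compile(
    r"phase2 negotiation failed due to time up waiting for phase1\. ESP "
    + IP + r"\[\d+\]->" + IP + r"\[\d+\]")
# `setkey -D` layout: an unindented "src dst" line starts each SA, followed by
# indented detail lines ("esp mode=... spi=dec(0xhex) ...", "... state=mature").
SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")
SA_PROTO = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\S+)\s+spi=\d+\((0x[0-9a-fA-F]+)\)")
SA_STATE = re.compile(r"\bstate=(\w+)")

# Constructed sample log, taken from the lines the poster quoted.
SAMPLE_RACOON_LOG = """\
Jun 4 06:00:18 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.10.168[0]->172.16.10.171[0] spi=6575745(0x645681)
Jun 4 06:00:38 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 172.16.10.172[500]->172.16.10.171[500]
Jun 4 06:01:24 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 172.16.10.172[500]->172.16.10.171[500]
"""

# Constructed, abbreviated `setkey -D` dump: SPIs for the .168 peer match the
# log above; the .172 SPIs and the key bytes are made up.
SAMPLE_SETKEY_D = """\
172.16.10.168 172.16.10.171
\tesp mode=tunnel spi=6575745(0x00645681) reqid=0(0x00000000)
\tE: aes-cbc  00112233 44556677 8899aabb ccddeeff
\tA: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=3 pid=1001 refcnt=0
172.16.10.171 172.16.10.168
\tesp mode=tunnel spi=106017731(0x0651b3c3) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=2 pid=1001 refcnt=0
172.16.10.171 172.16.10.172
\tesp mode=tunnel spi=169552937(0x0a1b2c29) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tsadb_seq=1 pid=1001 refcnt=0
172.16.10.172 172.16.10.171
\tesp mode=tunnel spi=195948557(0x0badf00d) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=larval
\tsadb_seq=0 pid=1001 refcnt=0
"""


def stuck_peers(log_text):
    """Return the set of unordered peer pairs whose phase 2 timed out on phase 1."""
    pairs = set()
    for line in log_text.splitlines():
        m = PH1_TIMEOUT.search(line)
        if m:
            pairs.add(frozenset((m.group(1), m.group(2))))
    return pairs


def parse_sad(dump):
    """Parse `setkey -D` output into dicts: src, dst, proto, mode, spi, state."""
    entries, current = [], None
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = SA_HEADER.match(line)
        if m:  # unindented "src dst" line opens a new SA record
            current = {"src": m.group(1), "dst": m.group(2), "proto": None,
                       "mode": None, "spi": None, "state": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = SA_PROTO.match(line)
        if m:
            current["proto"], current["mode"], current["spi"] = m.groups()
            continue
        m = SA_STATE.search(line)
        if m:
            current["state"] = m.group(1)
    return entries


def delete_commands(entries, peer_a, peer_b, states=("mature", "dying", "dead")):
    """`setkey -c` delete lines for each SA between the two peers (either direction).
    `states=None` deletes regardless of state; the default leaves larval SAs alone."""
    pair = {peer_a, peer_b}
    cmds = []
    for e in entries:
        if {e["src"], e["dst"]} != pair or e["spi"] is None:
            continue
        if states is not None and e["state"] not in states:
            continue
        cmds.append(f"delete {e['src']} {e['dst']} {e['proto']} {e['spi']};")
    return cmds


def stale_sa_deletes(log_text, sad_dump, states=("mature", "dying", "dead")):
    """Combine both steps: peers stuck on phase 1 -> delete lines for their SAs."""
    entries = parse_sad(sad_dump)
    cmds = []
    for pair in sorted(stuck_peers(log_text), key=sorted):
        a, b = sorted(pair)
        cmds.extend(delete_commands(entries, a, b, states))
    return cmds


def apply_deletes(cmds, dry_run=True):
    """Return the setkey script; with dry_run=False also feed it to `setkey -c`."""
    script = "\n".join(cmds) + "\n" if cmds else ""
    if not dry_run:
        subprocess.run(["/sbin/setkey", "-c"], input=script, text=True, check=True)
    return script


if __name__ == "__main__":
    print(apply_deletes(stale_sa_deletes(SAMPLE_RACOON_LOG, SAMPLE_SETKEY_D)), end="")
```

        On a real box the inputs would be the output of `/sbin/setkey -D` and the racoon log, and `apply_deletes(cmds, dry_run=False)` hands the generated lines to `setkey -c`; the default dry run only returns the script so it can be reviewed first, and the state filter is there so an SA that is mid-negotiation (`larval`) is not removed along with the stale ones.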

          Fixed recently:

          http://cvs.pfsense.com/cgi-bin/cvsweb.cgi/pfSense/etc/inc/vpn.inc?rev=1.89.2.29.2.8;content-type=text%2Fplain

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.