Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange this happening

    IPsec
    2
    5
    3.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      Jonb
      last edited by

      I have one site that has a number of tunnels to a number of sites. One poticular site is giving me problems though. In the errr logs I am getting this.

      Oct 15 22:09:43 racoon: [Jonathan]: NOTIFY: the packet is retransmitted by 78.86.187.XXX[500].
      Oct 15 22:09:35 racoon: INFO: delete phase 2 handler.
      Oct 15 22:09:35 racoon: [Jonathan]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 78.86.187.XXX[0]->90.152.51.XXX[0]
      Oct 15 22:09:33 last message repeated 2 times
      Oct 15 22:09:13 racoon: [Jonathan]: NOTIFY: the packet is retransmitted by 78.86.187.XXX[500].
      Oct 15 22:09:04 racoon: INFO: received Vendor ID: DPD
      Oct 15 22:09:04 racoon: INFO: begin Identity Protection mode.
      Oct 15 22:09:04 racoon: [Jonathan]: INFO: initiate new phase 1 negotiation: 90.152.51.XXX[500]<=>78.86.187.XXX[500]
      Oct 15 22:09:04 racoon: [Jonathan]: INFO: IPsec-SA request for 78.86.187.XXX queued due to no phase1 found.

      I am getting the same thing on both sides.

      In the state table I get this

      udp 90.152.51.XXX:500 -> 78.86.187.XXX:500 MULTIPLE:MULTIPLE

      As far as I can understand each site can't see each other. It is only this link causing problems though. I am able to remote control the other site so I am very confused. I have advace about NAT on just stopping the sip PBX natting that is all. Anyone know were to start on this one?

      Hosted desktops and servers with support without complication.
      www.blueskysystems.co.uk

      1 Reply Last reply Reply Quote 0
      • J
        Jonb
        last edited by

        I have done some more investigating and openVPN works but ipsec still doesn't. Both pfsense is on 1.2 and still getting the error messages above. Does anyone have any idears.

        Hosted desktops and servers with support without complication.
        www.blueskysystems.co.uk

        1 Reply Last reply Reply Quote 0
        • J
          Jonb
          last edited by

          After looking into this more if I delete the Tunnels and recreate them it then works fine again.

          Hosted desktops and servers with support without complication.
          www.blueskysystems.co.uk

          1 Reply Last reply Reply Quote 0
          • T
            techneck
            last edited by

            I had exactly similar errors doing multiple VPNs between the same sites, for multiple networks.
            I had found some reference to using unique "My Identifier"s for each VPN, but I got the same results you're getting.
            I can't find any (useful) documentation on the "My Identifier" field.
            And, I've never had much luck getting it to work with anything other than setting the "My Identifier" option to "My IP Address" and leaving the field blank.

            And, yes, they do temporarily work and then fail. Deleting them and recreating them can cause them to work for a while, but then they fail again, with the "NOTIFY: the packet is retransmitted" errors you show.
            Only works reliably for me for a single VPN per site <-> site.
            If I need multiple networks (which I do), I aggregate subnets. 10.10.0.0/16 for all 10.10.x.x.
            Even if the router is only on, say, 10.10.10.0/30 it still works as long as it has static routes for each subnet you actually want.

            1 Reply Last reply Reply Quote 0
            • J
              Jonb
              last edited by

              Creating only a one way tunnel worked for me.

              Hosted desktops and servers with support without complication.
              www.blueskysystems.co.uk

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.