HELP: Tunnel (IPSec site2site) crashes
-
Hello,
a tunnel to another firewall (WatchGuard) crashes all the time. If I reboot the WatchGuard the tunnel comes up and is stable for about 20 minutes.
Then I can't ping anything behind the remote network. pfSense shows the tunnel green.
I triple-checked all settings on both sides. They are correct and match each other. I also have some more tunnels to the same WatchGuard model at other locations which run fine. ?!?!
The log looks like this:
Mar 6 12:33:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=419700228(0x19041e04)
Mar 6 12:33:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=81857727(0x4e10cbf)
Mar 6 12:33:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:32:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=386168361(0x17047629)
Mar 6 12:32:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=171522698(0xa393a8a)
Mar 6 12:32:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:30:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=369378058(0x1604430a)
Mar 6 12:30:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=230508035(0xdbd4603)
Mar 6 12:30:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:28:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=352628600(0x1504af78)
Mar 6 12:28:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=205174151(0xc3ab587)
Mar 6 12:28:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:27:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=335823156(0x14044134)
Mar 6 12:27:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=60544180(0x39bd4b4)
Mar 6 12:27:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:25:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=319092741(0x1304f805)
Mar 6 12:25:41 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=102304542(0x6190b1e)
Mar 6 12:25:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:23:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=302306069(0x1204d315)
Mar 6 12:23:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=231237319(0xdc866c7)
Mar 6 12:23:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:21:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=285515278(0x11049e0e)
Mar 6 12:21:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=49559776(0x2f438e0)
Mar 6 12:21:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:20:13 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=268761948(0x1004fb5c)
Mar 6 12:20:13 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=68504696(0x4154c78)
Mar 6 12:20:13 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=251953724(0xf04823c)
Mar 6 12:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=147442758(0x8c9cc46)
Mar 6 12:18:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:17:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=235165253(0xe045645)
Mar 6 12:17:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=41630216(0x27b3a08)
Mar 6 12:17:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=218422032(0xd04db10)
Mar 6 12:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=236983326(0xe20141e)
Mar 6 12:15:41 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:13:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=201608003(0xc044b43)
Mar 6 12:13:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=10053598(0x9967de)
Mar 6 12:13:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 12:11:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=184825402(0xb04363a)
Mar 6 12:11:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=208954640(0xc746510)
Mar 6 12:11:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Thank you for any help!
Best regards,
Thorsten
-
Found one wrong setting in Advanced ("Prefer older SAs"). The tunnel itself stays up now (I can ping all the time), but the log nevertheless does not look good:
Mar 6 13:36:52 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=822348144(0x31040970)
Mar 6 13:35:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=251902539(0xf03ba4b)
Mar 6 13:35:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:32:12 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=755278420(0x2d04a254)
Mar 6 13:30:43 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=171853136(0xa3e4550)
Mar 6 13:30:43 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:28:56 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
Mar 6 13:28:56 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=738466939(0x2c041c7b)
Mar 6 13:27:52 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=92006427(0x57be81b)
Mar 6 13:27:52 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:25:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=704921625(0x2a044019)
Mar 6 13:25:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=94974923(0x5a933cb)
Mar 6 13:25:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:19:44 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
Mar 6 13:19:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=671405877(0x2804d735)
Mar 6 13:19:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=246440033(0xeb06061)
Mar 6 13:19:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:18:46 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
Mar 6 13:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=654630777(0x2704df79)
Mar 6 13:18:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=73550287(0x46249cf)
Mar 6 13:18:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Mar 6 13:16:43 racoon: ERROR: pfkey DELETE received: ESP x.x.x.x[500]->x.x.x.x[500] spi=621059908(0x25049f44)
Mar 6 13:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=637839420(0x2604a83c)
Mar 6 13:15:42 racoon: [xxx]: INFO: IPsec-SA established: ESP x.x.x.x[500]->x.x.x.x[500] spi=182947104(0xae78d20)
Mar 6 13:15:42 racoon: [xxx]: INFO: respond new phase 2 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Any idea?
Both sides work with static IPs - I say this because the error in line 1 looks like I am trying to connect to a dynamic IP address…
Thanks for ANY help!
Best regards,
Thorsten