Netgate Discussion Forum
    IPsec tunnel UP but unable to ping remote site

    44 Posts 16 Posters 49.5k Views
    newbieuser1234

      Dumb question, but can you access the webConfigurator on the remote LAN? Are you running Snort or anything that could be blocking them? I added some aliases and whitelisted my IPsec tunnel addresses in Snort. Just a thought.

      netsysadmin

        At this point, no question is dumb.
        No, I cannot access the webconfigurator via its remote local IP address.
        But, I do have access to it via a public NATted IP address, i.e., I can make any change if required.

        Snort is not installed on either pfSense.
        Only ntop is installed on the remote one.
        On the local one, HAVP (not enabled/running), iftop & mailreport are installed.

        Thank you for trying to help.

      newbieuser1234

          What do the ipsec logs say?

      netsysadmin

            Local IPsec log:

            Jan 14 20:01:22 racoon: [Remote Site]: INFO: IPsec-SA established: ESP A.B.14.125[500]->X.Y.45.57[500] spi=13794811(0xd27dfb)
            Jan 14 20:01:22 racoon: [Remote Site]: INFO: IPsec-SA established: ESP A.B.14.125[500]->X.Y.45.57[500] spi=256623936(0xf4bc540)
            Jan 14 20:01:22 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
            Jan 14 20:01:22 racoon: [Remote Site]: INFO: ISAKMP-SA established A.B.14.125[500]-X.Y.45.57[500] spi:f9a7f6f8365b050a:7bc3360f027abf56
            Jan 14 20:01:21 racoon: [Remote Site]: INFO: initiate new phase 1 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
            Jan 14 20:01:21 racoon: [Remote Site]: INFO: IPsec-SA request for X.Y.45.57 queued due to no phase1 found.

            Remote IPsec log:

            Jan 14 20:01:22 racoon: [Local Site]: INFO: IPsec-SA established: ESP X.Y.45.57[500]-> A.B.14.125[500] spi=256623936(0xf4bc540)
            Jan 14 20:01:22 racoon: [Local Site]: INFO: IPsec-SA established: ESP X.Y.45.57[500]-> A.B.14.125[500] spi=13794811(0xd27dfb)
            Jan 14 20:01:22 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=> A.B.14.125[500]
            Jan 14 20:01:22 racoon: [Local Site]: [ A.B.14.125] INFO: received INITIAL-CONTACT
            Jan 14 20:01:22 racoon: [Local Site]: INFO: ISAKMP-SA established X.Y.45.57[500]- A.B.14.125[500] spi:f9a7f6f8365b050a:7bc3360f027abf56
            Jan 14 20:01:21 racoon: [Local Site]: INFO: respond new phase 1 negotiation: X.Y.45.57[500]<=> A.B.14.125[500]

      netsysadmin

              Below is an extract of the file /tmp/rules.debug:

              # Outbound NAT rules
              nat on $WAN_MAIN  proto udp from any to X.Y.45.56/29 port 500 -> A.B.14.125/32  static-port
              nat on $WAN_MAIN  proto esp from any to X.Y.45.56/29 -> A.B.14.125/32 port 1024:65535
              
              anchor "ipsec/*"
              # Block all IPv6
              block in log quick inet6 all label "Block all IPv6"
              block out log quick inet6 all label "Block all IPv6"
              #---------------------------------------------------------------------------
              # default deny rules
              #---------------------------------------------------------------------------
              block in log inet all label "Default deny rule IPv4"
              block out log inet all label "Default deny rule IPv4"
              block in log inet6 all label "Default deny rule IPv6"
              block out log inet6 all label "Default deny rule IPv6"
              
              # IPv6 ICMP is not auxilary, it is required for operation
              # See man icmp6(4)
              # 1    unreach         Destination unreachable
              # 2    toobig          Packet too big
              # 128  echoreq         Echo service request
              # 129  echorep         Echo service reply
              # 133  routersol       Router solicitation
              # 134  routeradv       Router advertisement
              # 135  neighbrsol      Neighbor solicitation
              # 136  neighbradv      Neighbor advertisement
              pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
              
              # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
              pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
              pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
              pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
              
              # We use the mighty pf, we cannot be fooled.
              block quick inet proto { tcp, udp } from any port = 0 to any
              block quick inet proto { tcp, udp } from any to any port = 0
              block quick inet6 proto { tcp, udp } from any port = 0 to any
              block quick inet6 proto { tcp, udp } from any to any port = 0
              
              # Snort package
              block quick from <snort2c> to any label "Block snort2c hosts"
              block quick from any to <snort2c> label "Block snort2c hosts"
              block in log quick proto carp from (self) to any
              pass quick proto carp
              
              # SSH lockout
              block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
              # webConfigurator lockout
              block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
              block in quick from <virusprot> to any label "virusprot overload table"
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              block in log quick on $LAN_VLAN6 from <bogons> to any label "block bogon IPv4 networks from LAN_VLAN6"
              antispoof for re1_vlan6
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              block in log quick on $WAN_MAIN from <bogons> to any label "block bogon IPv4 networks from WAN_MAIN"
              antispoof for re2_vlan11
              # block bogon networks
              # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
              # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
              
              # loopback
              pass in on $loopback inet all label "pass IPv4 loopback"
              pass out on $loopback inet all label "pass IPv4 loopback"
              pass in on $loopback inet6 all label "pass IPv6 loopback"
              pass out on $loopback inet6 all label "pass IPv6 loopback"
              # let out anything from the firewall host itself and decrypted IPsec traffic
              pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
              pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
              pass out route-to ( re2_vlan11 10.0.0.1 ) from 10.0.0.253 to !10.0.0.0/16 keep state allow-opts label "let out anything from firewall host itself"
              pass out route-to ( re2_vlan11 10.0.0.1 ) from A.B.14.122 to !A.B.14.122/32 keep state allow-opts label "let out anything from firewall host itself"
              pass out route-to ( re2_vlan11 10.0.0.1 ) from A.B.14.125 to !A.B.14.125/32 keep state allow-opts label "let out anything from firewall host itself"
              pass out on $IPsec all keep state label "IPsec internal host to host"
              
              # User-defined rules follow
              
              anchor "userrules/*"
              pass  in  quick  on $IPsec inet from any to any keep state  label "USER_RULE"
              # array key "wan" does not exist for "" in array: {LAN_VLAN6 WAN_MAIN IPsec } label "USER_RULE"
              # array key "lan" does not exist for "Default allow LAN to any rule" in array: {LAN_VLAN6 WAN_MAIN IPsec } label "USER_RULE: Default allow LAN to any rule"
              pass  in  quick  on $LAN_VLAN6 inet from 10.6.0.253/16 to any keep state  label "USER_RULE"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 ) inet from $VPN_ALL_REMOTE_LANs to 10.6.0.253/16 keep state label "USER_RULE"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 ) inet proto esp  from $VPN_REMOTE_ENDPOINTS to A.B.14.122 keep state label "USER_RULE: Tunnel VPN IPSec"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 ) inet proto esp  from $VPN_REMOTE_ENDPOINTS to A.B.14.125 keep state label "USER_RULE: Tunnel VPN IPSec"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 ) inet proto udp  from $VPN_REMOTE_ENDPOINTS port 500 to A.B.14.122 port 500 keep state label "USER_RULE: Tunnel VPN IPSec"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 ) inet proto udp  from $VPN_REMOTE_ENDPOINTS port 500 to A.B.14.125 port 500 keep state label "USER_RULE: Tunnel VPN IPSec"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 ) inet proto udp  from $VPN_REMOTE_ENDPOINTS to A.B.14.122 port 500 keep state label "USER_RULE: Tunnel VPN IPSec"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 ) inet proto udp  from $VPN_REMOTE_ENDPOINTS to A.B.14.125 port 500 keep state label "USER_RULE: Tunnel VPN IPSec"
              pass  in  quick  on $WAN_MAIN reply-to ( re2_vlan11 10.0.0.1 )  proto tcp  from $NET_VPNs to 10.6.0.253/16 flags S/SA keep state label "USER_RULE"
              # array key "opt5" does not exist for "" in array: {LAN_VLAN6 WAN_MAIN IPsec } label "USER_RULE"
              # array key "opt5" does not exist for "LAN 2" in array: {LAN_VLAN6 WAN_MAIN IPsec } label "USER_RULE: LAN 2"
              # array key "opt5" does not exist for "LAN 2" in array: {LAN_VLAN6 WAN_MAIN IPsec } label "USER_RULE: LAN 2"
              # array key "opt5" does not exist for "LAN 2" in array: {LAN_VLAN6 WAN_MAIN IPsec } label "USER_RULE: LAN 2"
              # Could not locate interface for IPsec:  Remote Site
              

              Maybe this can help find the problem.

              Thank you

      netsysadmin

                The file /tmp/rules.debug contains some references to snort, but this package is not listed in the list of installed packages!
                Is this normal?

      newbieuser1234

      I am not sure. Can you just roll back the 2.1 install to 2.0.3 if your others are working fine? I have seen some other threads with IPsec issues and 2.1.

      netsysadmin

                    I will try to do that as a final resort.

                    Today, I deleted the SADs & SPDs for this tunnel via the Status->IPsec menu on both pfSense boxes.
                    Then, I manually initiated the tunnel connection from the local pfSense. This time, the tunnel is NOT being established successfully!

                    Below are extracts of the IPsec logs on both pfSense boxes:

                    Local IPsec log:

                    Jan 16 10:31:44 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:31:34 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:31:04 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:31:01 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:30:31 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:30:29 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:29:59 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:29:57 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:29:27 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:29:26 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:28:56 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:28:53 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:28:23 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:28:22 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:28:03 racoon: INFO: purged ISAKMP-SA spi=a4af563fc9c5cfbe:9175d41fd1b77719.
                    Jan 16 10:28:03 racoon: INFO: purged IPsec-SA spi=149356395.
                    Jan 16 10:28:03 racoon: INFO: purged IPsec-SA spi=253417779.
                    Jan 16 10:28:03 racoon: INFO: purged IPsec-SA spi=2546232902.
                    Jan 16 10:28:03 racoon: INFO: purging ISAKMP-SA spi=a4af563fc9c5cfbe:9175d41fd1b77719.
                    Jan 16 10:27:52 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:27:47 racoon: INFO: unsupported PF_KEY message REGISTER
                    Jan 16 10:27:44 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:27:42 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
                    Jan 16 10:27:12 racoon: [Remote Site]: INFO: initiate new phase 2 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:27:12 racoon: [Remote Site]: INFO: ISAKMP-SA established A.B.14.125[500]-X.Y.45.57[500] spi:4ddb97edf7f2b86d:248b8de8d4a475b7
                    Jan 16 10:27:12 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                    Jan 16 10:27:12 racoon: INFO: received Vendor ID: DPD
                    Jan 16 10:27:10 racoon: INFO: begin Identity Protection mode.
                    Jan 16 10:27:10 racoon: [Remote Site]: INFO: initiate new phase 1 negotiation: A.B.14.125[500]<=>X.Y.45.57[500]
                    Jan 16 10:27:10 racoon: [Remote Site]: INFO: IPsec-SA request for X.Y.45.57 queued due to no phase1 found.

                    Remote IPsec log:

                    Jan 16 10:32:18 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:32:18 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:32:18 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:32:18 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:32:04 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:32:04 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:32:04 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:32:04 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:31:54 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:31:54 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:31:54 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:31:54 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:31:44 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:31:44 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:31:44 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:31:44 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:31:24 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:31:24 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:31:24 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:31:24 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:31:14 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:31:14 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:31:14 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:31:14 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:31:04 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:31:04 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:31:04 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:31:04 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:30:51 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:30:51 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:30:51 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:30:51 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:30:41 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:30:41 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:30:41 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:30:41 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:30:31 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:30:31 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:30:31 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:30:31 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:30:19 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:30:19 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:30:19 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:30:19 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:30:09 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:30:09 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:30:09 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:30:09 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:29:59 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:29:59 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:29:59 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:29:59 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:29:47 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:29:47 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:29:47 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:29:47 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:29:37 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:29:37 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:29:37 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:29:37 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:29:27 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:29:27 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:29:27 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:29:27 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:29:16 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:29:16 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:29:16 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:29:16 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:29:06 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:29:06 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:29:06 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:29:06 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:28:56 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:28:56 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:28:56 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:28:56 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:28:43 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:28:43 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:28:43 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:28:43 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:28:33 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:28:33 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:28:33 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:28:33 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:28:23 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:28:23 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:28:23 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:28:23 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:28:12 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:28:12 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:28:12 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:28:12 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:28:02 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:28:02 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:28:02 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:28:02 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:27:52 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:27:52 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:27:52 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:27:52 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:27:44 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:27:44 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:27:44 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:27:44 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:27:32 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:27:32 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:27:32 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:27:32 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:27:22 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:27:22 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:27:22 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:27:22 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:27:12 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
                    Jan 16 10:27:12 racoon: ERROR: failed to get proposal for responder.
                    Jan 16 10:27:12 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
                    Jan 16 10:27:12 racoon: [Local Site]: INFO: respond new phase 2 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]
                    Jan 16 10:27:12 racoon: [Local Site]: INFO: ISAKMP-SA established X.Y.45.57[500]-A.B.14.125[500] spi:4ddb97edf7f2b86d:248b8de8d4a475b7
                    Jan 16 10:27:10 racoon: INFO: received Vendor ID: DPD
                    Jan 16 10:27:10 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
                    Jan 16 10:27:10 racoon: INFO: begin Identity Protection mode.
                    Jan 16 10:27:10 racoon: [Local Site]: INFO: respond new phase 1 negotiation: X.Y.45.57[500]<=>A.B.14.125[500]

      There seems to be a problem during phase 2 negotiation, but after checking the 2 configs, I don't find any problem with either side's phase 2 parameters.

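As an added diagnostic (not from this thread, pfSense or racoon), the script below parses racoon excerpts from both ends of a site-to-site tunnel: it checks that the two ends share the same ISAKMP-SA cookies and the same ESP SPIs, and when the responder logs "no policy found" it reads the rejected selector pair to state which local/remote networks the responder's Phase 2 entry would have to carry. The sample log text is constructed from the excerpts posted above; the function names and the findings wording are this example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample excerpts, modelled on the racoon lines posted in this thread
# (Jan 14: tunnel established on both ends; Jan 16: phase 2 refused by the responder).
LOCAL_JAN14 = """\
Jan 14 20:01:22 racoon: [Remote Site]: INFO: IPsec-SA established: ESP A.B.14.125[500]->X.Y.45.57[500] spi=13794811(0xd27dfb)
Jan 14 20:01:22 racoon: [Remote Site]: INFO: IPsec-SA established: ESP A.B.14.125[500]->X.Y.45.57[500] spi=256623936(0xf4bc540)
Jan 14 20:01:22 racoon: [Remote Site]: INFO: ISAKMP-SA established A.B.14.125[500]-X.Y.45.57[500] spi:f9a7f6f8365b050a:7bc3360f027abf56
"""
REMOTE_JAN14 = """\
Jan 14 20:01:22 racoon: [Local Site]: INFO: IPsec-SA established: ESP X.Y.45.57[500]-> A.B.14.125[500] spi=256623936(0xf4bc540)
Jan 14 20:01:22 racoon: [Local Site]: INFO: IPsec-SA established: ESP X.Y.45.57[500]-> A.B.14.125[500] spi=13794811(0xd27dfb)
Jan 14 20:01:22 racoon: [Local Site]: INFO: ISAKMP-SA established X.Y.45.57[500]- A.B.14.125[500] spi:f9a7f6f8365b050a:7bc3360f027abf56
"""
LOCAL_JAN16 = """\
Jan 16 10:31:34 racoon: ERROR: X.Y.45.57 give up to get IPsec-SA due to time up to wait.
Jan 16 10:27:12 racoon: [Remote Site]: INFO: ISAKMP-SA established A.B.14.125[500]-X.Y.45.57[500] spi:4ddb97edf7f2b86d:248b8de8d4a475b7
"""
REMOTE_JAN16 = """\
Jan 16 10:32:18 racoon: [Local Site]: [A.B.14.125] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Jan 16 10:32:18 racoon: ERROR: no policy found: 10.6.0.0/16[0] 192.168.6.0/24[0] proto=any dir=in
Jan 16 10:27:12 racoon: [Local Site]: INFO: ISAKMP-SA established X.Y.45.57[500]-A.B.14.125[500] spi:4ddb97edf7f2b86d:248b8de8d4a475b7
"""

# Patterns for the racoon message shapes seen in the thread.
RE_PH1 = re.compile(r"ISAKMP-SA established \S+\[\d+\]-\s*\S+\[\d+\] spi:([0-9a-f]+:[0-9a-f]+)")
RE_PH2 = re.compile(r"IPsec-SA established: ESP .* spi=(\d+)\(0x[0-9a-f]+\)")
RE_NOPOL = re.compile(r"no policy found: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(\w+)")
RE_GIVEUP = re.compile(r"ERROR: \S+ give up to get IPsec-SA")


@dataclass
class Summary:
    isakmp_spis: set = field(default_factory=set)      # phase 1 cookie pairs seen
    esp_spis: set = field(default_factory=set)         # phase 2 ESP SPIs installed
    missing_policies: set = field(default_factory=set) # (src, dst, dir) the responder refused
    give_ups: int = 0                                  # initiator timed out waiting for phase 2


def parse_racoon(text: str) -> Summary:
    """Collect the phase 1 / phase 2 facts from one end's racoon log."""
    s = Summary()
    for line in text.splitlines():
        if m := RE_PH1.search(line):
            s.isakmp_spis.add(m.group(1))
        elif m := RE_PH2.search(line):
            s.esp_spis.add(int(m.group(1)))
        elif m := RE_NOPOL.search(line):
            s.missing_policies.add((m.group(1), m.group(2), m.group(3)))
        elif RE_GIVEUP.search(line):
            s.give_ups += 1
    return s


def diagnose(local: Summary, remote: Summary) -> list[str]:
    """Return findings for a tunnel from the initiator's and responder's logs."""
    findings = []
    if not (local.isakmp_spis & remote.isakmp_spis):
        findings.append("phase1: no ISAKMP-SA shared by both ends; fix IKE (PSK, proposals, endpoints) first")
        return findings
    findings.append("phase1: ISAKMP-SA established and identical on both ends")
    if local.esp_spis and local.esp_spis == remote.esp_spis:
        # Same SPIs in both kernels: IKE did its job, so a traffic failure now lies in
        # SPD entries, routing or firewall rules for the decrypted packets, not in IKE.
        findings.append("phase2: same ESP SPIs installed on both ends; IKE is fine, "
                        "check SPD entries, routes and firewall rules for the decrypted traffic")
        return findings
    for src, dst, direction in sorted(remote.missing_policies):
        # dir=in on the responder means traffic arriving from `src` destined to `dst`,
        # so its Phase 2 entry must list `dst` as the local network and `src` as the remote one.
        findings.append(f"phase2: responder has no SPD policy for {src} -> {dst} (dir={direction}); "
                        f"its Phase 2 must be local={dst} remote={src}, the exact mirror of the initiator")
    if local.give_ups and not local.esp_spis:
        findings.append(f"phase2: initiator gave up {local.give_ups} time(s) waiting for an IPsec-SA")
    return findings


if __name__ == "__main__":
    for label, loc, rem in (("Jan 14", LOCAL_JAN14, REMOTE_JAN14), ("Jan 16", LOCAL_JAN16, REMOTE_JAN16)):
        print(label)
        for finding in diagnose(parse_racoon(loc), parse_racoon(rem)):
            print("  " + finding)
```

Feed it the full excerpts from both pfSense boxes rather than these samples; the Jan 14 case yields the "IKE is fine" verdict, the Jan 16 case names the selector pair the responder rejected.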
      netsysadmin

      I edited both phase 2 configs & set the lifetimes to 3600 (they were 86400) and saved the configs.
                      Then, I refreshed the IPsec status pages and the tunnel showed as "active".

                      But of course, I still cannot ping/access the other network!

                      I restored the lifetimes to 86400 and the tunnel is still showing as "active", but the remote network is still not accessible from the local network, and vice versa.

                      Strange?

                        netsysadmin

                        2 days ago, I restarted the local pfSense box (version 2.1), then pinged a couple of hosts on the remote LAN and the pings were successful!
                        Now, it's not working again :( / >:(

                        It seems there must be a problem with IPsec on 2.1.
                        As soon as I get some time, I'll install version 2.0.3 and see whether the problem persists.

                        Thank you.

                          netsysadmin

                          I upgraded to the 2.1.1 PRE-RELEASE version without any success.

                            wahn

                            So I got this problem too, and I rolled back to 2.0.3 and it works. I think there is a problem with the routing in version 2.1: on an upgrade it works, but on an install it doesn't. I hope it helps. bb

                              newbieuser1234

                              Why are you hesitant to roll back to 2.0.3?

                                netsysadmin

                                Yes, you are right.
                                I am trying everything possible before the last resort of rolling back to 2.0.3.
                                I think I got used to the interface, the traffic shaping queue status, …

                                I'm even trying OpenVPN, but I'm having the same problem, which is making me wonder whether the problem is elsewhere!
                                The OpenVPN tunnel is UP, but I'm unable to access the hosts on either remote LAN.

                                Will update this post if I do find the cause of this problem.

                                  lexl

                                  We have the same problem: the tunnel is up but there is no traffic in either direction. When I restart racoon on both sides I have traffic, but after some time this stops while the tunnel status still shows up.

                                  We use the special hyper-v 2.1 build.

                                  Lex

                                    normanu

                                    @lexl:

                                    We have the same problem: the tunnel is up but there is no traffic in either direction. When I restart racoon on both sides I have traffic, but after some time this stops while the tunnel status still shows up.

                                    We use the special hyper-v 2.1 build.

                                    Lex

                                    Silly question, but did you add a rule in the firewall for the VPN interface which allows all traffic?

                                      lexl

                                      Yes, I have a rule to allow all traffic on the ipsec interface.

                                      And in fact at times it works for a while, but then traffic stops while the tunnel status still shows connected on both sides.
                                      When I restart racoon on both sides the tunnel gets connected, but maybe 1 out of 10 times I get traffic through.

                                      Lex

                                        lieutdan13

                                        Have you resolved this issue? I am seeing the same symptoms.

                                          mtafur.mfsac

                                          Questions:

                                          Is your tunnel up? (Verify in the IPsec Status / Logs.)
                                          Have you created the rule for IPsec (source: any / dest: any)?

                                          I had to create two additional rules in the LAN tab, with source: local subnet / dest: remote subnet, and vice versa.

                                          That way I had it working.

                                            lieutdan13

                                            @mtafur.mfsac:

                                            Questions:

                                            Is your tunnel up? (Verify in the IPsec Status / Logs.)
                                            Have you created the rule for IPsec (source: any / dest: any)?

                                            I had to create two additional rules in the LAN tab, with source: local subnet / dest: remote subnet, and vice versa.

                                            That way I had it working.

                                            I created the rules as stated and the VPN worked for about 5 minutes. After many wasted hours of troubleshooting, I finally removed the IPsec configuration for the tunnel on both sides and started from scratch, setting them up side by side. The tunnels have now been working for a few hours without any issues whatsoever. I will give it the weekend before I am confident.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.