Netgate Discussion Forum
Help Please: Phase 2 Tunnels are down

IPsec
7 Posts 2 Posters 2.2k Views
frostmir:

Hello Everyone,

I need help on this. Our Phase 2 VPN tunnel is currently down. I don't really have knowledge about IPsec. I am just browsing the internet for any info about pfSense. I do not know what causes the Phase 2 VPN tunnel to be unable to establish its connection to our other site. Usually if I restart the IPsec service and the VPN tunnels, the connection comes back UP, but today it can't. I have included the IPsec logs for your review.

Thanks

[attached image: IPsec logs]
cmb:

You can see there that your config doesn't match, configured proposals vs. received proposals. You have PFS enabled on one side and disabled on the other.
frostmir:

Hi,

Thanks a lot for responding.

I restarted our pfSense virtual router and the Phase 2 VPN tunnels went up.

We always encounter this kind of problem. What can we do to resolve it once it occurs again? I mean, we cannot always restart the pfSense; is there another way to avoid a total outage on the router?

Please advise.

Regards
cmb:

The configuration didn't match at the time, that didn't change by rebooting. It appears maybe when the remote end is initiator, it uses a config that doesn't match your end's config. But as responder, it accepts your configured settings. When you reboot, the stop of strongswan sends a DELETE to the remote, then when it boots back up, your end is going to initiate before the remote does.

You'll need to make sure the config on the remote end matches your PFS settings, as it did not in the logs you posted and that's why it was failing.
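As an added illustration of the check cmb describes (not code from the thread or from pfSense/strongSwan), the script below reads the "received proposals" / "configured proposals" lines that strongSwan's charon logs when a Phase 2 (CHILD_SA) negotiation fails and reports whether one side's ESP proposal carries a Diffie-Hellman group (PFS on) while the other's does not. The log lines are constructed samples modelled on charon's message format, and the function names are my own.

```python
import re

# Constructed sample log lines (not from the thread), modelled on the
# "received proposals" / "configured proposals" messages strongSwan's charon
# writes when it cannot agree a Phase 2 proposal with the peer.
MISMATCH_LOG = """\
Jan 10 09:12:01 charon: 06[IKE] <con1|12> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jan 10 09:12:01 charon: 06[IKE] <con1|12> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jan 10 09:12:01 charon: 06[IKE] <con1|12> no acceptable proposal found
"""

# Same exchange after both ends were set to PFS with the same DH group.
MATCHED_LOG = """\
Jan 10 09:15:44 charon: 07[IKE] <con1|13> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jan 10 09:15:44 charon: 07[IKE] <con1|13> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
"""

PROPOSAL_RE = re.compile(r"(received|configured) proposals: (.+)$")

# Transform-name prefixes charon uses for DH groups. A DH group inside an
# ESP proposal is what "PFS enabled" looks like on the wire.
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")


def extract_proposals(log_text):
    """Collect received and configured ESP proposals from charon log lines.

    charon lists several proposals on one line separated by ", ".
    """
    found = {"received": [], "configured": []}
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            found[m.group(1)].extend(p.strip() for p in m.group(2).split(","))
    return found


def has_pfs(proposal):
    """True if a single proposal string (e.g. 'ESP:AES_CBC_256/.../MODP_2048/...')
    carries a DH group, i.e. that side wants PFS."""
    transforms = proposal.split(":", 1)[-1].split("/")
    return any(t.startswith(DH_PREFIXES) for t in transforms)


def diagnose_pfs(log_text):
    """Report whether each side offered PFS and whether they disagree.

    A side that lists several proposals counts as offering PFS if any of
    them carries a DH group. Returns None when the log does not contain
    both message types, so there is nothing to compare.
    """
    found = extract_proposals(log_text)
    if not found["received"] or not found["configured"]:
        return None
    received_pfs = any(has_pfs(p) for p in found["received"])
    configured_pfs = any(has_pfs(p) for p in found["configured"])
    return {
        "received_pfs": received_pfs,      # what the remote peer sent
        "configured_pfs": configured_pfs,  # what this pfSense is set to
        "pfs_mismatch": received_pfs != configured_pfs,
    }


if __name__ == "__main__":
    for name, log in (("mismatch", MISMATCH_LOG), ("matched", MATCHED_LOG)):
        print(name, diagnose_pfs(log))
```

Run it against a copy of the IPsec log (Status > System Logs > IPsec in pfSense, or /var/log/ipsec.log) captured while the tunnel is failing; a `pfs_mismatch` of `True` is the "PFS on one side, off on the other" condition, and the fix is to set the same PFS group on both ends rather than to restart the service.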
frostmir:

The other end of our tunnel is actually using a Sophos firewall for our VPN connection. Can I do something else to fix it when the VPN Phase 2 goes down again? Do we have to reconfigure both ends, or is it that these firewalls are not really compatible?

Regards
cmb:

They're compatible, the config just has to match. Verify the PFS configuration, it's clear you have a config mismatch there which the Sophos doesn't seem to care about when you initiate to it.
frostmir:

Thanks a lot then. This solves my problem.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.