    Intermittent Disconnects of IPSEC Tunnel

    IanBZa

      Hi,

      We have a strange occurrence where our IPsec tunnel disconnects at odd intervals with the following errors:

      Dec 16 09:56:49 charon 05[NET] <con1|159>sending packet: from LocalPublicIP[500] to RemotePublicIP[500] (68 bytes)
      Dec 16 09:56:49 charon 05[ENC] <con1|159>generating CREATE_CHILD_SA response 62 [ N(TS_UNACCEPT) ]
      Dec 16 09:56:49 charon 05[IKE] <con1|159>failed to establish CHILD_SA, keeping IKE_SA
      Dec 16 09:56:49 charon 05[IKE] <con1|159>traffic selectors 10.0.64.1/32|/0[icmp/0] 10.0.64.1/32|/0 === 172.25.48.36/32|/0[icmp/0] 172.25.48.36/32|/0 inacceptable
      Dec 16 09:56:49 charon 05[IKE] <con1|159>received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Dec 16 09:56:49 charon 05[ENC] <con1|159>parsed CREATE_CHILD_SA request 62 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
      Dec 16 09:56:49 charon 05[NET] <con1|159>received packet: from RemotePublicIP[500] to 197.189.240.201[500] (220 bytes)
      Dec 16 09:56:48 charon 11[NET] <con1|159>sending packet: from LocalPublicIP[500] to 41.223.117.209[500] (68 bytes)
      Dec 16 09:56:48 charon 11[ENC] <con1|159>generating CREATE_CHILD_SA response 61 [ N(TS_UNACCEPT) ]
      Dec 16 09:56:48 charon 11[IKE] <con1|159>failed to establish CHILD_SA, keeping IKE_SA

      This just repeats and repeats. To resolve we stop and restart IPsec and it works fine thereafter for a random interval. The strange thing is there is another IPsec connection to a different provider which doesn't drop.

      We are connecting to a Huawei firewall from pfSense 2.3.2.

      Any ideas why this happens? Apologies if this is a stupid question :)

      Thanks
      Ian

      gerdesj

        @IanBZa:

        traffic selectors 10.0.64.1/32|/0[icmp/0] 10.0.64.1/32|/0 === 172.25.48.36/32|/0[icmp/0] 172.25.48.36/32|/0 inacceptable

        To me the above looks like your error.  If those IP addresses are the internal IPs of your firewall then that could be an attempt by the other end to form an additional phase 2.  Anyway in the absence of anything concrete, double check your phase 2 settings at both ends especially network addresses and subnet masks.

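        As an added illustration of the check gerdesj suggests (not code from the thread or from pfSense/strongSwan), the script below parses charon's "traffic selectors ... inacceptable" line and reports which side of the peer's proposal falls outside the configured Phase 2 networks. The Phase 2 entries in PHASE2 are constructed assumptions; the log line is the one quoted above.

```python
import ipaddress
import re

# Constructed sample: the charon rejection line quoted in the thread.
SAMPLE_LOG = """\
Dec 16 09:56:49 charon 05[IKE] <con1|159>traffic selectors 10.0.64.1/32|/0[icmp/0] 10.0.64.1/32|/0 === 172.25.48.36/32|/0[icmp/0] 172.25.48.36/32|/0 inacceptable
"""

# Assumed pfSense Phase 2 entries (constructed, not from the thread): (local, remote).
PHASE2 = [
    ("10.0.64.0/24", "172.25.50.0/24"),
]

TS_RE = re.compile(r"traffic selectors (?P<local>.+?) === (?P<remote>.+?) inacceptable")
CIDR_RE = re.compile(r"\d+\.\d+\.\d+\.\d+/\d+")

def parse_ts_line(line):
    """(local_nets, remote_nets) proposed in a charon TS_UNACCEPT line, else None.
    charon prints one selector per protocol, so duplicate CIDRs are collapsed."""
    m = TS_RE.search(line)
    if not m:
        return None
    local = [ipaddress.ip_network(c) for c in dict.fromkeys(CIDR_RE.findall(m["local"]))]
    remote = [ipaddress.ip_network(c) for c in dict.fromkeys(CIDR_RE.findall(m["remote"]))]
    return local, remote

def diagnose(proposal, phase2=PHASE2):
    """Report which side of the peer's proposal no configured Phase 2 entry contains."""
    local, remote = proposal
    cfg = [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in phase2]
    def fits(nets, net): return all(n.subnet_of(net) for n in nets)
    if any(fits(local, pl) and fits(remote, pr) for pl, pr in cfg):
        return "covered"  # charon could narrow into this entry; look at proto/port limits instead
    local_ok = any(fits(local, pl) for pl, _ in cfg)
    remote_ok = any(fits(remote, pr) for _, pr in cfg)
    if not local_ok and not remote_ok:
        return "both sides outside Phase 2"
    return "remote side outside Phase 2" if local_ok else "local side outside Phase 2"

def check_log(text, phase2=PHASE2):
    """[(local CIDRs, remote CIDRs, verdict)] for every rejected proposal in text."""
    out = []
    for line in text.splitlines():
        p = parse_ts_line(line)
        if p is not None:
            out.append(([str(n) for n in p[0]], [str(n) for n in p[1]], diagnose(p, phase2)))
    return out

if __name__ == "__main__":
    for local, remote, verdict in check_log(SAMPLE_LOG):
        print(" ".join(local), "===", " ".join(remote), "->", verdict)
```

        A verdict of "covered" against your real Phase 2 list means the subnets are not the problem and the protocol/port restriction on the selector (the [icmp/0] part) is the next thing to compare at both ends.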
        IanBZa

          Thanks Jon - I'll get them to confirm from their end and see if I can spot any misconfigurations.

          As a side note, it hasn't dropped since I posted this message, but there have been no configuration changes - so very strange :)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.