Netgate Discussion Forum

    Only 1 IPSec VPN Tunnel Can be UP at a Time

    IPsec
    21 Posts 3 Posters 2.0k Views
    samyboyz

      I understand, yet what I don't understand is why one of the tunnels stopped working on its own. I had 2 working tunnels right before I left the office; one of them stopped working and now won't reconnect :(

      ![Screen Shot 02-19-18 at 09.57 PM.JPG](/public/imported_attachments/1/Screen Shot 02-19-18 at 09.57 PM.JPG)

      Derelict (Netgate)

        This is a pfSense forum. What does the pfSense side think?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        samyboyz

          Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating ISAKMP_DPD task
          Feb 20 00:08:12 charon 06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 3717885545 [ HASH N(DPD) ]
          Feb 20 00:08:12 charon 06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
          Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:12 charon 06[IKE] <con2000|4784> nothing to initiate
          Feb 20 00:08:12 charon 06[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
          Feb 20 00:08:12 charon 06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 2002702379 [ HASH N(DPD_ACK) ]
          Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:12 charon 06[IKE] <con2000|4784> nothing to initiate
          Feb 20 00:08:12 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
          Feb 20 00:08:12 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
          Feb 20 00:08:12 charon 06[ENC] <4795> could not decrypt payloads
          Feb 20 00:08:12 charon 06[IKE] <4795> message parsing failed
          Feb 20 00:08:12 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 1589880556 [ HASH N(PLD_MAL) ]
          Feb 20 00:08:12 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
          Feb 20 00:08:12 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
          Feb 20 00:08:20 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
          Feb 20 00:08:20 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
          Feb 20 00:08:20 charon 06[ENC] <4795> could not decrypt payloads
          Feb 20 00:08:20 charon 06[IKE] <4795> message parsing failed
          Feb 20 00:08:20 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 3774258457 [ HASH N(PLD_MAL) ]
          Feb 20 00:08:20 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
          Feb 20 00:08:20 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> sending DPD request
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> queueing ISAKMP_DPD task
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating ISAKMP_DPD task
          Feb 20 00:08:22 charon 06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 2948983483 [ HASH N(DPD) ]
          Feb 20 00:08:22 charon 06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> nothing to initiate
          Feb 20 00:08:22 charon 06[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
          Feb 20 00:08:22 charon 06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 545605263 [ HASH N(DPD_ACK) ]
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:22 charon 06[IKE] <con2000|4784> nothing to initiate
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> sending DPD request
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> queueing ISAKMP_DPD task
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating ISAKMP_DPD task
          Feb 20 00:08:32 charon 12[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 4259553075 [ HASH N(DPD) ]
          Feb 20 00:08:32 charon 12[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> nothing to initiate
          Feb 20 00:08:32 charon 12[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
          Feb 20 00:08:32 charon 12[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 3826683002 [ HASH N(DPD_ACK) ]
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating new tasks
          Feb 20 00:08:32 charon 12[IKE] <con2000|4784> nothing to initiate
          Feb 20 00:08:34 charon 12[JOB] <4795> deleting half open IKE_SA with 70.53.184.37 after timeout
          Feb 20 00:08:34 charon 12[IKE] <4795> IKE_SA (unnamed)[4795] state change: CONNECTING => DESTROYING

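The log above mixes two IKE_SAs: con2000|4784, whose peer 70.49.70.217 answers every DPD, and unnamed SA 4795, whose peer 70.53.184.37 sends ID_PROT (main mode) message 5 that charon cannot decrypt, so charon answers with PLD_MAL and eventually deletes the half-open SA. The following triage script is an added example, not code from this thread, from pfSense or from strongSwan; it groups charon lines by the `<conn|id>` / `<id>` tag and produces a per-SA verdict. The sample lines are copied from the posted log, and the comment on what "decryption failed?" usually means is general strongSwan behaviour (in IKEv1 main mode the ID payload is the first payload encrypted with keys derived from the PSK), not a statement made in the thread.

```python
"""Triage strongSwan (charon) IKEv1 log lines per IKE_SA (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Lines copied from the charon log posted in the thread (healthy SA con2000|4784,
# failing SA 4795). One line keeps the tag glued to the message as extracted.
SAMPLE_LOG = """\
Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:22 charon 06[IKE] <con2000|4784> sending DPD request
Feb 20 00:08:22 charon 06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 2948983483 [ HASH N(DPD) ]
Feb 20 00:08:22 charon 06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:22 charon 06[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
Feb 20 00:08:22 charon 06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 545605263 [ HASH N(DPD_ACK) ]
Feb 20 00:08:12 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
Feb 20 00:08:12 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
Feb 20 00:08:12 charon 06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:12 charon 06[IKE] <4795> message parsing failed
Feb 20 00:08:12 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 1589880556 [ HASH N(PLD_MAL) ]
Feb 20 00:08:12 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
Feb 20 00:08:12 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:34 charon 12[JOB] <4795> deleting half open IKE_SA with 70.53.184.37 after timeout
Feb 20 00:08:34 charon 12[IKE] <4795> IKE_SA (unnamed)[4795] state change: CONNECTING => DESTROYING
"""

# Tag is <name|id> once a connection matched, or just <id> before that.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<grp>[A-Z]+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$"
)
PKT_RE = re.compile(r"packet: from (?P<src>[\d.]+)\[\d+\] to (?P<dst>[\d.]+)\[\d+\]")


@dataclass
class SaStats:
    conn: Optional[str] = None
    peer: Optional[str] = None
    dpd_sent: int = 0
    dpd_acked: int = 0
    decrypt_failures: int = 0
    pld_mal_sent: int = 0
    half_open_timeout: bool = False

    def verdict(self) -> str:
        # Order matters: a failing handshake also ends in a half-open timeout.
        if self.decrypt_failures:
            # General strongSwan behaviour (not from the thread): in IKEv1 main
            # mode the ID payload is the first one encrypted with PSK-derived
            # keys, so this usually means the peers used different PSKs or
            # charon selected the wrong PSK for this peer.
            return "handshake failing: peer payloads do not decrypt (key/PSK mismatch)"
        if self.half_open_timeout:
            return "half-open SA timed out before ISAKMP completed"
        if self.dpd_sent and self.dpd_acked:
            return "established: peer answers DPD"
        if self.dpd_sent:
            return "established but peer is not answering DPD"
        return "no verdict"


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> Dict[str, SaStats]:
    stats: Dict[str, SaStats] = defaultdict(SaStats)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["sa"]]
        msg = rec["msg"]
        if rec["conn"]:
            s.conn = rec["conn"]
        pkt = PKT_RE.search(msg)
        if pkt:  # peer is the destination when we send, the source when we receive
            s.peer = pkt["dst"] if msg.startswith("sending") else pkt["src"]
        if "N(DPD)" in msg:
            s.dpd_sent += 1
        if "N(DPD_ACK)" in msg:
            s.dpd_acked += 1
        if "decryption failed" in msg:
            s.decrypt_failures += 1
        if "N(PLD_MAL)" in msg:
            s.pld_mal_sent += 1
        if "deleting half open IKE_SA" in msg:
            s.half_open_timeout = True
    return dict(stats)


def report(log_text: str) -> List[str]:
    rows = []
    for sa, s in sorted(triage(log_text).items(), key=lambda kv: int(kv[0])):
        rows.append(f"SA {sa} conn={s.conn or '(unnamed)'} peer={s.peer}: {s.verdict()}")
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Run it against the full log to see which peer the PLD_MAL notifications are going to; that peer's side of the PSK and identifier settings is where to look first, which is the same thing Derelict's "post both sides" request is after.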
            Derelict (Netgate)

            Looks like one side is failing and the other doesn't know it.

            You'll probably have to post the IKE and IPsec configurations from both sides.

            Are you trying to get two tunnels up between the same two endpoints?

              samyboyz

              Funny thing is, the tunnel worked until it stopped working on its own. I want to get 3 tunnels to 3 different sites, all of them set up on Zyxel routers. I managed to get all 3 up, then they drop like flies lol

              Attached are config details:

              ![Screen Shot 02-20-18 at 11.28 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.28 AM.JPG)
              ![Screen Shot 02-20-18 at 11.29 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.29 AM.JPG)
              ![Screen Shot 02-20-18 at 11.31 AM 001.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 001.JPG)
              ![Screen Shot 02-20-18 at 11.31 AM 002.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 002.JPG)
              ![Screen Shot 02-20-18 at 11.31 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM.JPG)

                Derelict (Netgate)

                That all looks OK at first glance. I would uncheck "Disable re-key" on the pfSense side.

                And please change the PSK. :)

                  dotdash

                  I do not understand what you are doing with the identifiers on the pfSense P1.
                  Normally, in that situation, I'd use DN and put in the dyndns hostname. Not sure what you are doing with the 0.0.0.0.

                    samyboyz

                    Hi! Thanks for helping me out, I appreciate it! :)

                    I did disable re-key, but no dice. Say I delete the pfSense side and re-create it exactly: it will work. Very weird.

                    @Derelict:

                    That all looks OK at first glance. I would uncheck "Disable re-key" on the pfSense side.

                    And please change the PSK. :)

                      samyboyz

                      Hi,

                      DNS or 0.0.0.0, as long as the values match on both sides, I think we're OK, if I'm not mistaken.

                      @dotdash:

                      I do not understand what you are doing with the identifiers on the pfSense P1.
                      Normally, in that situation, I'd use DN and put in the dyndns hostname. Not sure what you are doing with the 0.0.0.0.

                        samyboyz

                        Disabling NAT Traversal on all tunnels except for the one that had it enabled and was working fixed the issue; all 4 tunnels are working now…

                        I'm confused as to why, though.

                          samyboyz

                          Any reason why the tunnels freeze and rekey every 6-7 min?

                            dotdash

                            @Sarven:

                            Any reason why the tunnels freeze and rekey every 6-7 min?

                            You seem confident that it has nothing to do with using a wildcard that matches anything for your identifiers. That's all I got, so good luck.

                              samyboyz

                              Thanks Buddy

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.