Netgate Discussion Forum

    Multiple Phase2 entries does not seem to work in IPSec.

    sabinlal28

      I have 2 Phase 2 entries, but only one works at a time. Sometimes both P2s work, but I am not sure why this happens.

      Listening IP addresses:
      X.X.X.X
      X.X.X.X
      X.X.X.X
      Connections:
      con1000: X.X.X.X...X.X.X.X IKEv2
      con1000: local: [X.X.X.X] uses pre-shared key authentication
      con1000: remote: [X.X.X.X] uses pre-shared key authentication
      con1000: child: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0 TUNNEL
      con1001: child: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0 TUNNEL
      Routed Connections:
      con1001{28}: ROUTED, TUNNEL, reqid 3
      con1001{28}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0
      con1000{27}: ROUTED, TUNNEL, reqid 1
      con1000{27}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0
      Security Associations (2 up, 0 connecting):
      con1000[3]: ESTABLISHED 11 minutes ago, X.X.X.X[X.X.X.X]...X.X.X.X[X.X.X.X]
      con1000[3]: IKEv2 SPIs: 01129db8f2a17834_i* 9698e672f3e59914_r, pre-shared key reauthentication in 23 hours
      con1000[3]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      con1000{30}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: ceca2dee_i db4e1d4f_o
      con1000{30}: AES_CBC_256/HMAC_SHA2_256_128, 868 bytes_i (16 pkts, 703s ago), 1760 bytes_o (16 pkts, 421s ago), rekeying in 7 hours
      con1000{30}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0
      con1000[2]: ESTABLISHED 11 minutes ago, X.X.X.X[X.X.X.X]...X.X.X.X[X.X.X.X]
      con1000[2]: IKEv2 SPIs: 730214bbab75ff3a_i* 3d9b52be6f436a7f_r, pre-shared key reauthentication in 23 hours
      con1000[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      con1001{29}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1830a7a_i 1042387a_o
      con1001{29}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 8060 bytes_o (69 pkts, 429s ago), rekeying in 7 hours
      con1001{29}: X.X.X.X/32|X.X.X.X/32 === X.X.X.X/32|/0

    jimp (Rebel Alliance Developer, Netgate)

        You've masked out too much information. So much that it's impossible to tell what might be happening.

        Are you using NAT on these? On both? Are both using the same NAT address and remote network?

        If you could try it again but use a unique value corresponding to each address involved that would help.

        If you are NATing on both, that's sort of a known issue (a.a.a.a NAT to b.b.b.b, remote z.z.z.z + a.a.a.c NAT to b.b.b.b, remote z.z.z.z), since to the other side it looks like one single P2, so it won't necessarily establish a new one.

    sabinlal28

          Listening IP addresses:
          y.y.y.y
          172.31.1.60
          10.10.10.1
          Connections:
          con1000: y.y.y.y...x.x.x.x IKEv2
          con1000: local: [y.y.y.y] uses pre-shared key authentication
          con1000: remote: [x.x.x.x] uses pre-shared key authentication
          con1000: child: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0 TUNNEL
          con1001: child: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0 TUNNEL
          Routed Connections:
          con1001{3}: ROUTED, TUNNEL, reqid 3
          con1001{3}: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0
          con1000{2}: ROUTED, TUNNEL, reqid 2
          con1000{2}: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0
          Security Associations (2 up, 0 connecting):
          con1000[2]: ESTABLISHED 17 minutes ago, y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
          con1000[2]: IKEv2 SPIs: 992902db969bef38_i* 32014dd909ca69e2_r, pre-shared key reauthentication in 23 hours
          con1000[2]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
          con1001{5}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1cff00b_i 700aa3d1_o
          con1001{5}: AES_CBC_256/HMAC_SHA2_256_128, 1064 bytes_i (20 pkts, 1057s ago), 2224 bytes_o (20 pkts, 115s ago), rekeying in 7 hours
          con1001{5}: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0
          con1000[1]: ESTABLISHED 17 minutes ago, y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
          con1000[1]: IKEv2 SPIs: 1fb87f4e5e23c80a_i* 117b188b169c98e2_r, pre-shared key reauthentication in 23 hours
          con1000[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
          con1000{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cda1876b_i 842a4278_o
          con1000{4}: AES_CBC_256/HMAC_SHA2_256_128, 868 bytes_i (16 pkts, 1056s ago), 1760 bytes_o (16 pkts, 1015s ago), rekeying in 7 hours
          con1000{4}: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0

          x.x.x.x => remote gateway

          y.y.y.y => router gateway

    sabinlal28

            @jimp said in Multiple Phase2 entries does not seem to work in IPSec.:

            "If you could try it again but use a unique value corresponding to each address involved that would help."

            172.31.1.60 and 10.10.10.1 are the IPs of the LAN interfaces

            172.31.1.91<Nat>10.255.68.201

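As an added example (not code from this thread, from the poster, or from Netgate), here is a small Python check over strongSwan `ipsec statusall` output of the kind pasted above. It reads each `child:` line's `nat|real` local selector the way the poster's own note (172.31.1.91 NATed to 10.255.68.201) implies, groups the Phase 2 entries by what the remote peer actually sees (the NAT-side address plus the remote network), and reports any group of two or more entries, which is the overlap jimp describes. It also reports installed child SAs that have sent bytes but received none, the `0 bytes_i` pattern visible for con1001 in the first status dump. `SAMPLE_STATUS` is constructed from lines in this thread (with the con1001 counters taken from the first dump), and `SAMPLE_OVERLAP` is an invented variant that shows the positive case; the `nat|real` reading of the selector is an assumption based on the poster's note, not a documented strongSwan format.

```python
"""Sanity checks over strongSwan `ipsec statusall` output for pfSense-style
NAT/BINAT Phase 2 entries. Added example; the `nat|real` reading of the
local traffic selector is assumed from the poster's own NAT note."""
import re
from collections import defaultdict

# Constructed sample: connection lines from the second status dump, with the
# con1001 byte counters taken from the first dump (0 bytes_i, traffic only out).
SAMPLE_STATUS = """\
Connections:
con1000: y.y.y.y...x.x.x.x IKEv2
con1000: child: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0 TUNNEL
con1001: child: 10.255.68.201/32|172.31.1.91/32 === 172.29.116.71/32|/0 TUNNEL
Security Associations (2 up, 0 connecting):
con1001{5}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c1cff00b_i 700aa3d1_o
con1001{5}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 8060 bytes_o (69 pkts, 429s ago), rekeying in 7 hours
con1000{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cda1876b_i 842a4278_o
con1000{4}: AES_CBC_256/HMAC_SHA2_256_128, 868 bytes_i (16 pkts, 1056s ago), 1760 bytes_o (16 pkts, 1015s ago), rekeying in 7 hours
"""

# Invented variant of the case jimp describes: two P2 entries that NAT
# different LAN hosts to the same address towards the same remote network.
SAMPLE_OVERLAP = """\
Connections:
con1000: child: 10.255.68.201/32|172.31.1.91/32 === 172.25.116.79/32|/0 TUNNEL
con1001: child: 10.255.68.201/32|172.31.1.92/32 === 172.25.116.79/32|/0 TUNNEL
"""

CHILD_RE = re.compile(r"^(?P<conn>\S+): child:\s+(?P<local>\S+) === (?P<remote>\S+)")
SA_RE = re.compile(
    r"^(?P<conn>\S+)\{(?P<id>\d+)\}: \S+, (?P<bytes_i>\d+) bytes_i.*?, (?P<bytes_o>\d+) bytes_o"
)


def effective_selector(ts):
    """Selector the peer negotiates on: for `nat|real` that is the NAT side;
    a bare selector, or `x|/0` with an empty right part, yields its first component."""
    return ts.split("|", 1)[0]


def parse_children(status_text):
    """Yield (conn, effective_local, real_local, effective_remote) per child line."""
    for line in status_text.splitlines():
        m = CHILD_RE.match(line.strip())
        if not m:
            continue
        parts = m["local"].split("|", 1)
        real_local = parts[1] if len(parts) == 2 else parts[0]
        yield m["conn"], parts[0], real_local, effective_selector(m["remote"])


def find_ambiguous_children(status_text):
    """Group P2 entries by (NAT-side local, remote) as the peer sees them.
    Two or more entries in one group look like a single Phase 2 to the peer,
    which is the overlap jimp warns about. Returns {key: [conn, ...]}."""
    groups = defaultdict(list)
    for conn, eff_local, _real_local, eff_remote in parse_children(status_text):
        groups[(eff_local, eff_remote)].append(conn)
    return {key: conns for key, conns in groups.items() if len(conns) > 1}


def find_one_way_child_sas(status_text):
    """Return child SAs that have sent traffic but received none: an installed
    tunnel whose return path is not delivering anything."""
    suspects = []
    for line in status_text.splitlines():
        m = SA_RE.match(line.strip())
        if m and int(m["bytes_o"]) > 0 and int(m["bytes_i"]) == 0:
            suspects.append(f"{m['conn']}{{{m['id']}}}")
    return suspects


if __name__ == "__main__":
    print("overlapping P2s (thread data):", find_ambiguous_children(SAMPLE_STATUS))
    print("overlapping P2s (invented case):", find_ambiguous_children(SAMPLE_OVERLAP))
    print("one-way child SAs:", find_one_way_child_sas(SAMPLE_STATUS))
```

On the entries from this thread the remote networks differ (172.25.116.79/32 versus 172.29.116.71/32), so no overlap is reported; only the invented variant trips the check. The one-way test reports con1001{5}, which has sent 8060 bytes and received nothing, the same shape as con1001{29} in the first dump. To run it against a live box, replace `SAMPLE_STATUS` with the captured output of `ipsec statusall`.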
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.