Netgate Discussion Forum
    2.2.6 - some IPsec phase 2 entries won't come up - how to troubleshoot?

    ZPrime

      Looking for some guidance on troubleshooting phase 2 entries that won't establish.  I have a single IKEv1 tunnel to a Palo Alto firewall.  I have a bunch of individual phase 2 SAs defined for various subnets that I need to tunnel – the PA supports "route based" VPN (i.e. each endpoint is part of a /30 or similar and you simply route various other subnets across that tunnel) but pfSense doesn't support this (as far as I'm aware?), so I have to define the individual subnets I need to reach on the remote side.

      Several of the phase 2 SAs are up and established, but at least one of them isn't coming up.  It's configured in the same manner as the others, with the same options, so I'm not sure where the problem lies here.

      What individual "services" in the IPsec settings do I need to increase logging on to help track this down?  I've turned "SA Manager" and "IKE SA" and "IKE Child SA" up to both "diag" and then "raw" and wasn't getting anything enlightening... but maybe I just don't know how to read it?

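      Since the question is how to get something useful out of the raised IKE Child SA logging, here is an added example of reading the charon log per phase 2. It is not from the original post, from Netgate or from strongSwan: the regexes follow the wording of strongSwan charon messages as the editor knows them (verify against your own log, since the script keys on those phrases), the sample log lines and the CONFIGURED_PHASE2 subnets are constructed for the example, and the notify hints are generic IKEv1 guidance rather than anything the post states about the Palo Alto. It lists which configured local/remote pairs established, which never did, and what error notify was received while the missing one was being negotiated.

```python
"""Pick out phase 2 (CHILD_SA) outcomes from strongSwan charon log lines.

Usage: python ipsec_p2_report.py /var/log/ipsec.log
Without an argument it runs on the constructed sample below.
"""
import re
import sys

# Regexes follow the wording of charon messages as the editor knows them;
# verify against your own log, since everything below keys on these phrases.
IKE_SA = re.compile(r'charon: \d+\[\w+\] <(?P<ike>[^>]+)> (?P<msg>.*)$')
ESTABLISHING = re.compile(r'establishing CHILD_SA (?P<child>\S+\{\d+\})')
ESTABLISHED = re.compile(r'CHILD_SA (?P<child>\S+\{\d+\}) established with SPIs .* '
                         r'and TS (?P<local>.+?) === (?P<remote>.+)$')
NO_CONFIG = re.compile(r'no matching CHILD_SA config found for (?P<local>.+?) === (?P<remote>.+)$')
NOTIFY = re.compile(r'received (?P<type>[A-Z_]+) error notify')

# Generic IKEv1 meaning of the two notifies that most often explain a stuck phase 2
# (editor's guidance, not something the log or the post states).
HINTS = {
    'INVALID_ID_INFORMATION': 'traffic selectors (proxy IDs) do not match what the peer has configured',
    'NO_PROPOSAL_CHOSEN': 'phase 2 cipher/hash/PFS proposal rejected by the peer',
}


def parse_ipsec_log(lines):
    """Group CHILD_SA events by outcome.

    An error notify carries no traffic selectors, so it is attributed to the
    CHILD_SA last seen being negotiated on the same IKE SA. That is a heuristic,
    not something the log states explicitly."""
    result = {
        'established': {},   # (local TS, remote TS) -> child SA id
        'no_config': [],     # TS pairs the peer proposed that we have no phase 2 for
        'failed': [],        # (child SA id, notify type, hint)
    }
    negotiating = {}         # IKE SA id -> child SA id currently in quick mode
    for line in lines:
        m = IKE_SA.search(line)
        if not m:
            continue
        ike, msg = m.group('ike'), m.group('msg')
        if e := ESTABLISHING.search(msg):
            negotiating[ike] = e.group('child')
        elif e := ESTABLISHED.search(msg):
            result['established'][(e.group('local'), e.group('remote'))] = e.group('child')
            if negotiating.get(ike) == e.group('child'):
                del negotiating[ike]
        elif e := NO_CONFIG.search(msg):
            result['no_config'].append((e.group('local'), e.group('remote')))
        elif e := NOTIFY.search(msg):
            kind = e.group('type')
            result['failed'].append((negotiating.get(ike, 'unknown'), kind,
                                     HINTS.get(kind, 'look the notify type up in RFC 2408')))
    return result


def missing_phase2(configured, parsed):
    """Configured (local, remote) pairs that never produced an 'established' line."""
    return [pair for pair in configured if pair not in parsed['established']]


def report(configured, lines):
    """One line per phase 2: UP, MISSING, ERROR, or a peer proposal we cannot match."""
    parsed = parse_ipsec_log(lines)
    out = []
    for (local, remote), child in sorted(parsed['established'].items()):
        out.append(f'UP      {local} === {remote}  ({child})')
    for local, remote in missing_phase2(configured, parsed):
        out.append(f'MISSING {local} === {remote}  (never established)')
    for child, kind, hint in parsed['failed']:
        out.append(f'ERROR   {child}: {kind} -> {hint}')
    for local, remote in parsed['no_config']:
        out.append(f'PEER    proposed {local} === {remote}, no local phase 2 matches it')
    return out


# Constructed sample, modelled on charon output: two phase 2s come up, the third
# draws INVALID_ID_INFORMATION, and the peer later proposes a pair we do not have.
SAMPLE_LOG = """\
Jan 12 10:00:01 pfsense charon: 06[IKE] <con1000|3> establishing CHILD_SA con1000{1}
Jan 12 10:00:01 pfsense charon: 06[IKE] <con1000|3> CHILD_SA con1000{1} established with SPIs c1a2b3c4_i d4e5f6a7_o and TS 10.0.1.0/24 === 192.168.50.0/24
Jan 12 10:00:02 pfsense charon: 09[IKE] <con1000|3> establishing CHILD_SA con1000{2}
Jan 12 10:00:02 pfsense charon: 09[IKE] <con1000|3> CHILD_SA con1000{2} established with SPIs 0a1b2c3d_i 4e5f6a7b_o and TS 10.0.2.0/24 === 192.168.60.0/24
Jan 12 10:00:03 pfsense charon: 11[IKE] <con1000|3> establishing CHILD_SA con1000{3}
Jan 12 10:00:03 pfsense charon: 11[IKE] <con1000|3> received INVALID_ID_INFORMATION error notify
Jan 12 10:00:10 pfsense charon: 05[IKE] <con1000|3> no matching CHILD_SA config found for 10.0.9.0/24 === 192.168.70.0/24
"""

# Assumed local/remote subnets of the pfSense phase 2 entries (constructed).
CONFIGURED_PHASE2 = [
    ('10.0.1.0/24', '192.168.50.0/24'),
    ('10.0.2.0/24', '192.168.60.0/24'),
    ('10.0.3.0/24', '192.168.70.0/24'),
]

if __name__ == '__main__':
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    print('\n'.join(report(CONFIGURED_PHASE2, lines)))
```

      On the sample the report marks 10.0.3.0/24 === 192.168.70.0/24 as MISSING, attributes the INVALID_ID_INFORMATION notify to con1000{3}, and shows the peer offering 10.0.9.0/24 for the same remote subnet, which is the kind of proxy-ID mismatch that keeps one phase 2 down while its siblings are fine. Fill CONFIGURED_PHASE2 from your own phase 2 entries and point the script at the log file (the path above is an assumption); on a strongSwan-based pfSense, `ipsec statusall` from a shell gives the same established/not-established picture without the log.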
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.