Help Please: Phase 2 Tunnels are down



  • Hello Everyone,

    I need help on this. Our Phase 2 VPN tunnel is currently down. I dont realy have knowledge about IPSec. I am just basing from the internet to browse any infor about pFsense. I do not know what causes the Phase 2 VPN tunnel to unable to establish its connection to our another site. Usually if I restarted the IPSec Service and the VPN tunnels it should now turn its connection UP but today it cant. I have included the IPSec logs for your review.

    Thanks




  • You can see there that your config doesn't match, configured proposals vs. received proposals. You have PFS enabled on one side and disabled on the other.



  • Hi,

    Thanks a lot for responding

    I restarted our pfSense Virtual Router and the Phase 2 VPN tunnels went up.

    We always encountered this kind of problem. What can we do to resolve this kind of problem once the problem occurs again. I mean we cannot always restart the pfSense if there can be an another way to avoid total outage on the router.

    Please advise.

    Regards



  • The configuration didn't match at the time, that didn't change by rebooting. It appears maybe when the remote end is initiator, it uses a config that doesn't match your end's config. But as responder, it accepts your configured settings. When you reboot, the stop of strongswan sends a DELETE to the remote, then when it boots back up, your end is going to initiate before the remote does.

    You'll need to make sure the config on the remote end matches your PFS settings, as it did not in the logs you posted and that's why it was failing.



  • The other end of our tunnel is actually using a Sophos Firewall for our VPN connection. Can I do something else to get rid of it when the VPN phase 2 went down again? Do we have to make some reconfiguration on both ends or its as is that the following firewalls are not really compatible?

    Regards



  • They're compatible, the config just has to match. Verify the PFS configuration, it's clear you have a config mismatch there which the Sophos doesn't seem to care about when you initiate to it.



  • Thanks a lot then. This solves my problem.


Log in to reply