    Pfsense 2.3.2 - phase gets disconnected and reconnected with a wrong REMOTE ID

    Erik_Launay

      Hi

      I'm having an issue with one of my phase 2 entries:

      1. I created the following phase 2:
        see "phase 2 (1).jpg"

      2. The phase 2 goes up and I can ping 166.34.110.141
        see "phase 2 as expected.jpg"
        I have declared remote Network = 166.34.110.128/27 in my phase 2 and, as you can see, REMOTE ID = 166.34.110.128/27.

      3. After a while, the phase 2 gets disconnected and reconnected, but wrongly:
        see "phase 2 wrong.jpg"

      The phase 2 is wrong: I have declared remote Network = 166.34.110.128/27 in my phase 2, but as you can see I now have REMOTE ID = 166.34.110.146/32.
      So of course I can't access any device behind this VPN, as the REMOTE ID is wrong.

      I have attached the logs from pfSense, see "log.txt".

      Any idea why?

      Thank you in advance

      Attachments: phase 2 (1).jpg, phase 2 as expected.jpg, phase 2 wrong.jpg, log.txt

        Derelict (LAYER 8, Netgate)

          It looks like the other side is asking for all kinds of different stuff:

          ```
          Sep 27 14:21:05 charon          03[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 106.40.22.0/24|/0
          Sep 27 14:21:05 charon          03[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 192.168.66.0/24|/0
          Sep 27 14:21:05 charon          11[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 192.168.77.8/29|/0
          Sep 27 14:21:05 charon          15[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 192.168.66.0/24|/0
          Sep 27 14:21:05 charon          11[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 106.40.22.192/27|/0
          Sep 27 14:21:05 charon          14[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 166.34.71.59|..166.34.71.63|
          Sep 27 14:21:05 charon          11[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 106.40.19.99/32|/0
          Sep 27 14:21:05 charon          15[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 106.40.22.204/32|/0
          Sep 27 14:21:05 charon          12[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.38.213.139/32|/0
          Sep 27 14:21:05 charon          03[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.38.213.151/32|/0
          Sep 27 14:21:05 charon          06[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 106.40.22.170/32|/0
          Sep 27 14:21:05 charon          10[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.71.59|..166.34.71.63|
          Sep 27 14:21:05 charon          09[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.127.229/32|/0
          Sep 27 14:21:05 charon          08[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.38.97.225/32|/0
          Sep 27 14:21:05 charon          05[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.38.97.229/32|/0
          Sep 27 14:21:05 charon          07[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 192.168.66.78/32|/0
          Sep 27 14:21:05 charon          13[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 106.40.227.30/32|/0
          Sep 27 14:21:05 charon          07[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.38.97.236/32|/0
          Sep 27 14:21:05 charon          13[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 106.40.22.210/32|/0
          Sep 27 14:21:05 charon          13[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 106.40.22.192/27|/0
          Sep 27 14:21:04 charon          05[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 11.254.1.224/28|/0
          Sep 27 14:21:04 charon          05[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 106.40.226.19/32|/0
          Sep 27 14:21:04 charon          08[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 192.168.77.14/32|/0
          Sep 27 14:21:04 charon          07[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 106.40.226.20/32|/0
          Sep 27 14:21:04 charon          11[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.110.146/32|/0
          Sep 27 14:21:04 charon          09[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 166.38.213.151/32|/0
          Sep 27 14:21:03 charon          09[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 4.50.100.1/32|/0
          Sep 27 14:21:03 charon          05[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 10.255.255.34/32|/0
          Sep 27 14:21:03 charon          10[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.110.128/27|/0
          Sep 27 14:21:03 charon          08[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 10.10.221.0/24|/0
          Sep 27 14:21:03 charon          14[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 192.168.8.70/32|/0
          Sep 27 14:21:03 charon          07[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 11.254.1.237/32|/0
          Sep 27 14:21:03 charon          11[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 192.168.67.81/32|/0
          ```

          This one in particular stands out:

          ```
          Sep 27 14:21:03 charon          10[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.110.128/27|/0
          ```

          Correct remote subnet, incorrect local address.

          When you have the P2 active for 166.34.110.146/32, what is logged when you generate traffic from something on 192.168.40.0/24 to something in 166.34.110.128/27 that isn't 166.34.110.142?

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)
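          As an added troubleshooting aid for this thread (not code from the original posts, from pfSense or from strongSwan): a Python script that parses charon's "looking for a child config" lines and compares each pair of proposed traffic selectors against the Phase 2 we actually configured. It assumes, from Derelict's remark and Erik's reply, that the intended Phase 2 is local 38.96.246.83/32 to remote 166.34.110.128/27; four of the sample lines are copied from the log above and the last one is constructed to show what an exactly matching proposal looks like. The "remote-ok-local-mismatch" bucket is the one worth reading first: it collects exactly the proposals Derelict singled out, where the peer offers the right remote subnet (or a host inside it) together with a local address that was never configured on this side.

```python
"""Classify charon "looking for a child config" lookups against the intended Phase 2."""
import ipaddress
import re
from dataclasses import dataclass

# One charon child-config lookup line. Each selector is either a subnet with a
# protocol/port suffix ("166.34.110.128/27|/0") or an address range
# ("166.34.71.59|..166.34.71.63|"), both as they appear in the log above.
LOOKUP_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d charon\s+\d+\[CFG\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*"
    r"looking for a child config for (?P<local>\S+) === (?P<remote>\S+)$"
)


@dataclass(frozen=True)
class Phase2:
    """The Phase 2 we intend to negotiate: our local selector and the remote one."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def parse_selector(text):
    """Convert a charon traffic-selector string into a list of ip_network objects."""
    parts = text.split("|")
    if len(parts) > 1 and parts[1].startswith(".."):
        # Range form "first|..last|": the minimal set of CIDR blocks covering it.
        first = ipaddress.ip_address(parts[0])
        last = ipaddress.ip_address(parts[1][2:])
        return list(ipaddress.summarize_address_range(first, last))
    # Subnet form: keep the CIDR, drop the "/0" protocol/port qualifier.
    return [ipaddress.ip_network(parts[0], strict=False)]


def covered(nets, cfg):
    """True when every proposed network lies inside the configured selector."""
    return all(n.version == cfg.version and n.subnet_of(cfg) for n in nets)


def classify(line, p2):
    """Return (local, remote, verdict) for one lookup line, or None if it isn't one."""
    m = LOOKUP_RE.match(line.strip())
    if not m:
        return None
    local = parse_selector(m["local"])
    remote = parse_selector(m["remote"])
    local_ok, remote_ok = covered(local, p2.local), covered(remote, p2.remote)
    if local_ok and remote_ok:
        verdict = "exact" if local == [p2.local] and remote == [p2.remote] else "narrowed"
    elif remote_ok:
        # The pattern in this thread: right remote subnet, wrong local address.
        verdict = "remote-ok-local-mismatch"
    elif local_ok:
        verdict = "local-ok-remote-mismatch"
    else:
        verdict = "unrelated"
    return (m["local"], m["remote"], verdict)


def summarize(lines, p2):
    """Group every lookup line by verdict: {verdict: ["local === remote", ...]}."""
    out = {}
    for line in lines:
        result = classify(line, p2)
        if result:
            local, remote, verdict = result
            out.setdefault(verdict, []).append(f"{local} === {remote}")
    return out


# Assumed intended Phase 2 (inferred from the thread, not read from a config).
P2 = Phase2(ipaddress.ip_network("38.96.246.83/32"),
            ipaddress.ip_network("166.34.110.128/27"))

# Four lines copied from the log above plus one constructed line (the last) that
# shows what a proposal exactly matching the intended Phase 2 would look like.
SAMPLE_LINES = [
    "Sep 27 14:21:03 charon 10[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.110.128/27|/0",
    "Sep 27 14:21:04 charon 11[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.110.146/32|/0",
    "Sep 27 14:21:05 charon 03[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 106.40.22.0/24|/0",
    "Sep 27 14:21:05 charon 10[CFG] <con4000|2272> looking for a child config for 38.96.246.84/32|/0 === 166.34.71.59|..166.34.71.63|",
    "Sep 27 14:21:06 charon 10[CFG] <con4000|2272> looking for a child config for 38.96.246.83/32|/0 === 166.34.110.128/27|/0",  # constructed
]

if __name__ == "__main__":
    for verdict, pairs in summarize(SAMPLE_LINES, P2).items():
        print(f"{verdict}:")
        for pair in pairs:
            print(f"  {pair}")
```

          Feed it the whole log.txt instead of the sample list and the "narrowed" bucket will show which accepted proposals were a host inside the /27 rather than the /27 itself; a narrower selector inside the configured subnet is still a valid match for the child config, which is consistent with the SA coming back with a /32 REMOTE ID. Anything in the two mismatch buckets is a proposal this side was never configured for and has to be fixed on the peer.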

          Erik_Launay

            Thank you very much.
            I don't understand where the .84 is coming from (we should have only .83), I'll check with the guy in charge of the firewall on the other site.
