Strange this happening
I have one site that has a number of tunnels to a number of sites. One poticular site is giving me problems though. In the errr logs I am getting this.
Oct 15 22:09:43 racoon: [Jonathan]: NOTIFY: the packet is retransmitted by 78.86.187.XXX.
Oct 15 22:09:35 racoon: INFO: delete phase 2 handler.
Oct 15 22:09:35 racoon: [Jonathan]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 78.86.187.XXX->90.152.51.XXX
Oct 15 22:09:33 last message repeated 2 times
Oct 15 22:09:13 racoon: [Jonathan]: NOTIFY: the packet is retransmitted by 78.86.187.XXX.
Oct 15 22:09:04 racoon: INFO: received Vendor ID: DPD
Oct 15 22:09:04 racoon: INFO: begin Identity Protection mode.
Oct 15 22:09:04 racoon: [Jonathan]: INFO: initiate new phase 1 negotiation: 90.152.51.XXX<=>78.86.187.XXX
Oct 15 22:09:04 racoon: [Jonathan]: INFO: IPsec-SA request for 78.86.187.XXX queued due to no phase1 found.
I am getting the same thing on both sides.
In the state table I get this
As far as I can understand each site can't see each other. It is only this link causing problems though. I am able to remote control the other site so I am very confused. I have advace about NAT on just stopping the sip PBX natting that is all. Anyone know were to start on this one?
I have done some more investigating and openVPN works but ipsec still doesn't. Both pfsense is on 1.2 and still getting the error messages above. Does anyone have any idears.
After looking into this more if I delete the Tunnels and recreate them it then works fine again.
techneck last edited by
I had exactly similar errors doing multiple VPNs between the same sites, for multiple networks.
I had found some reference to using unique "My Identifier"s for each VPN, but I got the same results you're getting.
I can't find any (useful) documentation on the "My Identifier" field.
And, I've never had much luck getting it to work with anything other than setting the "My Identifier" option to "My IP Address" and leaving the field blank.
And, yes, they do temporarily work and then fail. Deleting them and recreating them can cause them to work for a while, but then they fail again, with the "NOTIFY: the packet is retransmitted" errors you show.
Only works reliably for me for a single VPN per site <-> site.
If I need multiple networks (which I do), I aggregate subnets. 10.10.0.0/16 for all 10.10.x.x.
Even if the router is only on, say, 10.10.10.0/30 it still works as long as it has static routes for each subnet you actually want.
Creating only a one way tunnel worked for me.