Netgate Discussion Forum

    IPSec Site-to-site: tunnel drops randomly

    avmagrini

      Good morning, friends!
      I'm using pfSense 2.3.3-p1 and my Site-to-Site IPSec VPN tunnels are dropping randomly. They work well most of the time, but they disconnect out of nowhere, without any apparent cause. Log entries:

      Apr 24 11:33:09 charon 04[IKE] <con1|78>QUICK_MODE response with message ID 1729169611 processing failed
      Apr 24 11:33:09 charon 04[NET] <con1|78>sending packet: from LOCAL_IP[500] to REMOTE_IP[500] (76 bytes)
      Apr 24 11:33:09 charon 04[ENC] <con1|78>generating INFORMATIONAL_V1 request 2645727190 [ HASH N(PLD_MAL) ]
      Apr 24 11:33:09 charon 04[IKE] <con1|78>message parsing failed
      Apr 24 11:33:09 charon 04[ENC] <con1|78>could not decrypt payloads
      Apr 24 11:33:09 charon 04[ENC] <con1|78>invalid HASH_V1 payload length, decryption failed?
      Apr 24 11:33:09 charon 04[NET] <con1|78>received packet: from REMOTE_IP[500] to LOCAL_IP[500] (364 bytes)
      Apr 24 11:33:08 charon 15[IKE] <con2|77>QUICK_MODE response with message ID 3788287187 processing failed
      Apr 24 11:33:08 charon 15[NET] <con2|77>sending packet: from LOCAL_IP[500] to REMOTE_IP[500] (76 bytes)
      Apr 24 11:33:08 charon 15[ENC] <con2|77>generating INFORMATIONAL_V1 request 3938840325 [ HASH N(PLD_MAL) ]
      Apr 24 11:33:08 charon 15[IKE] <con2|77>message parsing failed
      Apr 24 11:33:08 charon 15[ENC] <con2|77>could not decrypt payloads
      Apr 24 11:33:08 charon 15[ENC] <con2|77>invalid HASH_V1 payload length, decryption failed?
      Apr 24 11:33:08 charon 15[NET] <con2|77>received packet: from REMOTE_IP[500] to LOCAL_IP[500] (364 bytes)

      When the problem happens, I simply go into the status of IPSec and reconnect the tunnels and they work normally. After reconnecting, I see the following entries in the log:

      Apr 24 11:59:41 charon 10[KNL] <con1|80>unable to query SAD entry with SPI 1a5ebbe4: No such file or directory (2)
      Apr 24 11:59:41 charon 10[KNL] <con2|79>unable to query SAD entry with SPI a15086fd: No such file or directory (2)

      Has anyone been through this and can give me a hand, please?
      Thank you!

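As an added example (not from the thread, pfSense or strongSwan), a small Python script that parses charon lines like the ones above, groups them by IKE SA and flags the QUICK_MODE decryption-failure pattern so the drop can be alerted on before someone notices the tunnel is down. The sample lines are constructed from the thread, and the line format in LINE_RE is an assumption about pfSense 2.3's charon output.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon lines in the thread (pfSense shows newest first).
SAMPLE_LOG = """\
Apr 24 11:33:09 charon 04[IKE] <con1|78> QUICK_MODE response with message ID 1729169611 processing failed
Apr 24 11:33:09 charon 04[ENC] <con1|78> generating INFORMATIONAL_V1 request 2645727190 [ HASH N(PLD_MAL) ]
Apr 24 11:33:09 charon 04[ENC] <con1|78> could not decrypt payloads
Apr 24 11:33:09 charon 04[ENC] <con1|78> invalid HASH_V1 payload length, decryption failed?
Apr 24 11:33:09 charon 04[NET] <con1|78> received packet: from REMOTE_IP[500] to LOCAL_IP[500] (364 bytes)
Apr 24 11:33:08 charon 15[ENC] <con2|77> could not decrypt payloads
Apr 24 11:59:41 charon 10[KNL] <con1|80> unable to query SAD entry with SPI 1a5ebbe4: No such file or directory (2)
"""

# Assumed line format: "<Mon DD HH:MM:SS> charon[:] <thread>[<subsys>] <conn|sa-id> <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon:? \d+\[(?P<sub>\w+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s*(?P<msg>.*)$"
)

# Message fragments that together make up the failure pattern seen in the thread.
SIGNALS = {
    "qm_fail": "QUICK_MODE response with message ID",
    "decrypt": "could not decrypt payloads",
    "hash_len": "invalid HASH_V1 payload length",
    "no_sad": "unable to query SAD entry with SPI",
}

def parse_charon(text):
    """Return one dict per line that matches strongSwan's IKEv1 charon format."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify_sas(text):
    """Group signals per IKE SA (conn|id) and label what the combination indicates."""
    seen = defaultdict(set)
    for ev in parse_charon(text):
        for name, frag in SIGNALS.items():
            if frag in ev["msg"]:
                seen[f"{ev['conn']}|{ev['sa']}"].add(name)
    verdict = {}
    for key, sigs in seen.items():
        if {"qm_fail", "decrypt"} <= sigs:
            verdict[key] = "quick-mode decrypt failure: tunnel likely down, reconnect/alert"
        elif "no_sad" in sigs:
            verdict[key] = "stale SPI after reconnect: informational"
        else:
            verdict[key] = "partial signal only"
    return verdict
```

Run `classify_sas(open("/var/log/ipsec.log").read())` from a cron job to get a per-SA verdict instead of waiting for users to report the tunnel as down.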
      Sharaz

        Next time, check to see if you have 0 bytes in one direction.

        Jonathan

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.