Only 1 IPSec VPN Tunnel Can be UP at a Time



  • Hi,

    I know my tunnels are working, as they work one at a time, but when both are enabled in pfSense, only the first one enabled works… Does this make sense?

    Thanks



  • No. Makes no sense unless the phase 2s are the same.



  • Hi,

    Yes, both tunnels' phase 2 are the same.

    I was not aware this would be an issue?



  • It routes the traffic by matching the phase 2, so if you have two that match, it doesn't know which one to use. If you have two remote sites with the same subnet, you need to BINAT, or change the subnet for one site.
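
The selector-matching rule in the reply above, as an added example that is not from the thread: a small Python check that flags phase 2 entries whose local and remote selectors overlap, and proposes a BINAT prefix for the colliding remote subnet. The LAN prefix 10.0.0.0/24, the tunnel names, the fourth "site_d" entry that duplicates site_a's selectors, and the 10.200.0.0/16 translation pool are all assumptions made for the example; the three remote /24s are the ones listed later in the thread.

```python
from ipaddress import ip_network, IPv4Address
from itertools import combinations

# Constructed sample, not from the thread's screenshots: the pfSense LAN is
# assumed to be 10.0.0.0/24, the three remote sites use the /24s listed in
# the thread, and "site_d" repeats site_a's phase 2 (the duplicate that the
# replies warn about).
TUNNELS = [
    {"name": "site_a", "local": "10.0.0.0/24", "remote": "192.168.0.0/24"},
    {"name": "site_b", "local": "10.0.0.0/24", "remote": "192.168.2.0/24"},
    {"name": "site_c", "local": "10.0.0.0/24", "remote": "192.168.50.0/24"},
    {"name": "site_d", "local": "10.0.0.0/24", "remote": "192.168.0.0/24"},
]


def selectors(tunnel):
    """(local, remote) traffic selectors of one phase 2 entry as networks."""
    return (ip_network(tunnel["local"], strict=False),
            ip_network(tunnel["remote"], strict=False))


def find_conflicts(tunnels):
    """Return [(name_a, name_b), ...] for every pair of phase 2 entries whose
    local AND remote selectors overlap.

    Outbound traffic is matched against the selectors of each phase 2; a
    packet that matches two of them can only ever be sent down one tunnel,
    which is the "only one tunnel works at a time" symptom.
    """
    conflicts = []
    for a, b in combinations(tunnels, 2):
        la, ra = selectors(a)
        lb, rb = selectors(b)
        if la.overlaps(lb) and ra.overlaps(rb):
            conflicts.append((a["name"], b["name"]))
    return conflicts


def plan_binat(tunnels, pool="10.200.0.0/16"):
    """Suggest a translated remote prefix for every phase 2 whose remote
    selector collides with an earlier one, carving consecutive prefixes of
    the same length out of `pool`.

    `pool` is an assumed range that must not overlap any real subnet; the
    returned prefix is what the local side addresses (pfSense: the phase 2
    "NAT/BINAT translation" setting), while the real remote subnet stays as
    the peer's selector. Returns {tunnel_name: translated_cidr}; tunnels
    without a collision are left alone.
    """
    pool_net = ip_network(pool)
    cursor = int(pool_net.network_address)
    seen, plan = [], {}
    for t in tunnels:
        _, remote = selectors(t)
        if any(remote.overlaps(s) for s in seen):
            size = remote.num_addresses
            cursor = (cursor + size - 1) // size * size   # keep prefix aligned
            candidate = ip_network(f"{IPv4Address(cursor)}/{remote.prefixlen}")
            if not candidate.subnet_of(pool_net):
                raise ValueError("BINAT pool exhausted")
            plan[t["name"]] = str(candidate)
            cursor += size
        seen.append(remote)
    return plan


if __name__ == "__main__":
    for a, b in find_conflicts(TUNNELS):
        print(f"conflict: {a} and {b} have overlapping phase 2 selectors")
    for name, cidr in plan_binat(TUNNELS).items():
        print(f"{name}: present remote subnet as {cidr} via BINAT")
```

Run it against your own phase 2 list; an empty result from `find_conflicts` is the state the reply is asking for, and any pair it does return is a tunnel that will only carry traffic while the other one is down.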



  • Hi,

    All sites have different IP sets:

    192.168.0.0
    192.168.2.0
    192.168.50.0

    Subnet on all is 255.255.255.0

    I get all 3 sites up for a while, come back to work and 2 out of 3 are down… I managed to get 2 out of 3 up; the 3rd one has exactly the same phase 1 and 2 as another one that is running, but I get

    ![Screen Shot 02-18-18 at 05.00 PM.JPG](/public/imported_attachments/1/Screen Shot 02-18-18 at 05.00 PM.JPG)


  • Netgate

    Then why would your P2s be the same on multiple sites if those networks are not reachable on that tunnel?



  • Say I have a working tunnel: I disconnect it, re-connect it and sometimes it no longer works… I delete the settings on the pfSense side, re-create them exactly the same and it works again, as if there was a bug somewhere.



  • @Sarven:

    Say I have a working tunnel: I disconnect it, re-connect it and sometimes it no longer works…

    Why are you doing that? It's probably causing the SA to become invalid on one side and not the other.
    Try clearing both sides before you re-connect. Creating a new connection likely just gets the two sides to agree on a new SA.



  • I understand, yet what I don't understand is why one of the tunnels stopped working on its own. I had 2 working tunnels right before I left the office; one of them stopped working and now won't reconnect :(

    ![Screen Shot 02-19-18 at 09.57 PM.JPG](/public/imported_attachments/1/Screen Shot 02-19-18 at 09.57 PM.JPG)


  • Netgate

    This is a pfSense forum. What does the pfSense side think?



  • Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating ISAKMP_DPD task
    Feb 20 00:08:12 charon 06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 3717885545 [ HASH N(DPD) ]
    Feb 20 00:08:12 charon 06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
    Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:12 charon 06[IKE] <con2000|4784> nothing to initiate
    Feb 20 00:08:12 charon 06[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
    Feb 20 00:08:12 charon 06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 2002702379 [ HASH N(DPD_ACK) ]
    Feb 20 00:08:12 charon 06[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:12 charon 06[IKE] <con2000|4784> nothing to initiate
    Feb 20 00:08:12 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
    Feb 20 00:08:12 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
    Feb 20 00:08:12 charon 06[ENC] <4795> could not decrypt payloads
    Feb 20 00:08:12 charon 06[IKE] <4795> message parsing failed
    Feb 20 00:08:12 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 1589880556 [ HASH N(PLD_MAL) ]
    Feb 20 00:08:12 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
    Feb 20 00:08:12 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
    Feb 20 00:08:20 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
    Feb 20 00:08:20 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
    Feb 20 00:08:20 charon 06[ENC] <4795> could not decrypt payloads
    Feb 20 00:08:20 charon 06[IKE] <4795> message parsing failed
    Feb 20 00:08:20 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 3774258457 [ HASH N(PLD_MAL) ]
    Feb 20 00:08:20 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
    Feb 20 00:08:20 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> sending DPD request
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> queueing ISAKMP_DPD task
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating ISAKMP_DPD task
    Feb 20 00:08:22 charon 06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 2948983483 [ HASH N(DPD) ]
    Feb 20 00:08:22 charon 06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> nothing to initiate
    Feb 20 00:08:22 charon 06[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
    Feb 20 00:08:22 charon 06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 545605263 [ HASH N(DPD_ACK) ]
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:22 charon 06[IKE] <con2000|4784> nothing to initiate
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> sending DPD request
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> queueing ISAKMP_DPD task
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating ISAKMP_DPD task
    Feb 20 00:08:32 charon 12[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 4259553075 [ HASH N(DPD) ]
    Feb 20 00:08:32 charon 12[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> nothing to initiate
    Feb 20 00:08:32 charon 12[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
    Feb 20 00:08:32 charon 12[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 3826683002 [ HASH N(DPD_ACK) ]
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> activating new tasks
    Feb 20 00:08:32 charon 12[IKE] <con2000|4784> nothing to initiate
    Feb 20 00:08:34 charon 12[JOB] <4795> deleting half open IKE_SA with 70.53.184.37 after timeout
    Feb 20 00:08:34 charon 12[IKE] <4795> IKE_SA (unnamed)[4795] state change: CONNECTING => DESTROYING
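
A way to triage a charon log like the one above, added here as an example and not something posted in the thread: group the lines by IKE_SA unique id (the number inside `<conn|id>` or `<id>`), collect the peer addresses, and give each SA a verdict. The healthy SA 4784 is the one exchanging DPD/DPD_ACK with 70.49.70.217; SA 4795 is the unnamed, half-open one whose main-mode messages from 70.53.184.37 could not be decrypted until strongSwan timed it out. The sample lines are copied from the post above (trimmed); the regexes, the verdict strings and the interpretation in them (undecryptable main-mode messages 5/6 pointing at a PSK/identifier mismatch or a peer still using a stale ISAKMP SA) are this example's own reading, not strongSwan's output.

```python
import re
from collections import defaultdict

# Lines copied from the charon log posted above (a subset, otherwise
# unmodified); the pattern and verdicts below are this example's own.
LOG = """\
Feb 20 00:08:12 charon 06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 3717885545 [ HASH N(DPD) ]
Feb 20 00:08:12 charon 06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:12 charon 06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 2002702379 [ HASH N(DPD_ACK) ]
Feb 20 00:08:12 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
Feb 20 00:08:12 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
Feb 20 00:08:12 charon 06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:12 charon 06[IKE] <4795> message parsing failed
Feb 20 00:08:12 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 1589880556 [ HASH N(PLD_MAL) ]
Feb 20 00:08:12 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:20 charon 06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:20 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:34 charon 12[JOB] <4795> deleting half open IKE_SA with 70.53.184.37 after timeout
Feb 20 00:08:34 charon 12[IKE] <4795> IKE_SA (unnamed)[4795] state change: CONNECTING => DESTROYING
"""

# "<conn|id>" once the SA has a connection name, "<id>" while it is unnamed;
# the space after ">" is optional because forum rendering tends to eat it.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon \d+\[(?P<grp>\w+)\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)>\s*(?P<msg>.*)$"
)
# The remote address in the three message shapes that carry one.
PEER = re.compile(
    r"(?:received packet: from|sending packet: from \S+ to|IKE_SA with) (?P<ip>[\d.]+)"
)


def parse(log):
    """Group log lines by IKE_SA unique id -> {conn, peers, msgs}."""
    sas = defaultdict(lambda: {"conn": None, "peers": set(), "msgs": []})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        sa = sas[m["sa"]]
        if m["conn"]:
            sa["conn"] = m["conn"]
        p = PEER.search(m["msg"])
        if p:
            sa["peers"].add(p["ip"])
        sa["msgs"].append(m["msg"])
    return dict(sas)


def diagnose(sas):
    """One verdict string per IKE_SA. Matching is on what charon literally
    logs; the parenthetical cause is this example's reading of IKEv1 main
    mode, where messages 5 and 6 are encrypted with keys derived from the
    PSK and the DH exchange, so a peer with a different PSK, or one still
    driving an old ISAKMP SA, sends ciphertext this side cannot decrypt."""
    out = {}
    for sa_id, sa in sas.items():
        msgs = sa["msgs"]
        peers = ",".join(sorted(sa["peers"])) or "?"
        undecryptable = sum("could not decrypt payloads" in m for m in msgs)
        if any("deleting half open IKE_SA" in m for m in msgs):
            out[sa_id] = (
                f"FAILED peer={peers}: half-open IKE_SA timed out after "
                f"{undecryptable} undecryptable main-mode message(s) "
                "(PSK/identifier mismatch, or peer still using a stale SA)"
            )
        elif any("N(DPD_ACK)" in m for m in msgs):
            out[sa_id] = f"UP conn={sa['conn']} peer={peers}: DPD acknowledged"
        else:
            out[sa_id] = f"UNKNOWN conn={sa['conn']} peer={peers}"
    return out


if __name__ == "__main__":
    for sa_id, verdict in sorted(diagnose(parse(LOG)).items()):
        print(f"IKE_SA {sa_id}: {verdict}")
```

Feed it the full log (`clog /var/log/ipsec.log` on pfSense, or the IPsec log page) rather than the excerpt; the useful output is which peer address the failing, still-unnamed SA belongs to, since that is the side whose configuration has to be compared with pfSense's.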


  • Netgate

    Looks like one side is failing and the other doesn't know it.

    You'll probably have to post the IKE and IPsec configurations from both sides.

    Are you trying to get two tunnels up between the same two endpoints?



  • The funny thing is the tunnel worked until it stopped working on its own… I want to get 3 tunnels to 3 different sites, all of them set up on Zyxel routers. I manage to get all 3 up, then they drop like flies, lol.

    Attached are config details:

    ![Screen Shot 02-20-18 at 11.28 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.28 AM.JPG)
    ![Screen Shot 02-20-18 at 11.29 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.29 AM.JPG)
    ![Screen Shot 02-20-18 at 11.31 AM 001.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 001.JPG)
    ![Screen Shot 02-20-18 at 11.31 AM 002.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 002.JPG)
    ![Screen Shot 02-20-18 at 11.31 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM.JPG)


  • Netgate

    That all looks OK at first glance. I would uncheck "Disable re-key" on the pfSense side.

    And please change the PSK. :)



  • I do not understand what you are doing with the identifiers on the pfSense P1.
    Normally, in that situation, I'd use DN and put in the DynDNS hostname. Not sure what you are doing with the 0.0.0.0.



  • Hi! Thanks for helping me out, I appreciate it! :)

    I did disable re-key, but no dice… Say I delete the pfSense side and re-create it exactly; it will work. Very weird.

    @Derelict:

    That all looks OK at first glance. I would uncheck "Disable re-key" on the pfSense side.

    And please change the PSK. :)



  • Hi,

    DNS or 0.0.0.0, as long as the values match on both sides, I think we're OK, if I'm not mistaken.

    @dotdash:

    I do not understand what you are doing with the identifiers on the pfSense P1.
    Normally, in that situation, I'd use DN and put in the DynDNS hostname. Not sure what you are doing with the 0.0.0.0.



  • Disabling NAT Traversal on all tunnels except for the one that had it enabled and was working fixed the issue; all 4 tunnels are working now…

    I'm confused as to why, though.



  • Any reason why the tunnels freeze and re-key every 6-7 minutes?



  • @Sarven:

    Any reason why the tunnels freeze and re-key every 6-7 minutes?

    You seem confident that it has nothing to do with using a wildcard that matches anything for your identifiers. That's all I got, so good luck.



  • Thanks, buddy



© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy