Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Only 1 IPSec VPN Tunnel Can be UP at a Time

    IPsec
    3
    21
    729
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      samyboyz last edited by

      Hi,

      I know my tunnels are working as they work one at a time, but when both are enabled in pfsense, only 1st one enabled works…does this make sense?

      Thx

      1 Reply Last reply Reply Quote 0
      • dotdash
        dotdash last edited by

        No. Makes no sense unless the phase2's are the same.

        1 Reply Last reply Reply Quote 0
        • S
          samyboyz last edited by

          Hi,

          Yes both tunnel phase 2 are the same..

          I was not aware this would be an issue?

          1 Reply Last reply Reply Quote 0
          • dotdash
            dotdash last edited by

            It routes the traffic by matching the phase2, so if you have two that match, it doesn't know which one to use. If you have two remote sites with the same subnet, you need to binat, or change the subnet for one site.

            1 Reply Last reply Reply Quote 0
            • S
              samyboyz last edited by

              Hi,

              All sites have different IP sets:

              192.168.0.0
              192.168.2.0
              192.168.50.0

              Subnet on all is 255.255.255.0

              I get all 3 sites up for a while, come back to work and 2 out of 3 are down…I managed to get 2 out of 3 up, 3rd one is exactly same phase 1 and 2 as another one running but i get

              ![Screen Shot 02-18-18 at 05.00 PM.JPG](/public/imported_attachments/1/Screen Shot 02-18-18 at 05.00 PM.JPG)
              ![Screen Shot 02-18-18 at 05.00 PM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-18-18 at 05.00 PM.JPG_thumb)

              1 Reply Last reply Reply Quote 0
              • Derelict
                Derelict LAYER 8 Netgate last edited by

                Then why would your P2s be the same on multiple sites if those networks are not reachable on that tunnel?

                Chattanooga, Tennessee, USA
                The pfSense Book is free of charge!
                DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                1 Reply Last reply Reply Quote 0
                • S
                  samyboyz last edited by

                  Say i have a working tunnel, i disconnect it, re-connect it and it no longer works sometimes…I delete the settings on the pfsense side, re-create them exactly the same and it works again, as if there was a bug somewhere..

                  1 Reply Last reply Reply Quote 0
                  • dotdash
                    dotdash last edited by

                    @Sarven:

                    Say i have a working tunnel, i disconnect it, re-connect it and it no longer works sometimes…

                    Why are you doing that? It's probably causing the SA to become invalid on one side and not the other.
                    Try clearing both sides before you re-connect. Creating a new connection likely just gets the two sides to agree on a new SA.

                    1 Reply Last reply Reply Quote 0
                    • S
                      samyboyz last edited by

                      I understand, yet what i don't understand is why one of the tunnels stopped working on its own? I had 2 working tunnels right before i left the office, one of them stopped working and now won't reconnect :(

                      ![Screen Shot 02-19-18 at 09.57 PM.JPG](/public/imported_attachments/1/Screen Shot 02-19-18 at 09.57 PM.JPG)
                      ![Screen Shot 02-19-18 at 09.57 PM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-19-18 at 09.57 PM.JPG_thumb)

                      1 Reply Last reply Reply Quote 0
                      • Derelict
                        Derelict LAYER 8 Netgate last edited by

                        This is a pfSense forum. What does the pfSense side think?

                        Chattanooga, Tennessee, USA
                        The pfSense Book is free of charge!
                        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                        1 Reply Last reply Reply Quote 0
                        • S
                          samyboyz last edited by

                          Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating ISAKMP_DPD task
                          Feb 20 00:08:12 charon 06[ENC] <con2000|4784>generating INFORMATIONAL_V1 request 3717885545 [ HASH N(DPD) ]
                          Feb 20 00:08:12 charon 06[NET] <con2000|4784>sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
                          Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:12 charon 06[IKE] <con2000|4784>nothing to initiate
                          Feb 20 00:08:12 charon 06[NET] <con2000|4784>received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
                          Feb 20 00:08:12 charon 06[ENC] <con2000|4784>parsed INFORMATIONAL_V1 request 2002702379 [ HASH N(DPD_ACK) ]
                          Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:12 charon 06[IKE] <con2000|4784>nothing to initiate
                          Feb 20 00:08:12 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
                          Feb 20 00:08:12 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
                          Feb 20 00:08:12 charon 06[ENC] <4795> could not decrypt payloads
                          Feb 20 00:08:12 charon 06[IKE] <4795> message parsing failed
                          Feb 20 00:08:12 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 1589880556 [ HASH N(PLD_MAL) ]
                          Feb 20 00:08:12 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
                          Feb 20 00:08:12 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
                          Feb 20 00:08:20 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
                          Feb 20 00:08:20 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
                          Feb 20 00:08:20 charon 06[ENC] <4795> could not decrypt payloads
                          Feb 20 00:08:20 charon 06[IKE] <4795> message parsing failed
                          Feb 20 00:08:20 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 3774258457 [ HASH N(PLD_MAL) ]
                          Feb 20 00:08:20 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
                          Feb 20 00:08:20 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>sending DPD request
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>queueing ISAKMP_DPD task
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating ISAKMP_DPD task
                          Feb 20 00:08:22 charon 06[ENC] <con2000|4784>generating INFORMATIONAL_V1 request 2948983483 [ HASH N(DPD) ]
                          Feb 20 00:08:22 charon 06[NET] <con2000|4784>sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>nothing to initiate
                          Feb 20 00:08:22 charon 06[NET] <con2000|4784>received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
                          Feb 20 00:08:22 charon 06[ENC] <con2000|4784>parsed INFORMATIONAL_V1 request 545605263 [ HASH N(DPD_ACK) ]
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:22 charon 06[IKE] <con2000|4784>nothing to initiate
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>sending DPD request
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>queueing ISAKMP_DPD task
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating ISAKMP_DPD task
                          Feb 20 00:08:32 charon 12[ENC] <con2000|4784>generating INFORMATIONAL_V1 request 4259553075 [ HASH N(DPD) ]
                          Feb 20 00:08:32 charon 12[NET] <con2000|4784>sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>nothing to initiate
                          Feb 20 00:08:32 charon 12[NET] <con2000|4784>received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
                          Feb 20 00:08:32 charon 12[ENC] <con2000|4784>parsed INFORMATIONAL_V1 request 3826683002 [ HASH N(DPD_ACK) ]
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating new tasks
                          Feb 20 00:08:32 charon 12[IKE] <con2000|4784>nothing to initiate
                          Feb 20 00:08:34 charon 12[JOB] <4795> deleting half open IKE_SA with 70.53.184.37 after timeout
                          Feb 20 00:08:34 charon 12[IKE] <4795> IKE_SA (unnamed)[4795] state change: CONNECTING => DESTROYING</con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784>

                          1 Reply Last reply Reply Quote 0
                          • Derelict
                            Derelict LAYER 8 Netgate last edited by

                            Looks like one side is failing and the other doesn't know it.

                            You'll probably have to post the IKE and IPsec configurations from both sides.

                            Are you trying to get two tunnels up between the same two endpoints?

                            Chattanooga, Tennessee, USA
                            The pfSense Book is free of charge!
                            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            1 Reply Last reply Reply Quote 0
                            • S
                              samyboyz last edited by

                              Funny thing is the tunnel worked until it stopped working on its own..i wanna get 3 tunnels to 3 different sites with all of them setup on Zyxel routers. I manage to get all 3 up, then they drop like flies lol

                              Attached are config details:

                              ![Screen Shot 02-20-18 at 11.28 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.28 AM.JPG)
                              ![Screen Shot 02-20-18 at 11.28 AM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.28 AM.JPG_thumb)
                              ![Screen Shot 02-20-18 at 11.29 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.29 AM.JPG)
                              ![Screen Shot 02-20-18 at 11.29 AM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.29 AM.JPG_thumb)
                              ![Screen Shot 02-20-18 at 11.31 AM 001.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 001.JPG)
                              ![Screen Shot 02-20-18 at 11.31 AM 001.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 001.JPG_thumb)
                              ![Screen Shot 02-20-18 at 11.31 AM 002.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 002.JPG)
                              ![Screen Shot 02-20-18 at 11.31 AM 002.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 002.JPG_thumb)
                              ![Screen Shot 02-20-18 at 11.31 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM.JPG)
                              ![Screen Shot 02-20-18 at 11.31 AM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM.JPG_thumb)

                              1 Reply Last reply Reply Quote 0
                              • Derelict
                                Derelict LAYER 8 Netgate last edited by

                                That all looks OK at first glance. I would Uncheck disable re-key on the pfSense side.

                                And please change the PSK. :)

                                Chattanooga, Tennessee, USA
                                The pfSense Book is free of charge!
                                DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                1 Reply Last reply Reply Quote 0
                                • dotdash
                                  dotdash last edited by

                                  I do not understand what you are doing with the identifiers on the pfsense p1.
                                  Normally, In that situation, I'd use DN and put in the dyndns hostname. Not sure what you are doing with the 0.0.0.0

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    samyboyz last edited by

                                    Hi! Thanks for helping me out, i appreciate it! :)

                                    I did disable re-key, but no dices..say i delete the pfsense side and re-create exactly, it will work..very weird

                                    @Derelict:

                                    That all looks OK at first glance. I would Uncheck disable re-key on the pfSense side.

                                    And please change the PSK. :)

                                    1 Reply Last reply Reply Quote 0
                                    • S
                                      samyboyz last edited by

                                      Hi,

                                      DNS or 0.0.0.0, as long as the values match on both sides, i think we ok if i'm not mistaken.

                                      @dotdash:

                                      I do not understand what you are doing with the identifiers on the pfsense p1.
                                      Normally, In that situation, I'd use DN and put in the dyndns hostname. Not sure what you are doing with the 0.0.0.0

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        samyboyz last edited by

                                        Disabling NAT Traversal on all tunnels except for the one that had it enabled and was working fixed the issue, all 4 tunnels are working now…

                                        I'm confused as to why though..

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          samyboyz last edited by

                                          Any reason why tunnels like freeze and rekey every 6-7min?

                                          1 Reply Last reply Reply Quote 0
                                          • dotdash
                                            dotdash last edited by

                                            @Sarven:

                                            Any reason why tunnels like freeze and rekey every 6-7min?

                                            You seem confident that it has nothing to do with using a wildcard that matches anything for your identifiers. That's all I got, so good luck.

                                            1 Reply Last reply Reply Quote 0
                                            • S
                                              samyboyz last edited by

                                              Thanks Buddy

                                              1 Reply Last reply Reply Quote 0
                                              • First post
                                                Last post