Only 1 IPSec VPN Tunnel Can be UP at a Time

samyboyz

Hi,

I know my tunnels are working as they work one at a time, but when both are enabled in pfsense, only 1st one enabled works…does this make sense?

Thx

dotdash

No. Makes no sense unless the phase2's are the same.

samyboyz

Hi,

Yes both tunnel phase 2 are the same..

I was not aware this would be an issue?

dotdash

It routes the traffic by matching the phase2, so if you have two that match, it doesn't know which one to use. If you have two remote sites with the same subnet, you need to binat, or change the subnet for one site.

samyboyz

Hi,

All sites have different IP sets:

192.168.0.0
192.168.2.0
192.168.50.0

Subnet on all is 255.255.255.0

I get all 3 sites up for a while, come back to work and 2 out of 3 are down…I managed to get 2 out of 3 up, 3rd one is exactly same phase 1 and 2 as another one running but i get

![Screen Shot 02-18-18 at 05.00 PM.JPG](/public/imported_attachments/1/Screen Shot 02-18-18 at 05.00 PM.JPG)
![Screen Shot 02-18-18 at 05.00 PM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-18-18 at 05.00 PM.JPG_thumb)

Derelict

Then why would your P2s be the same on multiple sites if those networks are not reachable on that tunnel?

samyboyz

Say i have a working tunnel, i disconnect it, re-connect it and it no longer works sometimes…I delete the settings on the pfsense side, re-create them exactly the same and it works again, as if there was a bug somewhere..

dotdash

@Sarven:

Say i have a working tunnel, i disconnect it, re-connect it and it no longer works sometimes…

Why are you doing that? It's probably causing the SA to become invalid on one side and not the other.
Try clearing both sides before you re-connect. Creating a new connection likely just gets the two sides to agree on a new SA.

samyboyz

I understand, yet what i don't understand is why one of the tunnels stopped working on its own? I had 2 working tunnels right before i left the office, one of them stopped working and now won't reconnect :(

![Screen Shot 02-19-18 at 09.57 PM.JPG](/public/imported_attachments/1/Screen Shot 02-19-18 at 09.57 PM.JPG)
![Screen Shot 02-19-18 at 09.57 PM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-19-18 at 09.57 PM.JPG_thumb)

Derelict

This is a pfSense forum. What does the pfSense side think?

samyboyz

Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating ISAKMP_DPD task
Feb 20 00:08:12 charon 06[ENC] <con2000|4784>generating INFORMATIONAL_V1 request 3717885545 [ HASH N(DPD) ]
Feb 20 00:08:12 charon 06[NET] <con2000|4784>sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:12 charon 06[IKE] <con2000|4784>nothing to initiate
Feb 20 00:08:12 charon 06[NET] <con2000|4784>received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
Feb 20 00:08:12 charon 06[ENC] <con2000|4784>parsed INFORMATIONAL_V1 request 2002702379 [ HASH N(DPD_ACK) ]
Feb 20 00:08:12 charon 06[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:12 charon 06[IKE] <con2000|4784>nothing to initiate
Feb 20 00:08:12 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
Feb 20 00:08:12 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
Feb 20 00:08:12 charon 06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:12 charon 06[IKE] <4795> message parsing failed
Feb 20 00:08:12 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 1589880556 [ HASH N(PLD_MAL) ]
Feb 20 00:08:12 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
Feb 20 00:08:12 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:20 charon 06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
Feb 20 00:08:20 charon 06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
Feb 20 00:08:20 charon 06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:20 charon 06[IKE] <4795> message parsing failed
Feb 20 00:08:20 charon 06[ENC] <4795> generating INFORMATIONAL_V1 request 3774258457 [ HASH N(PLD_MAL) ]
Feb 20 00:08:20 charon 06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
Feb 20 00:08:20 charon 06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>sending DPD request
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>queueing ISAKMP_DPD task
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating ISAKMP_DPD task
Feb 20 00:08:22 charon 06[ENC] <con2000|4784>generating INFORMATIONAL_V1 request 2948983483 [ HASH N(DPD) ]
Feb 20 00:08:22 charon 06[NET] <con2000|4784>sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>nothing to initiate
Feb 20 00:08:22 charon 06[NET] <con2000|4784>received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
Feb 20 00:08:22 charon 06[ENC] <con2000|4784>parsed INFORMATIONAL_V1 request 545605263 [ HASH N(DPD_ACK) ]
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:22 charon 06[IKE] <con2000|4784>nothing to initiate
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>sending DPD request
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>queueing ISAKMP_DPD task
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating ISAKMP_DPD task
Feb 20 00:08:32 charon 12[ENC] <con2000|4784>generating INFORMATIONAL_V1 request 4259553075 [ HASH N(DPD) ]
Feb 20 00:08:32 charon 12[NET] <con2000|4784>sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>nothing to initiate
Feb 20 00:08:32 charon 12[NET] <con2000|4784>received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
Feb 20 00:08:32 charon 12[ENC] <con2000|4784>parsed INFORMATIONAL_V1 request 3826683002 [ HASH N(DPD_ACK) ]
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>activating new tasks
Feb 20 00:08:32 charon 12[IKE] <con2000|4784>nothing to initiate
Feb 20 00:08:34 charon 12[JOB] <4795> deleting half open IKE_SA with 70.53.184.37 after timeout
Feb 20 00:08:34 charon 12[IKE] <4795> IKE_SA (unnamed)[4795] state change: CONNECTING => DESTROYING</con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784></con2000|4784>

Derelict

Looks like one side is failing and the other doesn't know it.

You'll probably have to post the IKE and IPsec configurations from both sides.

Are you trying to get two tunnels up between the same two endpoints?

samyboyz

Funny thing is the tunnel worked until it stopped working on its own..i wanna get 3 tunnels to 3 different sites with all of them setup on Zyxel routers. I manage to get all 3 up, then they drop like flies lol

Attached are config details:

![Screen Shot 02-20-18 at 11.28 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.28 AM.JPG)
![Screen Shot 02-20-18 at 11.28 AM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.28 AM.JPG_thumb)
![Screen Shot 02-20-18 at 11.29 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.29 AM.JPG)
![Screen Shot 02-20-18 at 11.29 AM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.29 AM.JPG_thumb)
![Screen Shot 02-20-18 at 11.31 AM 001.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 001.JPG)
![Screen Shot 02-20-18 at 11.31 AM 001.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 001.JPG_thumb)
![Screen Shot 02-20-18 at 11.31 AM 002.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 002.JPG)
![Screen Shot 02-20-18 at 11.31 AM 002.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM 002.JPG_thumb)
![Screen Shot 02-20-18 at 11.31 AM.JPG](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM.JPG)
![Screen Shot 02-20-18 at 11.31 AM.JPG_thumb](/public/imported_attachments/1/Screen Shot 02-20-18 at 11.31 AM.JPG_thumb)

Derelict

That all looks OK at first glance. I would Uncheck disable re-key on the pfSense side.

And please change the PSK. :)

dotdash

I do not understand what you are doing with the identifiers on the pfsense p1.
Normally, In that situation, I'd use DN and put in the dyndns hostname. Not sure what you are doing with the 0.0.0.0

samyboyz

Hi! Thanks for helping me out, i appreciate it! :)

I did disable re-key, but no dices..say i delete the pfsense side and re-create exactly, it will work..very weird

@Derelict:

That all looks OK at first glance. I would Uncheck disable re-key on the pfSense side.

And please change the PSK. :)

samyboyz

Hi,

DNS or 0.0.0.0, as long as the values match on both sides, i think we ok if i'm not mistaken.

@dotdash:

I do not understand what you are doing with the identifiers on the pfsense p1.
Normally, In that situation, I'd use DN and put in the dyndns hostname. Not sure what you are doing with the 0.0.0.0

samyboyz

Disabling NAT Traversal on all tunnels except for the one that had it enabled and was working fixed the issue, all 4 tunnels are working now…

I'm confused as to why though..

samyboyz

Any reason why tunnels like freeze and rekey every 6-7min?

dotdash

@Sarven:

Any reason why tunnels like freeze and rekey every 6-7min?

You seem confident that it has nothing to do with using a wildcard that matches anything for your identifiers. That's all I got, so good luck.