IPSEC fails after Restore to new Hardware



  • Hello everyone,

    I am testing disaster recovery processes, and one is to confirm the ability to replace a dead router.

    After taking a fresh backup, I installed the same pfSense version (2.3.3) to new hardware and then did a restore.
    Internet is up, firewalls & port forwards all work but . . . IPSEC refuses to connect to the other branch.

    If I swap back to the original router the tunnels come up and traffic passes as expected.
    Back to the new router, and I even tried deleting the IPSEC details and recreating from scratch.
    Also, I remotely rebooted the router at the other end, but still no go.

    It is almost as if its peer (another pfSense router) knows something is different???

    IPSEC is Static IP4 to Static IP4 using Mutual PSK
    P1: Encryption is AES128-GCM, SHA1, DH Group 2, Dead Peer Detection Enabled
    P2: Protocol ESP, Encryption AES128-GCM, SHA1

    System Log –> IPSEC Shows:

    Mar 6 14:19:31 charon 16[IKE] <con2|1> retransmit 1 of request with message ID 0
    Mar 6 14:19:31 charon 16[NET] <con2|1> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
    Mar 6 14:19:33 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
    Mar 6 14:19:39 charon 16[IKE] <con2|1> retransmit 2 of request with message ID 0
    Mar 6 14:19:39 charon 16[NET] <con2|1> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
    Mar 6 14:19:48 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
    Mar 6 14:19:48 charon 05[CFG] ignoring acquire, connection attempt pending
    Mar 6 14:19:52 charon 05[IKE] <con2|1> retransmit 3 of request with message ID 0
    Mar 6 14:19:52 charon 05[NET] <con2|1> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
    Mar 6 14:19:56 charon 05[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
    Mar 6 14:19:56 charon 16[CFG] ignoring acquire, connection attempt pending
    Mar 6 14:20:15 charon 16[IKE] <con2|1> retransmit 4 of request with message ID 0
    Mar 6 14:20:15 charon 16[NET] <con2|1> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
    Mar 6 14:20:17 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
    Mar 6 14:20:17 charon 14[CFG] ignoring acquire, connection attempt pending
    Mar 6 14:20:38 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
    Mar 6 14:20:38 charon 13[CFG] ignoring acquire, connection attempt pending
    Mar 6 14:20:57 charon 09[IKE] <con2|1> retransmit 5 of request with message ID 0
    Mar 6 14:20:57 charon 09[NET] <con2|1> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
    Mar 6 14:20:58 charon 09[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
    Mar 6 14:20:58 charon 12[CFG] ignoring acquire, connection attempt pending
    Mar 6 14:21:00 charon 12[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
    Mar 6 14:21:00 charon 09[CFG] ignoring acquire, connection attempt pending

    Thank you in advance for any help



  • I have logged into the router at the other end, and it has almost the same messages (over & over) in the IPSEC log:

    Mar 6 16:30:12 charon 05[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:12 charon 05[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:12 charon 06[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:12 charon 06[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:14 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:14 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:14 charon 13[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:14 charon 13[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:17 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:17 charon 06[KNL] creating acquire job for policy 223.252.22.77/32|/0 === 203.49.236.246/32|/0 with reqid {3}
    Mar 6 16:30:17 charon 05[CFG] ignoring acquire, connection attempt pending
    Mar 6 16:30:17 charon 05[CFG] ignoring acquire, connection attempt pending

    Maybe I need to change the level of logging?
    Or need to look at a different log?

    Also in the IPSEC Status screen I can see the connection trying twice in parallel (see attached image)
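As an added example (not from the posts, and not pfSense or strongSwan code), a small Python script that parses charon log lines of the shape shown in both posts, tallies IKE retransmits against replies actually received, and reports what the pattern indicates. The sample lines are constructed to match the format in the thread; the `received packet:` line in the healthy sample uses strongSwan's wording for an incoming IKE message. The diagnosis text is a heuristic of my own, not strongSwan output, and the `/var/log/ipsec.log` path in the usage note is an assumption about where pfSense 2.3 writes the IPsec log.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample in the shape of the poster's log: the initiator retransmits the
# first IKE request (message ID 0) and never logs a "received packet" line.
SAMPLE_NO_REPLY = """\
Mar 6 14:19:31 charon 16[IKE] <con2|1> retransmit 1 of request with message ID 0
Mar 6 14:19:31 charon 16[NET] <con2|1> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
Mar 6 14:19:33 charon 16[KNL] creating acquire job for policy 203.49.236.246/32|/0 === 223.252.22.77/32|/0 with reqid {3}
Mar 6 14:19:39 charon 16[IKE] <con2|1> retransmit 2 of request with message ID 0
Mar 6 14:19:39 charon 16[NET] <con2|1> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
Mar 6 14:19:48 charon 05[CFG] ignoring acquire, connection attempt pending
"""

# Constructed healthy counterpart: the peer answers the first request.
SAMPLE_REPLY = """\
Mar 6 14:30:01 charon 16[NET] <con2|2> sending packet: from 203.49.236.246[500] to 223.252.22.77[500] (328 bytes)
Mar 6 14:30:01 charon 16[NET] <con2|2> received packet: from 223.252.22.77[500] to 203.49.236.246[500] (440 bytes)
"""

# "Mar 6 14:19:31 charon 16[IKE] <con2|1> message" ; the <conN|M> IKE SA tag is optional
# and some log exports glue it to the message with no space, so the space is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]+)>\s?)?(?P<msg>.*)$"
)
RETRANSMIT_RE = re.compile(r"retransmit (?P<n>\d+) of request with message ID (?P<mid>\d+)")
SEND_RE = re.compile(r"sending packet: from [\d.]+\[\d+\] to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")
RECV_RE = re.compile(r"received packet: from (?P<src>[\d.]+)\[\d+\] to [\d.]+\[\d+\]")


@dataclass
class IkeStats:
    max_retransmit: dict = field(default_factory=dict)  # IKE SA tag -> highest retransmit seen
    sent: int = 0
    received: int = 0
    acquires: int = 0
    ignored_acquires: int = 0
    peers: set = field(default_factory=set)


def analyze(log_text: str) -> IkeStats:
    """Walk charon log lines and count the events that matter for a stalled IKE exchange."""
    s = IkeStats()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a charon line (or a format this parser does not know)
        sa, msg = m.group("sa"), m.group("msg")
        if r := RETRANSMIT_RE.search(msg):
            n = int(r.group("n"))
            s.max_retransmit[sa] = max(s.max_retransmit.get(sa, 0), n)
        elif p := SEND_RE.search(msg):
            s.sent += 1
            s.peers.add(p.group("dst"))
        elif RECV_RE.search(msg):
            s.received += 1
        elif msg.startswith("creating acquire job"):
            s.acquires += 1  # kernel asks for an SA because traffic matched the policy
        elif msg.startswith("ignoring acquire"):
            s.ignored_acquires += 1  # charon already has an attempt in flight for that policy
    return s


def diagnose(s: IkeStats) -> list:
    """Heuristic reading of the counters; the wording is this script's, not strongSwan's."""
    findings = []
    if s.max_retransmit and s.received == 0:
        worst = max(s.max_retransmit.values())
        peers = ", ".join(sorted(s.peers)) or "the peer"
        findings.append(
            f"no reply: {worst} retransmit(s) of the initial IKE request to {peers} and no "
            f"'received packet' line; capture udp/500 and udp/4500 on both WAN interfaces to "
            f"see whether the request arrives and whether the peer answers at all"
        )
    if s.ignored_acquires and s.received == 0:
        findings.append(
            f"{s.ignored_acquires} 'ignoring acquire' line(s): the kernel keeps requesting an SA "
            f"while one negotiation is pending; this is a symptom of the stall, not its cause"
        )
    return findings


if __name__ == "__main__":
    # Assumed pfSense 2.3 log path; pass another file on the command line to override.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/ipsec.log"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for finding in diagnose(analyze(fh.read())) or ["no stalled IKE exchange detected"]:
            print(finding)
```

The point of the script is the check it steers towards: with five retransmits of message ID 0 and no `received packet` line on the initiating side, the log alone cannot say whether the 328-byte request is leaving the new box, reaching the peer, or being answered and the answer lost, and a packet capture on both WANs (pfSense's Diagnostics > Packet Capture, filter on UDP ports 500 and 4500) separates those three cases in one step.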