4. IPSec Tunnel down all of a sudden with no changes. Can access both ends.

IPSec Tunnel down all of a sudden with no changes. Can access both ends.

  • J

    So with no changes to my IPSec tunnel config (hasn't changed since I set it up months ago), it is showing as down today. My IPSec logs are showing the following:

    Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_SA con1[12] state change: CONNECTING => DESTROYING
Aug 9 10:12:29	charon		09[CHD] <con1|12> CHILD_SA con1{9} state change: CREATED => DESTROYING
Aug 9 10:12:29	charon		09[IKE] <con1|12> received AUTHENTICATION_FAILED notify error
Aug 9 10:12:29	charon		09[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 9 10:12:29	charon		09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] toSITE1_WAN_IP[500] (65 bytes)
Aug 9 10:12:29	charon		09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (309 bytes)
Aug 9 10:12:29	charon		09[ENC] <con1|12> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 9 10:12:29	charon		09[IKE] <con1|12> establishing CHILD_SA con1{9} reqid 2
Aug 9 10:12:29	charon		09[CFG] <con1|12> configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ
Aug 9 10:12:29	charon		09[CFG] <con1|12> 192.168.2.0/24|/0
Aug 9 10:12:29	charon		09[CFG] <con1|12> proposing traffic selectors for other:
Aug 9 10:12:29	charon		09[CFG] <con1|12> 10.0.10.0/24|/0
Aug 9 10:12:29	charon		09[CFG] <con1|12> proposing traffic selectors for us:
Aug 9 10:12:29	charon		09[IKE] <con1|12> successfully created shared key MAC
Aug 9 10:12:29	charon		09[IKE] <con1|12> authentication of 'SITE1_WAN_IP' (myself) with pre-shared key
Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_AUTH task
Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_CERT_PRE task
Aug 9 10:12:29	charon		09[IKE] <con1|12> reinitiating already active tasks
Aug 9 10:12:29	charon		09[CFG] <con1|12> received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 9 10:12:29	charon		09[CFG] <con1|12> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:29	charon		09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:29	charon		09[CFG] <con1|12> received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:29	charon		09[CFG] <con1|12> proposal matches
Aug 9 10:12:29	charon		09[CFG] <con1|12> selecting proposal:
Aug 9 10:12:29	charon		09[IKE] <con1|12> received SIGNATURE_HASH_ALGORITHMS notify
Aug 9 10:12:29	charon		09[IKE] <con1|12> received FRAGMENTATION_SUPPORTED notify
Aug 9 10:12:29	charon		09[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 9 10:12:29	charon		09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] to SITE1_WAN_IP[500] (456 bytes)
Aug 9 10:12:28	charon		09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (456 bytes)
Aug 9 10:12:28	charon		09[ENC] <con1|12> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 9 10:12:28	charon		09[CFG] <con1|12> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 9 10:12:28	charon		09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:28	charon		09[IKE] <con1|12> IKE_SA con1[12] state change: CREATED => CONNECTING
Aug 9 10:12:28	charon		09[IKE] <con1|12> initiating IKE_SA con1[12] to SITE2_WAN_IP
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_AUTH_LIFETIME task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating CHILD_CREATE task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CONFIG task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CERT_POST task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_AUTH task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CERT_PRE task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_NATD task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_INIT task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_VENDOR task
Aug 9 10:12:28	charon		09[IKE] <con1|12> activating new tasks
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing CHILD_CREATE task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_AUTH_LIFETIME task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CONFIG task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CERT_POST task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_AUTH task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CERT_PRE task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_NATD task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_INIT task
Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_VENDOR task
Aug 9 10:12:28	charon		09[KNL] creating acquire job for policy SITE1_WAN_IP/32|/0 === SITE2_WAN_IP/32|/0 with reqid {2}

    WAN is up on both ends, I can access via Teamviewer. Not sure where to start here since nothing has changed.

    0
  • J

    So turns out that the SITE1 IP address changed last night. Even though I'm using Dynamic DNS on both ends and both ends recognized the change, the tunnel would not reconnect until a reboot which has now fixed the issue. Weird one.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy