Netgate Discussion Forum
    IPSec Tunnel down all of a sudden with no changes. Can access both ends.

    IPsec
    2 Posts 1 Posters 302 Views
    JimPhreak
      last edited by JimPhreak

      So with no changes to my IPSec tunnel config (hasn't changed since I set it up months ago), it is showing as down today. My IPSec logs are showing the following:

      Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_SA con1[12] state change: CONNECTING => DESTROYING
      Aug 9 10:12:29	charon		09[CHD] <con1|12> CHILD_SA con1{9} state change: CREATED => DESTROYING
      Aug 9 10:12:29	charon		09[IKE] <con1|12> received AUTHENTICATION_FAILED notify error
      Aug 9 10:12:29	charon		09[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
      Aug 9 10:12:29	charon		09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] toSITE1_WAN_IP[500] (65 bytes)
      Aug 9 10:12:29	charon		09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (309 bytes)
      Aug 9 10:12:29	charon		09[ENC] <con1|12> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      Aug 9 10:12:29	charon		09[IKE] <con1|12> establishing CHILD_SA con1{9} reqid 2
      Aug 9 10:12:29	charon		09[CFG] <con1|12> configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ
      Aug 9 10:12:29	charon		09[CFG] <con1|12> 192.168.2.0/24|/0
      Aug 9 10:12:29	charon		09[CFG] <con1|12> proposing traffic selectors for other:
      Aug 9 10:12:29	charon		09[CFG] <con1|12> 10.0.10.0/24|/0
      Aug 9 10:12:29	charon		09[CFG] <con1|12> proposing traffic selectors for us:
      Aug 9 10:12:29	charon		09[IKE] <con1|12> successfully created shared key MAC
      Aug 9 10:12:29	charon		09[IKE] <con1|12> authentication of 'SITE1_WAN_IP' (myself) with pre-shared key
      Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_AUTH task
      Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_CERT_PRE task
      Aug 9 10:12:29	charon		09[IKE] <con1|12> reinitiating already active tasks
      Aug 9 10:12:29	charon		09[CFG] <con1|12> received supported signature hash algorithms: sha256 sha384 sha512 identity
      Aug 9 10:12:29	charon		09[CFG] <con1|12> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
      Aug 9 10:12:29	charon		09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
      Aug 9 10:12:29	charon		09[CFG] <con1|12> received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
      Aug 9 10:12:29	charon		09[CFG] <con1|12> proposal matches
      Aug 9 10:12:29	charon		09[CFG] <con1|12> selecting proposal:
      Aug 9 10:12:29	charon		09[IKE] <con1|12> received SIGNATURE_HASH_ALGORITHMS notify
      Aug 9 10:12:29	charon		09[IKE] <con1|12> received FRAGMENTATION_SUPPORTED notify
      Aug 9 10:12:29	charon		09[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
      Aug 9 10:12:29	charon		09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] to SITE1_WAN_IP[500] (456 bytes)
      Aug 9 10:12:28	charon		09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (456 bytes)
      Aug 9 10:12:28	charon		09[ENC] <con1|12> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Aug 9 10:12:28	charon		09[CFG] <con1|12> sending supported signature hash algorithms: sha256 sha384 sha512 identity
      Aug 9 10:12:28	charon		09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
      Aug 9 10:12:28	charon		09[IKE] <con1|12> IKE_SA con1[12] state change: CREATED => CONNECTING
      Aug 9 10:12:28	charon		09[IKE] <con1|12> initiating IKE_SA con1[12] to SITE2_WAN_IP
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_AUTH_LIFETIME task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating CHILD_CREATE task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CONFIG task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CERT_POST task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_AUTH task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CERT_PRE task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_NATD task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_INIT task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_VENDOR task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> activating new tasks
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing CHILD_CREATE task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_AUTH_LIFETIME task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CONFIG task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CERT_POST task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_AUTH task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CERT_PRE task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_NATD task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_INIT task
      Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_VENDOR task
      Aug 9 10:12:28	charon		09[KNL] creating acquire job for policy SITE1_WAN_IP/32|/0 === SITE2_WAN_IP/32|/0 with reqid {2}
      

      WAN is up on both ends, I can access via Teamviewer. Not sure where to start here since nothing has changed.

      JimPhreak
        last edited by

        So turns out that the SITE1 IP address changed last night. Even though I'm using Dynamic DNS on both ends and both ends recognized the change, the tunnel would not reconnect until a reboot which has now fixed the issue. Weird one.

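A small triage script for charon logs of this shape, added here as an example and not code from the thread or from pfSense: it groups the lines by IKE_SA tag, records how far the IKEv2 handshake got, which local identity and authentication method were used, and the notify that ended it. The sample lines are constructed from the log quoted above; the hint text is generic IKEv2 reasoning (a peer answers IKE_AUTH with AUTH_FAILED when the PSK or the identifier pair does not match), not a finding stated in the thread.

```python
import re

# Constructed sample, oldest first, built from the charon lines quoted in the thread.
SAMPLE_LOG = """\
Aug 9 10:12:28\tcharon\t\t09[IKE] <con1|12> initiating IKE_SA con1[12] to SITE2_WAN_IP
Aug 9 10:12:29\tcharon\t\t09[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 9 10:12:29\tcharon\t\t09[IKE] <con1|12> authentication of 'SITE1_WAN_IP' (myself) with pre-shared key
Aug 9 10:12:29\tcharon\t\t09[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 9 10:12:29\tcharon\t\t09[IKE] <con1|12> received AUTHENTICATION_FAILED notify error
Aug 9 10:12:29\tcharon\t\t09[IKE] <con1|12> IKE_SA con1[12] state change: CONNECTING => DESTROYING
"""

# "<date> charon NN[SUBSYS] <conn|id> message"; lines without an SA tag (e.g. KNL) are skipped.
LINE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+charon\s+\d+\[(\w+)\] <([^>]+)> (.*)$")

def parse_charon(text):
    """Group charon messages by IKE_SA tag (e.g. 'con1|12'); works in either log order."""
    sas = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            sas.setdefault(m.group(2), []).append(m.group(3))
    return sas

def triage(text):
    """Per IKE_SA: how far the IKEv2 exchange got and what stopped it."""
    report = {}
    for sa, msgs in parse_charon(text).items():
        r = {"peer": None, "init_ok": False, "local_id": None, "auth": None,
             "failure": None, "final_state": None, "hint": None}
        for msg in msgs:
            if m := re.match(r"initiating IKE_SA \S+ to (\S+)", msg):
                r["peer"] = m.group(1)
            elif msg.startswith("parsed IKE_SA_INIT response"):
                r["init_ok"] = True  # proposals and DH group were accepted by the peer
            elif m := re.match(r"authentication of '([^']+)' \(myself\) with (.+)", msg):
                r["local_id"], r["auth"] = m.group(1), m.group(2)
            elif m := re.match(r"parsed IKE_AUTH response \d+ \[(.*)\]", msg):
                if "N(AUTH_FAILED)" in m.group(1):
                    r["failure"] = "IKE_AUTH rejected by peer (AUTH_FAILED)"
            elif m := re.match(r"IKE_SA \S+ state change: \S+ => (\S+)", msg):
                r["final_state"] = m.group(1)
        if r["init_ok"] and r["failure"] and r["auth"] == "pre-shared key":
            # Generic IKEv2 reasoning (assumption, not a thread finding): with IKE_SA_INIT
            # done, AUTH_FAILED means the peer rejected the PSK or the identifier pair;
            # an address-based local ID goes stale when the WAN address changes.
            r["hint"] = ("peer rejected PSK auth for local ID %r; verify the PSK and that "
                         "the peer's expected remote identifier matches this ID" % r["local_id"])
        report[sa] = r
    return report
```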