A pile of "Connecting" Phase 1s - not matched correctly?



  • Hi,

    I set up a dual redundancy site-to-site connection between two AWS-hosted pfSense instances and Azure, like this: https://blogs.technet.microsoft.com/rspitz/2018/02/19/just-enough-bgp-to-get-your-azure-dual-redundancy-active-active-vpn-gateways-up-and-running/

    Actually, I had done this a while ago (2.4.4-2) semi-successfully. The VPNs work fine, but ECMP not - I want to have the installation ready, when 2.5.0 is released and (hopefully) fixes it.
    Now, I tried the (almost) the same again, and get a real dealbreaker: On one of the pfSenses, phase 1 entries pile up as "connecting". Therefore, the status view is very slow and I don't have any confidence in the (seemingly working) VPN. Of course, I double and triple-checked all the crypto settings, they are consistent.

    Differences to the earlier setup: BGP instead of OSPF between the pfSenses, AES-GCM128 instead of AES256. I will try to rule that out, but to me it does not seem related.

    Thanks!



  • It appears solved now: I disabled mobile support, deleted the mobile IPsec phase 1 and recreated the client VPN. Had this suspicion because the phase 1 entries showed up as "any" for their remote identity.

    I guess the problem is, that I defined the network of the mobile phase 2 as 0.0.0.0/0 because I want to route all client traffic through the VPN. And I use VTI for S2S, which creates generig 0.0.0.0/0 phase 2 entries.


Log in to reply