Netgate Discussion Forum
    Bug? - Different PSK per tunnel results in other IPSec tunnels to become unavailable.

    9 Posts 2 Posters 849 Views
billsecond:

      I have 6 or 7 IPSec VPN Tunnels to different sites, all of them share the same PSK (don't ask me why). If I add another tunnel using a different PSK, restart IPSec, then all of the other connections fail. The log says something about possible preshared key mismatch for those in question. So I changed the PSK on my new tunnel and then BAM! they all start connecting again.

      Is this a bug? Am I doing something wrong? Is there a work around if this is a bug?

      Please assist!

jimp (Rebel Alliance Developer, Netgate):

        Does the new tunnel share a remote peer address or remote identifier with any of the others? Usually something like that happens because strongSwan can't match up the remote ID+PSK combination properly. If there is an overlap, that would explain the confusion.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

billsecond (replying to @jimp):

@jimp Nothing is shared. It's all very unique, everything.

jimp (Rebel Alliance Developer, Netgate):

Check the logs and compare against what pfSense has in /var/etc/ipsec/ipsec.secrets -- that would be how it looks up the PSKs.

billsecond (replying to @jimp):

@jimp said in "Bug? - Different PSK per tunnel results in other IPSec tunnels to become unavailable":

                /var/etc/ipsec/ipsec.secrets

                Not sure what I am looking at here, but it seems like it should all be OK right?

(attached screenshot of the ipsec.secrets contents)

jimp (Rebel Alliance Developer, Netgate):

                  You should have one entry in there for each tunnel. Why are there so many with 0.0.0.0?

billsecond (replying to @jimp):

                    @jimp I do have 4 of them that are using distinguished names of 0.0.0.0 for both sides.

jimp (Rebel Alliance Developer, Netgate):

                      No wonder it's broken. Every tunnel should be using a unique set of identifiers. Otherwise nothing can be distinguished from each other.

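The two points jimp makes above (the PSK is looked up from /var/etc/ipsec/ipsec.secrets, and several tunnels that all use 0.0.0.0 as their identifiers cannot be told apart) can be turned into a quick lint of that file. The script below is an added example written for this thread; it is not pfSense or strongSwan code and does not reproduce strongSwan's exact matching rules. It assumes the common ipsec.secrets layout of selector identifiers followed by ": PSK" and the secret, and the sample file content is constructed to mirror the situation in the thread (several 0.0.0.0 entries, one of them with a different key). It reports selector sets that appear more than once with different secrets, and entries whose selectors are all wildcards, which is exactly the condition that leaves the daemon unable to pick the right key.

```python
import re
from collections import defaultdict

# Constructed sample in the layout pfSense writes for strongSwan's ipsec.secrets
# (not the contents of the thread's screenshot): one line per tunnel, the
# local/remote identifiers as selectors, then ": PSK" and the secret.
SAMPLE_SECRETS = """\
# constructed example, not real secrets
203.0.113.10 198.51.100.20 : PSK "shared-key-a"
203.0.113.10 198.51.100.30 : PSK "shared-key-a"
0.0.0.0 0.0.0.0 : PSK "shared-key-a"
0.0.0.0 0.0.0.0 : PSK "shared-key-a"
0.0.0.0 0.0.0.0 : PSK "brand-new-key"
203.0.113.10 192.0.2.40 : PSK 0x7365637265742d6279746573
"""

# selectors (any whitespace-separated identifiers), then ": PSK", then a quoted
# string, a 0x hex blob, or a bare token as the secret
LINE_RE = re.compile(
    r'^(?P<sel>.*?)\s*:\s*PSK\s+(?P<secret>"[^"]*"|0x[0-9A-Fa-f]+|\S+)\s*$'
)

# identifiers that match "anything" and therefore cannot distinguish tunnels
WILDCARDS = {"0.0.0.0", "%any", "::", "%any6"}


def parse_secrets(text):
    """Return (selectors, secret, line_no) tuples for every PSK line.

    Comments and blank lines are skipped; non-PSK entries (RSA, EAP, ...)
    are ignored because they are out of scope for this check.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        selectors = tuple(m.group("sel").split())
        entries.append((selectors, m.group("secret"), line_no))
    return entries


def find_ambiguous(entries):
    """Group entries by selector tuple and report the ones a lookup cannot resolve.

    Returns a list of (kind, selectors, line_numbers) where kind is
    'conflicting_psk' (same selectors, more than one distinct secret) or
    'wildcard_selector' (no selectors, or only wildcard identifiers).
    """
    by_selectors = defaultdict(list)
    for selectors, secret, line_no in entries:
        by_selectors[selectors].append((secret, line_no))

    problems = []
    for selectors, items in by_selectors.items():
        distinct_secrets = {secret for secret, _ in items}
        lines = [line_no for _, line_no in items]
        if len(items) > 1 and len(distinct_secrets) > 1:
            problems.append(("conflicting_psk", selectors, lines))
        if not selectors or all(s in WILDCARDS for s in selectors):
            problems.append(("wildcard_selector", selectors, lines))
    return problems


if __name__ == "__main__":
    # On a real box you would read /var/etc/ipsec/ipsec.secrets instead of
    # the constructed sample; the report format is the same.
    for kind, selectors, lines in find_ambiguous(parse_secrets(SAMPLE_SECRETS)):
        print(f"{kind}: selectors={' '.join(selectors) or '<none>'} lines={lines}")
```

Run against the sample, the report flags lines 4 to 6 twice: once because three entries with the identical selector pair 0.0.0.0 0.0.0.0 carry two different secrets, and once because those selectors are pure wildcards. That is the shape of the problem in the thread: as long as every 0.0.0.0 tunnel used the same key the ambiguity was invisible, and the first entry with a different key exposed it.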
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.