Netgate Discussion Forum
    Second IPSec VTI falls

      max-netstat

      Hi!
      I'm new to pfSense.
      Please help me solve the problem:

      I have a pfSense 23.05.1-RELEASE server configured in AWS.

      I have a gray address in AWS, but I access the world through Elastic IP.

      I'm setting up 2 IPSec VTI tunnels with our client.
      The tunnel that went up first works without problems.
      The second tunnel falls every 30 seconds.
      The tunnels are configured in the same way, and if I enable the “second” tunnel first, the first one will have the same problem.
      Using TCPDUMP I see that in the first tunnel the source and destination ports are 4500,
      in the second tunnel the source port is variable.

      I see in the logs:

      05[IKE] <con3|623> sending keep alive to <IP-PEER2>[4500]
      13[IKE] <con3|619> giving up after 5 retransmits
      13[IKE] <con3|619> establishing IKE_SA failed, peer not responding
      13[IKE] <con3|619> IKE_SA con3[619] state change: CONNECTING => DESTROYING
      13[CHD] <con3|619> CHILD_SA con3{239} state change: CREATED => DESTROYING

      P.S. Sorry for my English - it's not my native language

        max-netstat

        I solved the problem.
        The problem was the duplicate session.
        I solved it with the help of: https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-duplicate-sa.html
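
Added example (not part of the original posts and not Netgate's code): a small parser for log lines in the format posted above. It flags connections where one IKE_SA id is sending keepalives while a different id for the same connection fails to establish, which is the pattern visible in the posted log. The function names and the heuristic itself are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the five lines from the post, peer address kept as the post's placeholder.
SAMPLE_LOG = """\
05[IKE] <con3|623> sending keep alive to <IP-PEER2>[4500]
13[IKE] <con3|619> giving up after 5 retransmits
13[IKE] <con3|619> establishing IKE_SA failed, peer not responding
13[IKE] <con3|619> IKE_SA con3[619] state change: CONNECTING => DESTROYING
13[CHD] <con3|619> CHILD_SA con3{239} state change: CREATED => DESTROYING
"""

# thread id, subsystem, <connection name|IKE_SA id>, message.
# search() is used so any prefix before the thread id is ignored.
LINE_RE = re.compile(r"(\d+)\[(\w+)\]\s+<([^|>]+)\|(\d+)>\s+(.*)$")

def parse(log_text):
    """Yield (connection, sa_id, subsystem, message) for each line in the posted format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(3), int(m.group(4)), m.group(2), m.group(5)

def summarize(log_text):
    """Per connection: SA ids that send keepalives and SA ids that failed to establish."""
    conns = defaultdict(lambda: {"alive": set(), "failed": set()})
    for conn, sa_id, _subsys, msg in parse(log_text):
        if msg.startswith("sending keep alive"):
            conns[conn]["alive"].add(sa_id)
        elif "establishing IKE_SA failed" in msg or msg.startswith("giving up after"):
            conns[conn]["failed"].add(sa_id)
    return dict(conns)

def overlapping_attempts(log_text):
    """Heuristic (assumption): one SA id alive while a different id for the same connection failed."""
    return sorted(
        conn for conn, s in summarize(log_text).items()
        if s["alive"] and (s["failed"] - s["alive"])
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for conn in overlapping_attempts(SAMPLE_LOG):
        s = summary[conn]
        print(f"{conn}: keepalive on SA {sorted(s['alive'])}, failed SA {sorted(s['failed'])}")
```

A hit from this check is only a prompt to compare the SA list for that connection against the linked duplicate-SA troubleshooting page; it does not by itself prove duplicate SAs.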

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.