Is there a subnet limitation on different IPSec tunnels?
-
I have 7 IPSec tunnels configured on pfSense and they all work fine. However, when I add another new tunnel, the one connection starts disconnecting and can't connect anymore. The only entry in the logs is a line that says:
parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
This is after the phase1 connection is established and phase2 as well. Then it drops the link within less than a second.
The only thing that is different for these two configs is that the one uses 192.168.123.0/29 as the server-side LAN and the new one 192.168.123.8/29. Since these are not full subnets and are consecutive (whatever that means, it's a different subnet!), could there be an issue that IPSec has with this?
-
Subnets wouldn't matter for that. The auth it's mentioning would be entirely in Phase 1, not Phase 2. The remote end is saying authentication failed, so you will need to check the logs on the remote side (if possible) for any more detail about why it failed.
In most cases it's down to something in Phase 1 either being mismatched or incorrect in some way (e.g. a config that could technically match multiple remote peers ends up matching both remotes).
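As an added example (not from the thread above and not pfSense or strongSwan code), a small Python script that does the three things the answer points at: pull the N(AUTH_FAILED) notify out of charon log lines and name the connection it belongs to, flag Phase 1 entries whose remote gateway and identifiers overlap so the responder could pick either one for the same peer, and confirm that two /29 Phase 2 networks such as 192.168.123.0/29 and 192.168.123.8/29 do not overlap. The log lines, connection names (con7000 etc.), addresses and tunnel definitions are constructed for the example, and the overlap rule in ambiguous_phase1 is an illustrative assumption, not strongSwan's actual config-selection logic.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of charon (strongSwan) log lines in the shape pfSense
# writes them. The "parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]" text is
# the one quoted in the question; the surrounding lines, connection names,
# IKE_SA ids and SPIs are made up for this example.
SAMPLE_LOG = """\
charon: 12[IKE] <con7000|9> IKE_SA con7000[9] established between 198.51.100.1[198.51.100.1]...203.0.113.7[203.0.113.7]
charon: 12[IKE] <con7000|9> CHILD_SA con7000{14} established with SPIs c0a8d3f1_i 5b2e9a40_o
charon: 12[ENC] <con7000|9> parsed INFORMATIONAL request 2 [ N(AUTH_FAILED) ]
charon: 12[IKE] <con7000|9> received AUTH_FAILED notify error
charon: 07[ENC] <con8000|11> parsed INFORMATIONAL request 3 [ D ]
"""

# charon tags each IKE message line with "<connection|ike_sa_id>" and lists
# the parsed payloads in square brackets; notifies appear as N(NAME).
NOTIFY_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+parsed\s+(?P<exch>\S+)\s+"
    r"(?P<dir>request|response)\s+(?P<msgid>\d+)\s+\[(?P<payloads>[^\]]*)\]"
)


def find_auth_failures(log_text):
    """Return (connection name, IKE_SA id) pairs whose peer sent N(AUTH_FAILED)."""
    hits = []
    for line in log_text.splitlines():
        m = NOTIFY_RE.search(line)
        if m and "N(AUTH_FAILED)" in m.group("payloads"):
            hits.append((m.group("conn"), int(m.group("sa"))))
    return hits


@dataclass(frozen=True)
class Phase1:
    name: str
    remote_gateway: str  # peer address, or "any" for a dynamic/unknown peer
    my_id: str           # identifier this side authenticates with
    peer_id: str         # identifier the peer authenticates with, or "any"
    auth: str            # "psk" or "rsa"


def _overlap(a, b):
    # Assumed matching rule for the example: equal values or a wildcard.
    return a == b or "any" in (a, b)


def ambiguous_phase1(entries):
    """Return name pairs of Phase 1 entries whose gateway, my id and peer id
    all overlap, i.e. the responder could select either entry (and either
    entry's credentials) for the same incoming peer."""
    pairs = []
    for i, x in enumerate(entries):
        for y in entries[i + 1:]:
            if (_overlap(x.remote_gateway, y.remote_gateway)
                    and _overlap(x.my_id, y.my_id)
                    and _overlap(x.peer_id, y.peer_id)):
                pairs.append((x.name, y.name))
    return pairs


def phase2_overlaps(networks):
    """Return pairs of Phase 2 networks (as strings) that overlap."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


# Constructed tunnel definitions: con9000 duplicates con8000's gateway and
# identifiers, which is the kind of Phase 1 ambiguity the answer describes.
SAMPLE_PHASE1 = [
    Phase1("con7000", "203.0.113.7", "198.51.100.1", "203.0.113.7", "psk"),
    Phase1("con8000", "203.0.113.8", "198.51.100.1", "203.0.113.8", "psk"),
    Phase1("con9000", "203.0.113.8", "198.51.100.1", "203.0.113.8", "psk"),
]

# The two /29s from the question: adjacent, but distinct networks.
SAMPLE_PHASE2 = ["192.168.123.0/29", "192.168.123.8/29"]

if __name__ == "__main__":
    for conn, sa in find_auth_failures(SAMPLE_LOG):
        print(f"AUTH_FAILED received on {conn} (IKE_SA {sa}): check Phase 1")
    for a, b in ambiguous_phase1(SAMPLE_PHASE1):
        print(f"Phase 1 entries {a} and {b} could both match the same peer")
    print("Phase 2 overlaps:", phase2_overlaps(SAMPLE_PHASE2) or "none")
```

Running it prints the AUTH_FAILED hit on con7000, the con8000/con9000 ambiguity, and "none" for the Phase 2 overlap check, which matches the answer's point that the adjacent /29s are not the problem.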