Netgate Discussion Forum

IPSEC stopped working after a temporary ISP connectivity down. Not able to establish connection to peer

4 Posts 2 Posters 478 Views
    mauro.tridici
    last edited by Oct 23, 2024, 8:45 PM

    Dear Users,

    after many years, my IPsec LAN-to-LAN tunnel suddenly stopped working after a temporary ISP connectivity outage. I'm trying to start IPsec again manually (as I usually do), but it seems to get stuck in the "connecting" phase.

    I stopped and restarted the service, I power-cycled pfSense, and I tried to manually start phase 1 from the command line, but I can only see this kind of output:

    swanctl --initiate --ike con1
    [IKE] initiating Main Mode IKE_SA con1[2] to peer_ip
    [ENC] generating ID_PROT request 0 [ SA V V V V V ]
    [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
    [IKE] sending retransmit 1 of request message ID 0, seq 1
    [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
    [IKE] sending retransmit 2 of request message ID 0, seq 1
    [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
    [IKE] sending retransmit 3 of request message ID 0, seq 1
    [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
    [IKE] sending retransmit 4 of request message ID 0, seq 1
    [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
    [IKE] sending retransmit 5 of request message ID 0, seq 1
    [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
    [IKE] giving up after 5 retransmits
    [IKE] establishing IKE_SA failed, peer not responding
    initiate failed: establishing IKE_SA 'con1' failed

    In the past I already experienced a similar issue and solved it by enabling and disabling the IPsec phases. But today this workaround is not working.

    Could you please help me to clear up the situation and get IPsec working again?

    pfSense v2.7.0

    Thank you,
    Mauro

      SteveITS Galactic Empire @mauro.tridici
      last edited by Oct 24, 2024, 4:48 AM

      @mauro-tridici Consider upgrading to 2.7.2, though that by itself is probably not a fix.

      Are these public IPs? Is an ISP router in use at either end?

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

        mauro.tridici @SteveITS
        last edited by Oct 24, 2024, 7:16 AM

        @SteveITS this is the traffic flow:

        FIREWALL with public IP (site A) - ISP - GATEWAY with public IP - PFSENSE with private IP.

        pfSense says that it is at the latest version, but that is not true (it is at 2.7.0).

        Thanks,
        Mauro

          SteveITS Galactic Empire @mauro.tridici
          last edited by Oct 24, 2024, 12:42 PM

          @mauro-tridici I have seen a case where the ISP modem (Comcast) was apparently blocking the inbound port forwarding. Changing the pfSense to a different WAN IP let it work.

          Re upgrade:
          https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting


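The swanctl output in the first post has a recognisable shape: every packet goes out on UDP/500, not a single packet comes back, and charon gives up after 5 retransmits with "peer not responding". That is a different failure from the peer answering and rejecting the proposal, and the distinction matters because, as the replies point out, a silent peer usually means something on the path (an ISP gateway in front of pfSense, a changed WAN address, blocked UDP 500/4500) rather than the IPsec configuration. The script below is an added example, not code from the original post, from Netgate or from strongSwan: it parses charon-style log lines and classifies the outcome. The first sample is the exchange posted in the thread (with the poster's placeholder addresses); the second sample, including its NO_PROPOSAL_CHOSEN line, is constructed for contrast, and the advice strings are my own suggestions, not anything the thread states.

```python
import re

# Sample 1: the exchange posted in the thread (placeholder addresses kept as posted).
NO_RESPONSE_LOG = """\
[IKE] initiating Main Mode IKE_SA con1[2] to peer_ip
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] sending retransmit 1 of request message ID 0, seq 1
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] sending retransmit 2 of request message ID 0, seq 1
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] sending retransmit 3 of request message ID 0, seq 1
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] sending retransmit 4 of request message ID 0, seq 1
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] sending retransmit 5 of request message ID 0, seq 1
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] giving up after 5 retransmits
[IKE] establishing IKE_SA failed, peer not responding
"""

# Sample 2: constructed contrast case (not from the thread). The peer is reachable,
# answers on UDP/500, and rejects the phase 1 proposal with an error notify.
PROPOSAL_REJECTED_LOG = """\
[IKE] initiating Main Mode IKE_SA con1[3] to peer_ip
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[NET] received packet: from peer_ip[500] to pfsense_ip[500] (56 bytes)
[ENC] parsed INFORMATIONAL_V1 request 3061033116 [ N(NO_PROP) ]
[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

# Line patterns as charon prints them (leading whitespace is stripped first so a
# copy from a forum post with indentation still parses).
SENT = re.compile(r"^\[NET\] sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
RECEIVED = re.compile(r"^\[NET\] received packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
RETRANSMIT = re.compile(r"^\[IKE\] sending retransmit (\d+) of request")
GAVE_UP = re.compile(r"^\[IKE\] giving up after (\d+) retransmits")
ERROR_NOTIFY = re.compile(r"^\[IKE\] received ([A-Z_]+) (?:error notify|notify error)")
ESTABLISHED = re.compile(r"^\[IKE\] IKE_SA \S+ established between")


def summarize(log):
    """Count what left, what came back, and how the attempt ended."""
    s = {"sent": 0, "received": 0, "retransmits": 0, "gave_up_after": None,
         "peer": None, "ports": set(), "error_notifies": [], "established": False}
    for raw in log.splitlines():
        line = raw.strip()
        if m := SENT.match(line):
            s["sent"] += 1
            s["peer"] = m.group(3)
            s["ports"].add(int(m.group(4)))   # 500, or 4500 once NAT-T kicks in
        elif RECEIVED.match(line):
            s["received"] += 1
        elif m := RETRANSMIT.match(line):
            s["retransmits"] = max(s["retransmits"], int(m.group(1)))
        elif m := GAVE_UP.match(line):
            s["gave_up_after"] = int(m.group(1))
        elif m := ERROR_NOTIFY.match(line):
            s["error_notifies"].append(m.group(1))
        elif ESTABLISHED.match(line):
            s["established"] = True
    return s


def diagnose(log):
    """Return a verdict string; order matters, an established SA beats any earlier noise."""
    s = summarize(log)
    if s["established"]:
        return "ESTABLISHED"
    if s["error_notifies"]:
        # The peer answered, so the path is fine: look at proposals, IDs, PSK/certs.
        return "PEER_REJECTED:" + ",".join(s["error_notifies"])
    if s["sent"] and s["received"] == 0:
        # Requests left, nothing at all returned: a path/NAT/filtering problem.
        return "NO_RESPONSE"
    return "UNKNOWN"


def next_check(log):
    """My own suggested next step per verdict (assumption, not from the thread)."""
    s = summarize(log)
    verdict = diagnose(log)
    if verdict == "NO_RESPONSE":
        ports = " or ".join(f"udp port {p}" for p in sorted(s["ports"])) or "udp port 500"
        return (f"No reply from {s['peer']} after {s['retransmits']} retransmits. Run "
                f"'tcpdump -ni <wan> {ports}' on pfSense while initiating: if requests leave and "
                "nothing returns, check the upstream gateway/ISP device for UDP 500/4500 "
                "forwarding and confirm the WAN address the peer expects has not changed.")
    if verdict.startswith("PEER_REJECTED"):
        return "Peer is reachable; compare phase 1 proposals, identifiers and authentication on both ends."
    if verdict == "ESTABLISHED":
        return "Phase 1 is up; look at phase 2 (CHILD_SA) if traffic still does not pass."
    return "Not enough [NET]/[IKE] lines to classify; raise the charon log level and retry."
```

Run it against a fresh `swanctl --initiate --ike <name>` output (or `clog /var/log/ipsec.log` on pfSense) to get the verdict before touching any phase 1 or phase 2 settings; in the thread's case it lands on NO_RESPONSE, which is the same conclusion SteveITS reached from the ISP gateway topology.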
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.