Netgate Discussion Forum

    IPSEC stopped working after a temporary ISP connectivity down. Not able to establish connection to peer

    mauro.tridici

      Dear Users,

      after many years, my IPsec LAN-to-LAN tunnel suddenly stopped working after a temporary ISP connectivity outage. I'm trying to start IPsec again manually (as I usually do), but it seems to be stuck at the "connecting" phase.

      I stopped and restarted the service, I power-cycled pfSense, and I tried to manually start phase 1 from the command line, but I can see only this kind of output:

      swanctl --initiate --ike con1
      [IKE] initiating Main Mode IKE_SA con1[2] to peer_ip
      [ENC] generating ID_PROT request 0 [ SA V V V V V ]
      [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
      [IKE] sending retransmit 1 of request message ID 0, seq 1
      [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
      [IKE] sending retransmit 2 of request message ID 0, seq 1
      [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
      [IKE] sending retransmit 3 of request message ID 0, seq 1
      [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
      [IKE] sending retransmit 4 of request message ID 0, seq 1
      [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
      [IKE] sending retransmit 5 of request message ID 0, seq 1
      [NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
      [IKE] giving up after 5 retransmits
      [IKE] establishing IKE_SA failed, peer not responding
      initiate failed: establishing IKE_SA 'con1' failed

      In the past, I already experienced a similar issue and solved it by enabling and disabling the IPsec phases. But today this workaround is not working.

      Could you please help me clear up the situation and get IPsec working again?

      pfSense v.2.7.0

      Thank you,
      Mauro

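      The transcript above ends with "giving up after 5 retransmits" and "peer not responding", and the useful question for a runbook or alert is whether anything ever came back from the peer at all. The following is an added example, not code from the thread or from pfSense/strongSwan: a small parser for swanctl/charon initiation output that folds the retransmit counters into one record and separates "no reply at all" (the case in the post) from "peer answered, then stalled". The sample log is an abridged, constructed copy of the poster's output with the same placeholder addresses; the class and function names are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample, abridged from the swanctl --initiate output in the post
# (placeholder addresses as the poster wrote them).
SAMPLE_LOG = """\
[IKE] initiating Main Mode IKE_SA con1[2] to peer_ip
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] sending retransmit 5 of request message ID 0, seq 1
[NET] sending packet: from pfsense_ip[500] to peer_ip[500] (184 bytes)
[IKE] giving up after 5 retransmits
[IKE] establishing IKE_SA failed, peer not responding
"""

RE_INIT = re.compile(r"\[IKE\] initiating (.+?) IKE_SA (\S+?)\[\d+\] to (\S+)")
RE_SENT = re.compile(r"\[NET\] sending packet: .* to \S+\[(\d+)\]")
RE_RECV = re.compile(r"\[NET\] received packet:")
RE_RETRANS = re.compile(r"\[IKE\] sending retransmit (\d+) of request")

@dataclass
class IkeAttempt:
    conn: str = ""
    mode: str = ""
    peer: str = ""
    sent: int = 0          # packets charon put on the wire
    received: int = 0      # packets that came back from the peer
    retransmits: int = 0   # highest retransmit counter seen
    gave_up: bool = False  # charon exhausted its retransmit budget

def parse_attempt(log: str) -> IkeAttempt:
    a = IkeAttempt()
    for line in log.splitlines():
        if m := RE_INIT.search(line):
            a.mode, a.conn, a.peer = m.groups()
        elif RE_SENT.search(line):
            a.sent += 1
        elif RE_RECV.search(line):
            a.received += 1
        elif m := RE_RETRANS.search(line):
            a.retransmits = max(a.retransmits, int(m.group(1)))
        elif "giving up after" in line or "peer not responding" in line:
            a.gave_up = True
    return a

def diagnose(a: IkeAttempt) -> str:
    # Everything left, nothing came back: UDP/500 (or UDP/4500 once NAT-T is
    # negotiated) is dropped somewhere on the path, or the peer is down.
    if a.gave_up and a.received == 0:
        return "no-reply"
    if a.gave_up:
        return "stalled-mid-handshake"  # peer answered, then went silent
    return "ok"
```

A "no-reply" result points at path reachability (ISP device, NAT, firewall rule) rather than at the IKE proposals, which only come into play once the peer has answered at least once.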
      SteveITS @mauro.tridici

        @mauro-tridici Consider upgrading to 2.7.2, though that by itself is probably not a fix.

        Are these public IPs? Is an ISP router in use at either end?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

      mauro.tridici @SteveITS

          @SteveITS this is the traffic flow:

          FIREWALL with public IP (site A) - ISP - GATEWAY with public IP - PFSENSE with private IP.

          pfSense says that it is at the latest version, but that is not true (it is at 2.7.0).

          Thanks,
          Mauro

      SteveITS @mauro.tridici

            @mauro-tridici I have seen a case where the ISP modem (Comcast) was apparently blocking the inbound port forwarding. Changing the pfSense to a different WAN IP let it work.

            Re upgrade:
            https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#troubleshooting


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.