More than one IPSec tunnel phase1 is fine, but adding another phase1 prevents an existing tunnel from re-establishing a connection
-
I have 5 different tunnels set up with IPSec in host-to-host config, which all run stable and without obvious problems.
When I add a new tunnel phase1 (con10), all other phase1's stay connected, but as soon as I drop the con5 connection and try to re-establish it, it keeps on attempting to connect, but never succeeds. I can drop any other tunnel and it will immediately reconnect on the first try, but the last one previously added does not connect again.
If I disable the phase 2 connections and also the phase 1, then I can enable the tunnel in the config and all is well. It's when I enable the phase1 that the problem occurs with the con5 connection.
This is weird and I'm at a loss for why this happens. I'm not even at the stage where I actually establish a connection with the far site on this link yet!
How can this be?
-
I have attached ipsec.log
It records what happens when I do the following:
- con10's status is disabled.
- con5's status is enabled and connected
- I enable con10 and con5 stays connected
- I then disconnect con5. It immediately attempts to reconnect, but fails and just shows "connecting" in the UI IPsec status
- I then disable con10 again and con5 connects immediately.
BTW: Where is a disabled ipsec tunnel's config stored? Even a grep of the content of the pfSense is unable to locate it. When I enable the tunnel it's added to /var/etc/ipsec/swanctl.conf, but from where?
The configs of both con5 and con10 are below:
con5 {
    # P1 (ikeid 5): Client5
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes256-sha256-modp2048
    dpd_delay = 10s
    rekey_time = 25920s
    reauth_time = 0s
    over_time = 2880s
    rand_time = 2880s
    encap = no
    mobike = no
    local_addrs = 197.214.xxx.yyy
    remote_addrs = 196.250.xxx.yyy
    local {
        id = 197.214.xxx.yyy
        auth = psk
    }
    remote {
        id = %any
        auth = psk
    }
    children {
        con5 {
            # P2 (reqid 3): RC01 network
            mode = tunnel
            policies = yes
            life_time = 3600s
            rekey_time = 3240s
            rand_time = 360s
            start_action = trap
            remote_ts = 192.168.0.0/24
            local_ts = 192.168.152.0/29
            esp_proposals = aes256-sha256-modp2048
            dpd_action = trap
        }
    }
}
con10 {
    # P1 (ikeid 10): Client10
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes256gcm128-sha256-modp2048,aes256-sha256-modp2048
    dpd_delay = 10s
    rekey_time = 25920s
    reauth_time = 0s
    over_time = 2880s
    rand_time = 2880s
    encap = no
    mobike = no
    local_addrs = 197.214.xxx.yyy
    remote_addrs = 165.165.xxx.yyy
    local {
        id = 197.214.xxx.yyy
        auth = psk
    }
    remote {
        id = %any
        auth = psk
    }
}
-
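When two IKE connections on the same firewall start interacting, the first thing to pin down is exactly which settings they share. As an added example (not part of the post, and not pfSense or strongSwan code), here is a small parser for the swanctl.conf syntax shown above plus a check that groups connections by local address, remote auth method and remote identity, so that several connections sitting behind one wildcard remote id (%any) with PSK show up as a group. The sample text is the post's own two blocks, reflowed, with the xxx.yyy masking kept.

```python
import re

# Constructed sample: the post's two pfSense-generated swanctl.conf blocks, reflowed.
SAMPLE = """
con5 { # P1 (ikeid 5): Client5
    version = 2 proposals = aes256-sha256-modp2048
    local_addrs = 197.214.xxx.yyy remote_addrs = 196.250.xxx.yyy
    local { id = 197.214.xxx.yyy auth = psk }
    remote { id = %any auth = psk }
    children { con5 { # P2 (reqid 3): RC01 network
        remote_ts = 192.168.0.0/24 local_ts = 192.168.152.0/29 } }
}
con10 { # P1 (ikeid 10): Client10
    version = 2 proposals = aes256gcm128-sha256-modp2048,aes256-sha256-modp2048
    local_addrs = 197.214.xxx.yyy remote_addrs = 165.165.xxx.yyy
    local { id = 197.214.xxx.yyy auth = psk }
    remote { id = %any auth = psk }
}
"""

def parse_swanctl(text):
    """Parse swanctl.conf-style text (brace sections, key = value, # comments)."""
    text = re.sub(r"#[^\n]*", "", text)            # drop comments
    tokens = re.findall(r"[{}=]|[^\s{}=]+", text)   # braces, '=', bare words
    stack, i = [{}], 0                              # stack[0] is the root section
    while i < len(tokens):
        tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "}":                              # close the current section
            stack.pop()
            i += 1
        elif nxt == "{":                            # open a nested section
            stack[-1][tok] = section = {}
            stack.append(section)
            i += 2
        elif nxt == "=":                            # key = value setting
            stack[-1][tok] = tokens[i + 2]
            i += 3
        else:
            raise ValueError(f"unexpected token {tok!r}")
    return stack[0]

def shared_remote_selectors(conns):
    """Connections grouped by (local_addrs, remote auth, remote id), keeping only
    groups of two or more: peers that more than one connection would accept."""
    groups = {}
    for name, conn in conns.items():
        remote = conn.get("remote", {})
        key = (conn.get("local_addrs"), remote.get("auth"), remote.get("id"))
        groups.setdefault(key, []).append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}
```

Running `shared_remote_selectors(parse_swanctl(SAMPLE))` on the sample reports con5 and con10 together under the key (197.214.xxx.yyy, psk, %any); the same parser also makes the other differences visible, such as con10 having no children section yet.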