<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[IPSec Site to Site tunnel Broken with Advanced Outbound Nat]]></title><description><![CDATA[<p dir="auto">Hi,</p>
<p dir="auto">We have a site to site IPsec tunnel which has been running for the last 2 years without any issues, however we now need to turn off Automatic NAT, and as a result the VPN tunnel is now extremely unstable (last night it ran for 7 hours, this morning it lasted about 5 mins)</p>
<p dir="auto">Jan 25 09:21:30 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.<br />
Jan 25 09:21:30 racoon: WARNING: port 500 expected, but 0<br />
Jan 25 09:21:30 racoon: INFO: received Vendor ID: CISCO-UNITY<br />
Jan 25 09:21:30 racoon: INFO: received Vendor ID: DPD<br />
Jan 25 09:21:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt<br />
Jan 25 09:21:30 racoon: INFO: begin Aggressive mode.</p>
<p dir="auto">However, only the AON has been changed, and as soon as we switch back over to Automatic it is back to stable again. Anyone any ideas? At present we are running 1.2.2 due to driver issues on 1.2.3.</p>
<p dir="auto">J</p>
]]></description><link>https://forum.netgate.com/topic/20961/ipsec-site-to-site-tunnel-broken-with-advanced-outbound-nat</link><generator>RSS for Node</generator><lastBuildDate>Sun, 07 Jun 2026 02:39:21 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/20961.rss" rel="self" type="application/rss+xml"/><pubDate>Mon, 25 Jan 2010 09:27:54 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to IPSec Site to Site tunnel Broken with Advanced Outbound Nat on Fri, 29 Jan 2010 18:54:21 GMT]]></title><description><![CDATA[<p dir="auto">Update, got this fixed, had created a specific NONAT rule for one of the interfaces, removed this, also cleaned up the VPN settings to match the remote system exactly (Key lifetime) and all seems stable now, not really sure which fixed it, but as this was stable beforehand I think it may just be a combination.</p>
<p dir="auto">J</p>
]]></description><link>https://forum.netgate.com/post/221231</link><guid isPermaLink="true">https://forum.netgate.com/post/221231</guid><dc:creator><![CDATA[jsmwalker]]></dc:creator><pubDate>Fri, 29 Jan 2010 18:54:21 GMT</pubDate></item><item><title><![CDATA[Reply to IPSec Site to Site tunnel Broken with Advanced Outbound Nat on Mon, 25 Jan 2010 13:28:34 GMT]]></title><description><![CDATA[<p dir="auto">Hi,</p>
<p dir="auto">This is becoming very frustrating. It works perfectly without Manual NAT, so not sure why AON breaks this. We also have the following error (connection stayed up 10 mins):</p>
<p dir="auto">Jan 25 13:18:52 racoon: ERROR: not acceptable Identity Protection mode</p>
<p dir="auto">Which points towards the security identifier, however as this is now hardcoded as our external IP and only goes out through WAN1 (multi-WAN setup) I can't see why this would alter.</p>
<p dir="auto">J</p>
]]></description><link>https://forum.netgate.com/post/220730</link><guid isPermaLink="true">https://forum.netgate.com/post/220730</guid><dc:creator><![CDATA[jsmwalker]]></dc:creator><pubDate>Mon, 25 Jan 2010 13:28:34 GMT</pubDate></item></channel></rss>