Netgate Discussion Forum
    IPsec SAD issue
    6 Posts 2 Posters 5.8k Views
    mcs:

      I'm using pfSense 1.2.3 with many connected mobile IP clients. I have an issue (since upgrading to 1.2.3 from 1.2.2) that often my tunnels don't work, even though everything looks fine with the connections. For example, here is the output from System Logs -> IPsec VPN for one mobile client with that issue, where I replaced pfSense's fixed public IP address with "fixedIP" and the mobile client's IP address with "mobileIP".

      racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP fixedIP[0]->mobileIP[0] spi=2265919317(0x870f2f55)
      racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP mobileIP[0]->fixedIP[0] spi=129690832(0x7baecd0)
      racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: fixedIP[0]<=>mobileIP[0]
      racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established fixedIP[500]-mobileIP[500] spi:7a8151eef328f4ef:e4849e4aefe53e4e
      racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: fixedIP[500]<=>mobileIP[500]
      racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted fixedIP[500]-mobileIP[500] spi:8bad2208f0133aa9:536451d5ab5c00a6
      racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired fixedIP[500]-mobileIP[500] spi:8bad2208f0133aa9:536451d5ab5c00a6

      I solve this kind of problem by finding the entries for mobileIP in Status -> IPsec -> SAD and deleting all entries (around 10 of them) that have mobileIP. Then my tunnel automatically goes up.

      Since I have many mobile IP clients and the tunnels go down often, this problem-solving procedure is killing me. Any ideas, please?

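      The manual cleanup described in the post above (find every SAD entry that involves mobileIP and delete it) can be scripted on the firewall with setkey(8), which manages the same kernel SAD that Status -> IPsec -> SAD displays. The script below is an added example for this thread, not code from the original post or from pfSense. It assumes the `setkey -D` dump layout shown in the constructed sample (an unindented "SRC DST" line followed by an indented "esp ... spi=DEC(0xHEX) ..." line); the addresses 203.0.113.10 (standing in for fixedIP) and 198.51.100.7 (mobileIP) are invented, and the script only talks to the real setkey when invoked with --apply.

```shell
#!/bin/sh
# stale_sad.sh: generate (and optionally apply) setkey(8) delete statements
# for every IPsec SA in the kernel SAD that involves one peer address.
# Added example for this thread; not pfSense code. Sample data is constructed.

# Read `setkey -D` output on stdin and print one
#   delete SRC DST PROTO SPI ;
# statement per SA whose source or destination address equals $1.
sad_deletes_for_peer() {
    awk -v peer="$1" '
        # An unindented "SRC DST" line opens an SA entry. NAT-T entries carry
        # a [port] suffix: strip it for matching, keep it in the statement.
        /^[^ \t]/ && NF == 2 {
            src = $1; dst = $2
            s = src; d = dst
            sub(/\[[0-9]+\]$/, "", s); sub(/\[[0-9]+\]$/, "", d)
            next
        }
        # Indented protocol line of the current entry, e.g.
        #   esp mode=tunnel spi=2265919317(0x870f2f55) reqid=0(0x00000000)
        /^[ \t]+(esp|ah|ipcomp) / && (s == peer || d == peer) {
            spi = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^spi=[0-9]+\(0x[0-9a-f]+\)$/) {
                    spi = $i
                    sub(/^spi=[0-9]+\(/, "", spi); sub(/\)$/, "", spi)
                }
            }
            if (spi != "") printf "delete %s %s %s %s ;\n", src, dst, $1, spi
        }
    '
}

# Constructed `setkey -D` dump (assumed layout): three SAs for the mobile peer
# 198.51.100.7, one of them already dying, plus one for an unrelated peer.
SAMPLE_SAD='203.0.113.10 198.51.100.7
        esp mode=tunnel spi=2265919317(0x870f2f55) reqid=0(0x00000000)
        E: aes-cbc  0102030405060708090a0b0c0d0e0f10
        A: hmac-sha1 0102030405060708090a0b0c0d0e0f1011121314
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.7 203.0.113.10
        esp mode=tunnel spi=129690832(0x07baecd0) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.10 198.51.100.7
        esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
203.0.113.10 198.51.100.20
        esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Run the parser over the constructed dump for the mobile peer; the
# unrelated peer 198.51.100.20 must not appear in the output.
demo_deletes() {
    printf '%s\n' "$SAMPLE_SAD" | sad_deletes_for_peer 198.51.100.7
}

# Usage on the firewall (as root):
#   sh stale_sad.sh 198.51.100.7           # show what would be deleted
#   sh stale_sad.sh 198.51.100.7 --apply   # delete it; racoon renegotiates
main() {
    [ -n "$1" ] || { echo "usage: $0 PEER [--apply]" >&2; return 2; }
    if [ "$2" = "--apply" ]; then
        setkey -D | sad_deletes_for_peer "$1" | setkey -c
    else
        setkey -D | sad_deletes_for_peer "$1"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run without --apply first and compare the SPIs it lists against the racoon log: the two "IPsec-SA established" lines in the post carry the SPIs of the freshest pair, so any other SA for the same peer is a leftover from a previous PPPoE session. Deleting all of them is what the SAD page does by hand; racoon then negotiates a new pair on the next packet, which matches the "tunnel automatically goes up" behaviour described. The "Prefer old IPsec SAs" option mentioned later in the thread instead changes which of the duplicate SAs the kernel picks for outbound traffic (on FreeBSD this is the net.key.preferred_oldsa sysctl; that mapping is my assumption about pfSense 1.2.3, not something the thread states).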
      jimp (Rebel Alliance Developer, Netgate):

        Are multiple mobile users trying to use the same internal IP address set in their client?

        mcs:

          Yes, mobile clients' LAN IP is always the same, only their WAN IP changes with every new PPPoE connection.

        jimp (Rebel Alliance Developer, Netgate):

            The LAN IP doesn't matter quite so much as the IP you have set inside of the IPsec client. The client IP address that you set up inside of the IPsec client should be different on each client.

          mcs:

              Sorry, I didn't understand your question at first; now I see what you asked. Sure, every client has a unique scope of inside IP addresses; they are unique for every client and thus fixed.

            mcs:

                Solved the problem! I checked the option System -> Advanced -> Miscellaneous -> IPsec SA preferral -> Prefer old IPsec SAs, and the tunnels seem not to go down any more.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.