Netgate Discussion Forum

    Pfsense to pfsense ipsec tunnel problem

    IPsec

    Alex-G

      Hello,

      I have 2 pfsense 1.2.3 boxes (a standard PC and an opensense box) with an ipsec tunnel between them.
      On both sides, "prefer old ipsec sas" is enabled in advanced settings; I had a problem with a Cisco VPN before and enabling this solved it.

      ipsec config:

      phase1:
      main 3DES MD5 DH2 lifetime: 86400

      phase2:
      ESP 3DES MD5 PFS off lifetime: 28800

      The tunnel works fine, but after a while it stops working and I found the following messages in the logs:

      site 1:

      Oct 8 09:32:59     racoon: [Pro Alert Luxemburg]: INFO: ISAKMP-SA established 81.246.90.45[500]-195.46.255.78[500] spi:b3ba4471d6ae3d14:a55e3a0cd83c53bd
      Oct 8 09:33:00     racoon: [Pro Alert Luxemburg]: INFO: initiate new phase 2 negotiation: 81.246.90.45[500]<=>195.46.255.78[500]
      Oct 8 09:33:00     racoon: [Pro Alert Luxemburg]: INFO: IPsec-SA established: ESP 195.46.255.78[0]->81.246.90.45[0] spi=22604688(0x158eb90)
      Oct 8 09:33:00     racoon: [Pro Alert Luxemburg]: INFO: IPsec-SA established: ESP 81.246.90.45[0]->195.46.255.78[0] spi=134206686(0x7ffd4de)
      Oct 8 09:53:20     racoon: [Pro Alert Luxemburg]: WARNING: remote address mismatched. db=195.46.255.78[500], act=195.46.255.78[14605]
      Oct 8 09:53:40     last message repeated 4 times
      Oct 8 09:54:36     racoon: ERROR: couldn't find configuration.
      Oct 8 09:55:06     last message repeated 3 times
      Oct 8 09:55:16     racoon: ERROR: couldn't find configuration.
      Oct 8 10:04:07     last message repeated 10 times
      

      site 2:

      Oct 8 10:07:52     racoon: [Pro Alert Belgium]: INFO: IPsec-SA request for 81.246.90.45 queued due to no phase1 found.
      Oct 8 10:07:52     racoon: [Pro Alert Belgium]: INFO: initiate new phase 1 negotiation: 195.46.255.78[500]<=>81.246.90.45[500]
      Oct 8 10:07:52     racoon: INFO: begin Identity Protection mode.
      Oct 8 10:08:23     racoon: [Pro Alert Belgium]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 81.246.90.45[0]->195.46.255.78[0]
      Oct 8 10:08:23     racoon: INFO: delete phase 2 handler.
      Oct 8 10:08:42     racoon: ERROR: phase1 negotiation failed due to time up. c5a388fbbe08052b:0000000000000000
      Oct 8 10:12:17     racoon: [Pro Alert Belgium]: INFO: IPsec-SA request for 81.246.90.45 queued due to no phase1 found.
      Oct 8 10:12:17     racoon: [Pro Alert Belgium]: INFO: initiate new phase 1 negotiation: 195.46.255.78[500]<=>81.246.90.45[500]
      Oct 8 10:12:17     racoon: INFO: begin Identity Protection mode.
      Oct 8 10:12:49     racoon: [Pro Alert Belgium]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 81.246.90.45[0]->195.46.255.78[0]
      Oct 8 10:12:49     racoon: INFO: delete phase 2 handler.
      Oct 8 10:13:07     racoon: ERROR: phase1 negotiation failed due to time up. e05c929b05850beb:0000000000000000
      

      I have tried different settings and I don't know what else I can do to solve this problem…

        eazydor
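      The site-1 log above tells the story in three steps: an ISAKMP SA is established with the peer at 195.46.255.78 on UDP 500, twenty minutes later racoon warns that packets for that SA now arrive from the same address but UDP port 14605 ("remote address mismatched"), and from then on every new negotiation fails with "couldn't find configuration". A changed source port on an unchanged peer address is commonly the signature of a NAT device on the path re-mapping the IKE session, so it is worth pulling this pattern out of the logs automatically. The following Python script is an added example, not code from the thread or from pfSense; SAMPLE_LOG is a copy of the site-1 lines quoted in the post (syslog spacing collapsed), and the function and field names are my own. It folds the syslog "last message repeated N times" lines into the event they follow, so the counts reflect what actually happened.

```python
import re
from dataclasses import dataclass

# Constructed sample: the site-1 racoon lines quoted in the post, spacing collapsed.
SAMPLE_LOG = """\
Oct 8 09:32:59 racoon: [Pro Alert Luxemburg]: INFO: ISAKMP-SA established 81.246.90.45[500]-195.46.255.78[500] spi:b3ba4471d6ae3d14:a55e3a0cd83c53bd
Oct 8 09:33:00 racoon: [Pro Alert Luxemburg]: INFO: initiate new phase 2 negotiation: 81.246.90.45[500]<=>195.46.255.78[500]
Oct 8 09:33:00 racoon: [Pro Alert Luxemburg]: INFO: IPsec-SA established: ESP 195.46.255.78[0]->81.246.90.45[0] spi=22604688(0x158eb90)
Oct 8 09:33:00 racoon: [Pro Alert Luxemburg]: INFO: IPsec-SA established: ESP 81.246.90.45[0]->195.46.255.78[0] spi=134206686(0x7ffd4de)
Oct 8 09:53:20 racoon: [Pro Alert Luxemburg]: WARNING: remote address mismatched. db=195.46.255.78[500], act=195.46.255.78[14605]
Oct 8 09:53:40 last message repeated 4 times
Oct 8 09:54:36 racoon: ERROR: couldn't find configuration.
Oct 8 09:55:06 last message repeated 3 times
Oct 8 09:55:16 racoon: ERROR: couldn't find configuration.
Oct 8 10:04:07 last message repeated 10 times
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<msg>.*)$")
ISAKMP_RE = re.compile(
    r"ISAKMP-SA established (?P<local>[\d.]+)\[(?P<lport>\d+)\]-(?P<remote>[\d.]+)\[(?P<rport>\d+)\]")
MISMATCH_RE = re.compile(
    r"remote address mismatched\. db=(?P<db_ip>[\d.]+)\[(?P<db_port>\d+)\], "
    r"act=(?P<act_ip>[\d.]+)\[(?P<act_port>\d+)\]")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


@dataclass
class Mismatch:
    first_seen: str
    db_ip: str      # address/port racoon has stored for the SA
    db_port: int
    act_ip: str     # address/port the packet actually came from
    act_port: int
    count: int = 1  # occurrences, including folded "repeated N times"

    @property
    def kind(self) -> str:
        """Classify what differs between the stored SA and the live packet."""
        if self.db_ip != self.act_ip:
            return "address_changed"
        if self.db_port != self.act_port:
            return "port_changed"
        return "none"


def analyse(log_text: str) -> dict:
    """Walk racoon log lines in order and return established ISAKMP SAs,
    remote-address mismatches, configuration-lookup failures and findings."""
    established = []    # (timestamp, remote_ip, remote_port)
    mismatches = []
    config_errors = 0
    last_kind = "other"  # which event a following "repeated N times" belongs to

    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")

        rep = REPEAT_RE.search(msg)
        if rep:  # syslog de-duplication: attribute the repeats to the previous event
            n = int(rep.group("n"))
            if last_kind == "mismatch":
                mismatches[-1].count += n
            elif last_kind == "config_error":
                config_errors += n
            continue

        mm = MISMATCH_RE.search(msg)
        if mm:
            key = (mm["db_ip"], int(mm["db_port"]), mm["act_ip"], int(mm["act_port"]))
            prev = mismatches[-1] if mismatches else None
            if last_kind == "mismatch" and prev and \
               (prev.db_ip, prev.db_port, prev.act_ip, prev.act_port) == key:
                prev.count += 1
            else:
                mismatches.append(Mismatch(ts, *key))
            last_kind = "mismatch"
            continue

        im = ISAKMP_RE.search(msg)
        if im:
            established.append((ts, im["remote"], int(im["rport"])))
            last_kind = "isakmp"
            continue

        if "couldn't find configuration" in msg:
            config_errors += 1
            last_kind = "config_error"
            continue

        last_kind = "other"

    findings = []
    for mis in mismatches:
        if mis.kind == "port_changed":
            findings.append(
                f"{mis.first_seen}: peer {mis.db_ip} now sends IKE from UDP {mis.act_port} "
                f"instead of {mis.db_port} ({mis.count} packets); the stored ISAKMP SA no "
                f"longer matches, so check for a NAT device re-mapping the path")
        elif mis.kind == "address_changed":
            findings.append(f"{mis.first_seen}: peer address changed {mis.db_ip} -> "
                            f"{mis.act_ip} ({mis.count} packets)")
    if config_errors:
        findings.append(f"{config_errors} 'couldn't find configuration' errors: incoming "
                        f"negotiations matched no configured remote peer definition")

    return {"established": established, "mismatches": mismatches,
            "config_errors": config_errors, "findings": findings}


if __name__ == "__main__":
    for line in analyse(SAMPLE_LOG)["findings"]:
        print(line)
```

      Run against the site-1 lines it reports one port-drift event with five packets (the warning plus four repeats) and fifteen configuration-lookup failures; on a live system, feeding it the IPsec log of both peers and comparing the reported ports with what each side thinks the other's address is narrows the problem to the path between them rather than to the phase 1/phase 2 proposals.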

        Try changing negotiation mode to aggressive.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.