IPsec tunnel Juniper SSG5
-
Hello
We have been trying on 2 occasions to use IPsec VPN without too great success.
It seems to work for a while, but then it stops working and no data can be passed through it. Once we reboot the pfSense box it works again. Last time I logged into the pfSense and restarted the racoon service and that helped.
First attempt was a Zyxel N460 box where we use it as mobile IPsec and 1 SonicWall VPN.
Now for this new box, we have a Juniper SSG and an older NetScreen firewall.
After a while we get this error message (on the Juniper):

IPSec tunnel on interface ethernet0/0 with tunnel ID 0x2 received a packet with a bad SPI. XX.XX.XX.XX->XX.XX.XX.Xx/160, ESP, SPI 0x749f17e1, SEQ 0x33c.

This message keeps showing in the log. Once we reboot the pfSense it works again.
pfSense config:
<ipsec>
  <preferredoldsa/>
  <enable/>
  <tunnel>
    <interface>wan</interface>
    <local-subnet>
      <address>192.168.200.0/24</address>
    </local-subnet>
    <remote-subnet>10.0.0.0/24</remote-subnet>
    <remote-gateway>xx.xx.xx.xx</remote-gateway>
    <dpddelay/>
    <p1>
      <mode>main</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime/>
      <pre-shared-key>xxxxxxxxxxx</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <encryption-algorithm-option>aes 256</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
    </p2>
    <descr>xx.xx.xx.xx</descr>
    <pinghost>10.0.0.1</pinghost>
  </tunnel>
  <tunnel>
    <interface>wan</interface>
    <local-subnet>
      <network>lan</network>
    </local-subnet>
    <remote-subnet>xx.xx.xx.xx/24</remote-subnet>
    <remote-gateway>xx.xx.xx.xx</remote-gateway>
    <dpddelay/>
    <p1>
      <mode>main</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>3des</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime/>
      <pre-shared-key>XXXXXXXXXXX</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>3des</encryption-algorithm-option>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <encryption-algorithm-option>cast128</encryption-algorithm-option>
      <encryption-algorithm-option>rijndael</encryption-algorithm-option>
      <encryption-algorithm-option>aes 256</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <hash-algorithm-option>hmac_md5</hash-algorithm-option>
      <pfsgroup>0</pfsgroup>
    </p2>
    <descr>VPN Kunde1</descr>
    <pinghost>xx.xx.xx.xx</pinghost>
  </tunnel>
</ipsec>
-
Hi,
I guess it stops working after the SA expires.
-> go to System -> Advanced -> Miscellaneous
Then uncheck the "Prefer older IPsec SAs" option.
What about the IPsec log on pfSense?
cya
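The symptom in the question (the same SPI rejected over and over by the Juniper) and the setting the reply points at (the `<preferredoldsa/>` element, i.e. "Prefer older IPsec SAs") can both be checked mechanically. The script below is an added example, not code from either poster or from pfSense: it parses NetScreen-style bad-SPI log lines in the shape quoted above, counts how often each SPI is rejected so a stuck SA stands out from a single stray packet, and reads a pfSense-style `<ipsec>` fragment to report whether `preferredoldsa` is set and whether a tunnel has PFS off (`pfsgroup` 0). The log lines, addresses, SPIs and the config fragment are constructed sample data, and the fragment is a trimmed version of the config structure shown in the question, not a complete config.xml.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample log: three rejections of the same SPI (the stuck-SA
# pattern from the question) plus one unrelated IKE line that must not match.
SAMPLE_LOG = """\
IPSec tunnel on interface ethernet0/0 with tunnel ID 0x2 received a packet with a bad SPI. 203.0.113.10->198.51.100.5/160, ESP, SPI 0x749f17e1, SEQ 0x33c.
IPSec tunnel on interface ethernet0/0 with tunnel ID 0x2 received a packet with a bad SPI. 203.0.113.10->198.51.100.5/160, ESP, SPI 0x749f17e1, SEQ 0x33d.
IPSec tunnel on interface ethernet0/0 with tunnel ID 0x2 received a packet with a bad SPI. 203.0.113.10->198.51.100.5/160, ESP, SPI 0x749f17e1, SEQ 0x33e.
IKE 203.0.113.10 Phase 2 msg ID 1a2b3c4d: Completed negotiations with SPI 0x0a1b2c3d.
"""

# Regex follows the message shape quoted in the question; field names are ours.
BAD_SPI_RE = re.compile(
    r"tunnel ID (?P<tid>0x[0-9a-fA-F]+) received a packet with a bad SPI\. "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)/\d+, (?P<proto>\w+), "
    r"SPI (?P<spi>0x[0-9a-fA-F]+), SEQ (?P<seq>0x[0-9a-fA-F]+)"
)


def bad_spi_events(log_text):
    """Return one (tunnel_id, src, dst, spi) tuple per bad-SPI log line."""
    events = []
    for line in log_text.splitlines():
        m = BAD_SPI_RE.search(line)
        if m:
            events.append((m["tid"], m["src"], m["dst"], m["spi"].lower()))
    return events


def stuck_spis(log_text, threshold=3):
    """Group rejections by (tunnel, src, dst, spi) and keep those seen at
    least `threshold` times. One SPI rejected repeatedly means the peer is
    still sending on an SA this gateway no longer has, which is what the
    question describes; a single hit is more likely a stray packet."""
    counts = Counter(bad_spi_events(log_text))
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed, trimmed pfSense-style config fragment (not a full config.xml).
SAMPLE_CONFIG = """<pfsense><ipsec><preferredoldsa/><enable/>
<tunnel><interface>wan</interface><remote-gateway>203.0.113.10</remote-gateway>
<p2><protocol>esp</protocol><pfsgroup>0</pfsgroup></p2><descr>VPN Kunde1</descr></tunnel>
</ipsec></pfsense>"""


def ipsec_findings(config_xml):
    """Report the settings relevant to this thread: the global
    'Prefer older IPsec SAs' flag and, per tunnel, PFS being off."""
    root = ET.fromstring(config_xml)
    ipsec = root.find("ipsec")
    findings = []
    if ipsec is None:
        return findings
    # pfSense stores the checkbox as an empty <preferredoldsa/> element.
    if ipsec.find("preferredoldsa") is not None:
        findings.append("preferredoldsa is set: 'Prefer older IPsec SAs' is enabled")
    for t in ipsec.findall("tunnel"):
        descr = t.findtext("descr") or t.findtext("remote-gateway") or "?"
        if t.findtext("p2/pfsgroup") == "0":
            findings.append(f"tunnel '{descr}': PFS disabled (pfsgroup 0)")
    return findings


if __name__ == "__main__":
    for key, n in stuck_spis(SAMPLE_LOG).items():
        tid, src, dst, spi = key
        print(f"tunnel {tid} {src}->{dst}: SPI {spi} rejected {n} times")
    for line in ipsec_findings(SAMPLE_CONFIG):
        print(line)
```

Run against real data, feed the Juniper event log to `stuck_spis` and the pfSense `config.xml` to `ipsec_findings`; a repeated SPI together with `preferredoldsa` present is the combination the reply's fix addresses, and the check can be re-run after the option is unchecked to confirm the element is gone.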