Netgate Discussion Forum
    Multiple Site-To-Site IPsec Problem

    e__n

      Hello, I have a pfSense instance on a static IP with the 192.168.2.0/24 network.

      Prior to my upgrade to 2.0 Release (I think I was using build RC1), I had a setup similar to:

      Phase 1 mobile tunnel, Mutual PSK, Aggressive Mode, 3DES, MD5, DH Group1, 28800 key lifetime
      Phase 2 (a) ESP, 3DES, MD5, PFS Group1, 28800 key lifetime
      …
      Phase 2 (f) ESP, 3DES, MD5, PFS Group1, 28800 key lifetime

      So 6 phase 2 entries for VPN endpoints that all have dynamic IP addresses. Each had a unique ID/PSK.

      This configuration worked fine.

      I upgraded to 2.0-Release, and racoon would not start due to a configuration error.

      I noticed that the line number of the error was related to the mobile VPN, so I deleted the phase 1/phase 2's for the dynamic IP sites.

      I tried to re-create them, and I cannot create more than one Phase 2 with the same LAN.

      Not only that, but not a single one will connect. All error out with "no valid sa" or "no remote configuration". I can post the full log, but I have racoon debug on at the moment and don't want to flood the post if I am missing something obvious (to others).

      Any idea how I can get this config back with multiple phase 2's and the same LAN entry?

      Thanks in advance for any advice.

      e__n

        Just to update, after leaving this alone all night I do see SAD and SPD entries for the dynamic IP sites, but no data sent/received and I am unable to ping any of them.

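As an added example (not from the thread or from pfSense), a small Python lint over the proposals the poster listed: it flags the deprecated Phase 1/Phase 2 algorithms and counts how many mobile Phase 2 entries share one local network, the pattern the poster could no longer create after the upgrade. The dataclass fields and the weak-algorithm sets are this example's own assumptions, not pfSense's configuration schema.

```python
from dataclasses import dataclass
from collections import Counter
from typing import List, Optional

# Algorithm sets treated as deprecated by this lint (assumption of this example).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5", "SHA1"}
WEAK_DH_GROUPS = {1, 2, 5}

@dataclass
class Phase1:
    mode: str          # "aggressive" or "main"
    auth: str          # "psk" or "rsa"
    encryption: str
    hash: str
    dh_group: int

@dataclass
class Phase2:
    local_net: str
    remote_net: Optional[str]  # None = dynamic / unspecified peer network
    encryption: str
    hash: str
    pfs_group: int

def lint_phase1(p1: Phase1) -> List[str]:
    f = []
    if p1.mode == "aggressive" and p1.auth == "psk":
        f.append("aggressive mode with PSK: identity and PSK-derived hash travel unencrypted")
    if p1.encryption in WEAK_ENCRYPTION:
        f.append(f"weak Phase 1 encryption {p1.encryption}")
    if p1.hash in WEAK_HASH:
        f.append(f"weak Phase 1 hash {p1.hash}")
    if p1.dh_group in WEAK_DH_GROUPS:
        f.append(f"weak Phase 1 DH group {p1.dh_group}")
    return f

def lint_phase2(entries: List[Phase2]) -> List[str]:
    # Several mobile (no fixed remote) Phase 2 entries on one local network is
    # the layout the poster reports pfSense 2.0 refuses to create.
    shared = Counter(e.local_net for e in entries if e.remote_net is None)
    f = [f"{n} mobile Phase 2 entries share local network {net}" for net, n in shared.items() if n > 1]
    for i, e in enumerate(entries, 1):
        if e.encryption in WEAK_ENCRYPTION or e.hash in WEAK_HASH or e.pfs_group in WEAK_DH_GROUPS:
            f.append(f"Phase 2 #{i}: weak proposal {e.encryption}/{e.hash}/PFS group {e.pfs_group}")
    return f

def posted_config():
    """The thread's setup: aggressive-mode PSK Phase 1, six Phase 2s on 192.168.2.0/24 for dynamic peers."""
    return Phase1("aggressive", "psk", "3DES", "MD5", 1), [Phase2("192.168.2.0/24", None, "3DES", "MD5", 1) for _ in range(6)]
```

Running `lint_phase1` and `lint_phase2` over `posted_config()` lists the four Phase 1 findings, the shared-network count, and one weak-proposal finding per Phase 2 entry.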
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.