Netgate Discussion Forum

    IPsec tunnels died and don't come up anymore

    Hutspot

      Hi all,
      I have a pretty strange problem: I have 1 office with 4 branches connected via IPsec.
      All locations run the same pfSense 1.2.3; the only difference is that the "Office" runs on a Dell Poweredge R210 server and all the branches on a simple IBM P4 desktop.
      Configuration on both sides is the same.
      After it worked well for a pretty long time, all of a sudden all pfSense boxes stopped talking with each other and there is no way to bring them back. The weird thing is that from my home I can still connect via IPsec to all of them, but I use M0n0wall.
      Here is the log from the OFFICE side when I send a ping via the LAN side:

      Feb 6 21:51:38 racoon: ERROR: HASH mismatched
      Feb 6 21:51:38 racoon: WARNING: No ID match.
      Feb 6 21:51:38 racoon: INFO: received Vendor ID: DPD
      Feb 6 21:51:38 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 6 21:51:38 racoon: ERROR: HASH mismatched
      Feb 6 21:51:38 racoon: WARNING: No ID match.
      Feb 6 21:51:38 racoon: INFO: received Vendor ID: DPD
      Feb 6 21:51:38 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 6 21:51:28 racoon: ERROR: HASH mismatched
      Feb 6 21:51:28 racoon: WARNING: No ID match.
      Feb 6 21:51:28 racoon: INFO: received Vendor ID: DPD
      Feb 6 21:51:28 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 6 21:51:28 racoon: ERROR: HASH mismatched
      Feb 6 21:51:28 racoon: WARNING: No ID match.
      Feb 6 21:51:28 racoon: INFO: received Vendor ID: DPD
      Feb 6 21:51:28 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 6 21:51:18 racoon: ERROR: HASH mismatched
      Feb 6 21:51:18 racoon: WARNING: No ID match.
      Feb 6 21:51:18 racoon: INFO: received Vendor ID: DPD
      Feb 6 21:51:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
      Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: initiate new phase 1 negotiation: 1xx.xx.xx.xx[500]<=>2xx.xx.xx.xx[500]
      Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: IPsec-SA request for 2xx.xx.xx.xx queued due to no phase1 found.

      And here the log on the BRANCH side:
      Feb 6 21:52:08 racoon: ERROR: phase1 negotiation failed due to time up. 585c756a76df580f:dd4d18b48e8db9fc
      Feb 6 21:51:58 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:58 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:58 racoon: [Porto Novo Vila Velha VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[[500] (1).
      Feb 6 21:51:48 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:48 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:48 racoon: [Porto Novo Vila Velha VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[[500] (1).
      Feb 6 21:51:38 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:38 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:38 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
      Feb 6 21:51:28 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:28 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:28 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
      Feb 6 21:51:18 racoon: ERROR: ignore information because ISAKMP-SAhas not been established yet.
      Feb 6 21:51:18 racoon: WARNING: No ID match.
      Feb 6 21:51:18 racoon: INFO: received Vendor ID: DPD
      Feb 6 21:51:18 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
      Feb 6 21:51:18 racoon: [NAME BRANCH VPN]: INFO: respond new phase 1 negotiation: 2xx.xx.xx.xx[500]<=>1xx.xx.xx.xx[500]

      I saved the tunnels and passphrases again on both sides, of course; all is correctly in the config.
      As said, via my m0n0wall box I can connect to both, but OFFICE can't connect to BRANCH anymore and vice versa.
      As said also, the tunnel was working correctly for a while, and nobody but me has access to the boxes.

      Does anyone have an idea? I will soon upgrade all to 2.0.1, but would like to resolve this first.

      Thanks in advance!
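A small triage helper, added here and not part of the original post, that reads racoon log lines like the ones quoted above and reports which side the phase 1 symptoms point at. The sample lines are constructed from the post's own output (placeholder addresses kept) and the diagnosis strings are labels of my own.

```python
import re

# Constructed sample lines modelled on the racoon output quoted in the post (placeholder addresses kept)
OFFICE_LOG = """\
Feb 6 21:51:18 racoon: [NAME BRANCH]: INFO: initiate new phase 1 negotiation: 1xx.xx.xx.xx[500]<=>2xx.xx.xx.xx[500]
Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
Feb 6 21:51:18 racoon: WARNING: No ID match.
Feb 6 21:51:18 racoon: ERROR: HASH mismatched
Feb 6 21:51:28 racoon: ERROR: HASH mismatched
"""
BRANCH_LOG = """\
Feb 6 21:51:18 racoon: [NAME BRANCH VPN]: INFO: respond new phase 1 negotiation: 2xx.xx.xx.xx[500]<=>1xx.xx.xx.xx[500]
Feb 6 21:51:18 racoon: INFO: begin Aggressive mode.
Feb 6 21:51:28 racoon: [NAME BRANCH VPN]: NOTIFY: the packet is retransmitted by 1xx.xx.xx.xx[500] (1).
Feb 6 21:52:08 racoon: ERROR: phase1 negotiation failed due to time up. 585c756a76df580f:dd4d18b48e8db9fc
"""
# syslog prefix, optional "[peer name]: ", racoon severity, free-text message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
                     r"(?:\[(?P<peer>[^\]]+)\]: )?(?P<level>[A-Z]+): (?P<msg>.*)$")
# substrings of racoon messages that matter for phase 1 triage
SYMPTOMS = {
    "begin Aggressive mode": "aggressive",
    "HASH mismatched": "hash_mismatch",
    "No ID match": "no_id_match",
    "phase1 negotiation failed due to time up": "phase1_timeout",
}

def parse(log):
    # one dict per recognised racoon line; anything else is skipped
    return [m.groupdict() for m in map(LINE_RE.match, log.splitlines()) if m]

def symptoms(log):
    counts = {tag: 0 for tag in SYMPTOMS.values()}
    for ev in parse(log):
        for needle, tag in SYMPTOMS.items():
            if needle in ev["msg"]:
                counts[tag] += 1
    return counts

def diagnose(log):
    s = symptoms(log)
    if s["aggressive"] and s["hash_mismatch"]:
        # this side's computed phase 1 HASH differs from the peer's: with a PSK
        # that usually means the key or the identifiers differ between configs
        return "phase1_psk_or_identifier_mismatch"
    if s["phase1_timeout"]:
        # never got a usable reply; the rejection reason is in the peer's log
        return "phase1_timeout_check_peer_log"
    return "no_phase1_symptom"
```

Run against the real log files from both ends of one tunnel at the same time window, since the side that reports HASH mismatched is the one whose configuration to compare with the peer's first.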

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.