Netgate Discussion Forum
    pfSense<->pfSense IPsec tunnel only initiates phase 2 from one direction

    • Entropy

      If I ping from Site A -> Site B.  I won't get replies.  If I leave that running then go ping from B -> A then both directions will work until the timeout happens…Then I'll have to repeat this.  If I leave a ping running from A->B it'll more or less keep going.

      Below I've included log snippets from Status->IPSec.  Please give me some guidance on how to give you what is required.  It's almost like the IPSec requests from A->B are not making it to B... But there should be no filtering between them.  Both have static IPs directly on the Internet.

      Adding a ping to site B doesn't seem to help (pinging the internal private gateway on the other side).  By this I mean the 'ping' field in IPsec phase 2.  Not a ping from a remote host.

      Any advice would be appreciated.  If there's an easy way to shift to the release version of pfSense I'd be happy to do that, but I'd rather not reinstall.

      Site A:
      Version=2.0.2-RC2(i386)
      Jun 26 18:55:46 racoon: [Tunnel to Rover]: INFO: initiate new phase 2 negotiation: A[500]<=>B[500]
      Jun 26 18:56:16 racoon: ERROR: B give up to get IPsec-SA due to time up to wait.
      Jun 26 18:56:17 racoon: [Tunnel to Rover]: INFO: initiate new phase 2 negotiation: A[500]<=>B[500]
      Jun 26 18:56:47 racoon: ERROR: B give up to get IPsec-SA due to time up to wait.
      (repeated over and over)

      Site B:
      Version=2.0.1-RELEASE(amd64)
      (Note, IPs are replaced with "A" or "B")
      racoon: [Tunnel to ST]: INFO: phase2 sa expired B-A
      racoon: [Tunnel to ST]: INFO: phase2 sa deleted B-A

      (Traffic will not pass A->B.  If I initiate from B, as below then both directions work fine…. for a while)


      If instead I ping from B->A I get this:

      Site A:

      Jun 26 19:13:00 racoon: [Tunnel to Rover]: INFO: respond new phase 2 negotiation: A[500]<=>B[500]
      Jun 26 19:13:00 racoon: [Tunnel to Rover]: INFO: IPsec-SA established: ESP A[500]->B[500] spi=30618799(0x1d334af)
      Jun 26 19:13:00 racoon: [Tunnel to Rover]: INFO: IPsec-SA established: ESP A[500]->B[500] spi=151462627(0x90722e3)
      Jun 26 19:13:01 racoon: ERROR: B give up to get IPsec-SA due to time up to wait.

      Site B:
      Jun 26 19:13:00 racoon: [Tunnel to ST]: INFO: initiate new phase 2 negotiation: B[500]<=>A[500]
      Jun 26 19:13:00 racoon: [Tunnel to ST]: INFO: IPsec-SA established: ESP B[500]->A[500] spi=151462627(0x90722e3)
      Jun 26 19:13:00 racoon: [Tunnel to ST]: INFO: IPsec-SA established: ESP B[500]->A[500] spi=30618799(0x1d334af)

      (Also, traffic passes both ways successfully.)
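      As an added example (not part of the original thread), a small Python check over racoon log lines of the kind quoted above: it tallies phase 2 negotiations per role and peer, collects the SPIs of established SAs so the two sides can be compared, and flags the one-way pattern where everything this side initiates times out while negotiations the peer initiates succeed. The sample log is constructed from the lines in the post; the function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Site A lines quoted in the post (IPs anonymised as A/B).
SITE_A_LOG = """\
Jun 26 18:55:46 racoon: [Tunnel to Rover]: INFO: initiate new phase 2 negotiation: A[500]<=>B[500]
Jun 26 18:56:16 racoon: ERROR: B give up to get IPsec-SA due to time up to wait.
Jun 26 18:56:17 racoon: [Tunnel to Rover]: INFO: initiate new phase 2 negotiation: A[500]<=>B[500]
Jun 26 18:56:47 racoon: ERROR: B give up to get IPsec-SA due to time up to wait.
Jun 26 19:13:00 racoon: [Tunnel to Rover]: INFO: respond new phase 2 negotiation: A[500]<=>B[500]
Jun 26 19:13:00 racoon: [Tunnel to Rover]: INFO: IPsec-SA established: ESP A[500]->B[500] spi=30618799(0x1d334af)
Jun 26 19:13:00 racoon: [Tunnel to Rover]: INFO: IPsec-SA established: ESP A[500]->B[500] spi=151462627(0x90722e3)
"""

# racoon message shapes taken from the quoted log lines: local[port]<=>peer[port]
INIT_RE = re.compile(r"INFO: (initiate|respond) new phase 2 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
GIVEUP_RE = re.compile(r"ERROR: (\S+) give up to get IPsec-SA")
ESTAB_RE = re.compile(r"IPsec-SA established: ESP (\S+)\[\d+\]->(\S+)\[\d+\] spi=(\d+)")


def summarize_phase2(log_text):
    """Return ({(role, peer): {"timeout": n, "established": m}}, [spi, ...]).

    'role' is 'initiate' or 'respond' from this side's point of view; a 'give up'
    line is charged to the most recently started negotiation with that peer."""
    stats = defaultdict(lambda: {"timeout": 0, "established": 0})
    spis = []
    pending = None  # (role, peer) of the negotiation most recently started
    for line in log_text.splitlines():
        if m := INIT_RE.search(line):
            pending = (m.group(1), m.group(3))
        elif (m := GIVEUP_RE.search(line)) and pending and pending[1] == m.group(1):
            stats[pending]["timeout"] += 1
            pending = None
        elif (m := ESTAB_RE.search(line)) and pending:
            # racoon logs one 'established' line per direction, so keep 'pending'
            stats[pending]["established"] += 1
            spis.append(int(m.group(3)))
    return dict(stats), spis


def one_way_failure(stats):
    """True when every negotiation this side initiated timed out while at least one
    negotiation the peer initiated succeeded: the signature of the peer dropping
    our inbound IKE/ESP (e.g. a missing WAN rule on the far side)."""
    init = [v for (role, _), v in stats.items() if role == "initiate"]
    resp = [v for (role, _), v in stats.items() if role == "respond"]
    return (bool(init) and all(v["established"] == 0 and v["timeout"] > 0 for v in init)
            and any(v["established"] > 0 for v in resp))
```

      Running the same function over Site B's log and comparing the returned SPI lists confirms both sides agree on the established SAs, as the quoted logs do.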

      • Entropy

        Apparently side "B" needs some rules to allow IPSEC from "A".  However "A" needed no such rules (which is the part that confused me).  Adding A->(any WAN) seems to have resolved the problem.
