  • I have two sites (Site1 & Site2) connected via an IPsec tunnel. The tunnel has been up and running for over 3 years without any major issue. Last weekend, one of the sites (Site1) changed the ISP and consequently got a new WAN IP address. The new WAN IP was configured in pfSense, and any and all references to the old IP address have been updated (e.g. NAT, rules, etc. etc.) correctly. Everything is back to normal except the IPsec tunnel is now broken.

    This is what I see in the IPSec log at Site2. Clearly, Site2 thinks Site1 is not responding.

    Nov 27 22:13:14 racoon: INFO: begin Identity Protection mode.
    Nov 27 22:13:14 racoon: [Site2]: INFO: initiate new phase 1 negotiation: xx.xx.xx.xx[500]<=>yy.yy.yy.yy[500]
    Nov 27 22:13:14 racoon: [Site2]: INFO: IPsec-SA request for yy.yy.yy.yy queued due to no phase1 found.
    Nov 27 22:13:10 racoon: INFO: delete phase 2 handler.
    Nov 27 22:13:10 racoon: [Site2]: [yy.yy.yy.yy] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP yy.yy.yy.yy[0]->xx.xx.xx.xx[0]

    Interestingly, I don't see the same error at Site1 so I'm assuming Site1 has no problem "seeing" Site2.

    Since Site1's WAN IP address was recently changed, it kind of makes sense that Site2 is unable to connect to Site1. What does not make sense is that when I roll back to the original IP address, the tunnel works again. So I don't think this is due to my misconfiguring something in pfSense.

    Although unnecessary, I even added rules to pfSense at Site1 to open TCP 51 and UDP 500, and that didn't fix the issue. Something tells me the issue is due to something upstream from Site1 – perhaps the new ISP (Comcast). I Googled to see if Comcast is blocking TCP 51 or UDP 500, but not according to this page -

    I'm at my wit's end with this problem. Can anyone tell me what else I should check? If it's likely caused by something upstream from Site1 (i.e. Comcast), how would I even prove to them that it's upstream from my office? Having dealt with Comcast for many, many years, I am not expecting a swift resolution from them unless I present solid evidence proving my innocence (so to speak). :)


  • Packet capture on WAN on both sides, filtering on port 500. You probably don't have connectivity in one direction for some reason; for example, if it's a Comcast business cable modem, those usually enable firewalls within the modem by default that would block IPsec inbound from the Internet.
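    Following the capture advice above, here is an added example (not part of the thread, and not pfSense's own tooling) that classifies IKE traffic direction in a tcpdump capture taken on each WAN, so the two captures can be compared to show where the packets stop. It assumes tcpdump's -n output format; the interface name em0 and the addresses are placeholders, and the sample capture lines are constructed.

```shell
#!/bin/sh
# Added example: classify IKE (UDP 500/4500) direction in a WAN capture.
# Run this on the WAN interface of each pfSense box (em0 and PEER_IP are
# placeholders; -n keeps ports numeric, which the parser below relies on):
#   tcpdump -ni em0 -l 'host PEER_IP and (udp port 500 or udp port 4500 or esp or ah)'
#
# Constructed sample captures: 198.51.100.20 stands in for Site2's WAN and
# 203.0.113.10 for Site1's new WAN (documentation addresses, not real hosts).
SITE2_CAPTURE='22:13:14.000001 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 I ident
22:13:24.000002 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 I ident
22:13:34.000003 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 I ident'
# At Site1 only a ping to the peer shows up; no IKE from Site2 ever arrives.
SITE1_CAPTURE='22:13:15.000001 IP 203.0.113.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64'

# ike_verdict LOCAL_IP PEER_IP < capture-text
# Counts IKE packets per direction between the two WAN addresses and prints
# one verdict line: outbound-only, inbound-only, silent or bidirectional.
ike_verdict() {
    local_ip="$1"; peer_ip="$2"; sent=0; recv=0
    while IFS= read -r line; do
        case "$line" in
            *"IP $peer_ip.500 > $local_ip.500:"*|*"IP $peer_ip.4500 > $local_ip.4500:"*)
                recv=$((recv + 1)) ;;
            *"IP $local_ip.500 > $peer_ip.500:"*|*"IP $local_ip.4500 > $peer_ip.4500:"*)
                sent=$((sent + 1)) ;;
        esac
    done
    if [ "$sent" -gt 0 ] && [ "$recv" -eq 0 ]; then verdict="outbound-only"
    elif [ "$sent" -eq 0 ] && [ "$recv" -gt 0 ]; then verdict="inbound-only"
    elif [ "$sent" -eq 0 ]; then verdict="silent"
    else verdict="bidirectional"; fi
    echo "$verdict sent=$sent recv=$recv"
}

# Read the two verdicts together: "outbound-only" at Site2 plus "silent" at
# Site1 means Site2's IKE leaves its WAN but never reaches Site1's WAN, so the
# drop is between the two edges (the evidence to hand the ISP). "bidirectional"
# on both sides with the tunnel still down points back at configuration instead.
printf '%s\n' "$SITE2_CAPTURE" | ike_verdict 198.51.100.20 203.0.113.10
printf '%s\n' "$SITE1_CAPTURE" | ike_verdict 203.0.113.10 198.51.100.20
```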

