• Error when using OPTX interface:

    Jul 10 09:08:50 racoon: ERROR: phase1 negotiation failed due to time up.
    Jul 10 09:08:46 racoon: NOTIFY: the packet is retransmitted by REMOTE GATEWAY[500].
    Jul 10 09:08:41 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Jul 10 09:08:41 racoon: WARNING: SPI size isn't zero, but IKE proposal.
    Jul 10 09:08:41 racoon: WARNING: No ID match.
    Jul 10 09:08:41 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Jul 10 09:08:41 racoon: INFO: begin Aggressive mode.
    Jul 10 09:08:41 racoon: INFO: respond new phase 1 negotiation: OPTX[500]<=>REMOTE GATEWAY[500]

    Does anyone know how to resolve the "the packet is retransmitted by…" problem, or the configuration steps to enable IPSEC traffic on OPTX interfaces?

    A simple question: is IPSEC on OPTX interfaces supported by pfSense?

  • Is IPSEC on OPTX interfaces supported on 1.2b2?

  • Yes, but it requires a static route.

  • Could you detail, with an example, the procedure to create this route correctly so that IPSEC works on an OPTX interface?

    Is it not possible to apply the same procedure that automatically creates the routes on the WAN interface?

    In version 1.2b1 the IPSEC tunnels on OPTX worked correctly up to a certain point, and when they went down, physically restarting the router (power down/up) in many cases got the tunnels up and running again (automatically recreating routes?).

    I am interested in making IPSEC work on OPTX interfaces, since my configuration would require tunnels on WAN, OPT1 and OPT2, with about 25 tunnels on each. Would it be technically feasible to achieve this with pfSense?


  • Can somebody explain how to create the routes necessary to make IPSEC work on OPTX in 1.2b2?


  • I still need help on how to create the routes necessary to make IPSEC work on OPTX interfaces….

  • I used something like this:
    interface: OPT1
    Network: (remote endpoint of ipsec tunnel/32)
    Gateway: (gateway of OPT1 interface)

  • Some questions:

    Network: (remote endpoint of ipsec tunnel/32): is that the public IP of the remote gateway?
    Must I add these routes in the SYSTEM>STATIC ROUTES section of the webConfigurator?


  • Yes, the 'destination network' under system, static routes is the same IP you entered for 'remote gateway' on the IPSec tunnel.

  • Yes, seems to work.
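
The route rule from this thread (one /32 static route per remote gateway, pointing at the gateway of the OPT interface the tunnel uses), worked through for several tunnels at once. This is an added example, not code from the thread or from pfSense: the function name, the addresses (documentation ranges) and the assumption that WAN tunnels follow the default route and need no entry are all constructed for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not values from the thread.
OPT_GATEWAYS = {"OPT1": "198.51.100.1", "OPT2": "203.0.113.1"}
TUNNELS = [
    ("WAN", "192.0.2.10"),
    ("OPT1", "192.0.2.20"),
    ("OPT1", "192.0.2.20"),  # second tunnel to the same peer: one route is enough
    ("OPT2", "192.0.2.30"),
    ("OPT2", "192.0.2.20"),  # peer already routed via OPT1: conflicting host route
]

def plan_static_routes(tunnels, opt_gateways):
    """Return (routes, problems) for tunnels given as (interface, remote_gateway)."""
    routes, problems, owner = [], [], {}
    for iface, remote in tunnels:
        if iface == "WAN":
            continue  # assumption: WAN tunnels follow the default route
        try:
            peer = ipaddress.ip_address(remote)
        except ValueError:
            problems.append(f"{iface}: remote gateway {remote!r} is not an IP address")
            continue
        if iface not in opt_gateways:
            problems.append(f"{iface}: no gateway known for this interface")
            continue
        if peer in owner:
            # A host route can point at only one gateway, so the same peer
            # cannot be reached through two different OPT interfaces.
            if owner[peer] != iface:
                problems.append(f"{peer}: already routed via {owner[peer]}, cannot also use {iface}")
            continue
        owner[peer] = iface
        routes.append({
            "interface": iface,
            "network": f"{peer}/{peer.max_prefixlen}",  # /32 for an IPv4 peer
            "gateway": opt_gateways[iface],
        })
    return routes, problems

if __name__ == "__main__":
    planned, issues = plan_static_routes(TUNNELS, OPT_GATEWAYS)
    for r in planned:
        print(f"Interface: {r['interface']}  Network: {r['network']}  Gateway: {r['gateway']}")
    for issue in issues:
        print("PROBLEM:", issue)
```

Each printed route line corresponds to one entry under System > Static Routes; a reported problem means the tunnel list itself needs fixing before routes are added.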