IPSEC tunnel stopped establishing, works fine on different connection

  • Hello,

    I have had an IPSec tunnel working fine for years, but it went down a week ago. I switched it to a backup cable modem internet connection and it came up OK on that. The ISP examined our T1 circuit and said there were no errors or any known network issues. When I attempted to bring the tunnel back up on the T1 it still wouldn't come up, complaining that the Phase 1s didn't match (even though the same config matched perfectly on the cable connection). Here is a sample of errors logged (bottom to top):

    
    Feb 20 12:23:38	racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
    Feb 20 12:23:16	racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
    Feb 20 12:23:06	racoon: [Tunnel]: [re.mo.te.addr] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Feb 20 12:23:06	racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
    Feb 20 12:23:04	racoon: INFO: delete phase 2 handler.
    Feb 20 12:23:04	racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
    Feb 20 12:22:56	racoon: [Tunnel]: [re.mo.te.addr] INFO: Selected NAT-T version: RFC 3947
    Feb 20 12:22:56	racoon: INFO: received Vendor ID: DPD
    Feb 20 12:22:56	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 20 12:22:56	racoon: INFO: received Vendor ID: RFC 3947
    Feb 20 12:22:56	racoon: INFO: begin Identity Protection mode.
    Feb 20 12:22:56	racoon: [Tunnel]: INFO: respond new phase 1 negotiation: my.t1.ip.addr[500]<=>re.mo.te.addr[500]
    
    Tunnel settings are the same on both sides:

    
    Phase 1 IKE Proposal:
    Authentication: SHA1 
    Mutual PSK
    Main mode
    Encryption: AES-128 
    Group 2
    Time Lifetime: 28800
    DPD (Dead peer detection) enabled, 10 seconds
    NAT Traversal: Enabled
    
    Phase 2 SA:
    Authentication: SHA1
    Encryption: AES-128
    Group 2
    Perfect Forward Secrecy (PFS): Disabled
    Time Lifetime: 3600
    
    

    My side is running pfSense 2.01, remote side running pfSense 2.0.3.

    I could try abandoning IPSec and switching to OpenVPN, but something seems funny here?
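The log excerpt in the post shows racoon answering a new phase 1 ("respond new phase 1 negotiation"), then logging "the packet is retransmitted by re.mo.te.addr[500]", which racoon emits when the peer sends the same IKE packet again, i.e. the peer never saw the reply. That pattern points at the path between the two endpoints rather than at the proposals, which is consistent with the same configuration working over the cable connection. The script below is an added triage example, not code from the post or from pfSense: it parses racoon log lines, counts the phase 1 markers, and returns a verdict. The "ISAKMP-SA established" and "no suitable proposal found" patterns are assumed from racoon's normal output and do not appear in the post; the sample log is the post's own lines put back in chronological order.

```python
import re
from collections import Counter

# Constructed sample input: the racoon lines quoted in the post above, put back
# into chronological order (the post lists them newest first).
SAMPLE_LOG = """\
Feb 20 12:22:56\tracoon: [Tunnel]: INFO: respond new phase 1 negotiation: my.t1.ip.addr[500]<=>re.mo.te.addr[500]
Feb 20 12:22:56\tracoon: INFO: begin Identity Protection mode.
Feb 20 12:22:56\tracoon: INFO: received Vendor ID: RFC 3947
Feb 20 12:22:56\tracoon: INFO: received Vendor ID: DPD
Feb 20 12:22:56\tracoon: [Tunnel]: [re.mo.te.addr] INFO: Selected NAT-T version: RFC 3947
Feb 20 12:23:04\tracoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
Feb 20 12:23:04\tracoon: INFO: delete phase 2 handler.
Feb 20 12:23:06\tracoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:06\tracoon: [Tunnel]: [re.mo.te.addr] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 20 12:23:16\tracoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:38\tracoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
"""

# Syslog-style timestamp, the literal "racoon:", then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+racoon: (?P<msg>.*)$"
)

# Message patterns. The retransmit, "no phase1 found" and "time up waiting for
# phase1" strings come from the post; "ISAKMP-SA established" and "no suitable
# proposal found" are assumed from racoon's normal output (not in the post).
PATTERNS = {
    "phase1_start": re.compile(r"(respond|initiate) new phase 1 negotiation"),
    "phase1_established": re.compile(r"ISAKMP-SA established"),
    "proposal_mismatch": re.compile(r"no suitable proposal found"),
    "peer_retransmit": re.compile(
        r"the packet is retransmitted by (?P<peer>[^\s\[]+)\[\d+\]"
    ),
    "waiting_for_phase1": re.compile(r"queued due to no phase1 found"),
    "phase1_timeout": re.compile(r"time up waiting for phase1"),
}

HINTS = {
    "phase1_ok": "Phase 1 completed; if the tunnel still fails, compare the phase 2 proposals.",
    "proposal_mismatch": "The peer rejected our phase 1 proposal; compare IKE settings on both ends.",
    "phase1_reply_lost": "Phase 1 started but the peer keeps resending its packet, so our replies "
                         "are not reaching it; check the path (UDP 500/4500, fragmentation), not the proposal.",
    "phase1_no_response": "Phase 2 was requested but no phase 1 exchange with the peer was seen.",
    "inconclusive": "No phase 1 markers found in these lines.",
}


def parse_line(line):
    """Return (timestamp, message) for a racoon log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("msg")


def classify(lines):
    """Count how many lines match each pattern and collect peers that retransmitted."""
    counts = Counter()
    peers = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, msg = parsed
        for name, rx in PATTERNS.items():
            m = rx.search(msg)
            if m:
                counts[name] += 1
                if name == "peer_retransmit":
                    peers.add(m.group("peer"))
    return counts, peers


def diagnose(lines):
    """Reduce the counts to a single verdict; order matters (first match wins)."""
    counts, peers = classify(lines)
    if counts["phase1_established"]:
        verdict = "phase1_ok"
    elif counts["proposal_mismatch"]:
        verdict = "proposal_mismatch"
    elif counts["phase1_start"] and counts["peer_retransmit"]:
        verdict = "phase1_reply_lost"
    elif counts["phase1_timeout"] or counts["waiting_for_phase1"]:
        verdict = "phase1_no_response"
    else:
        verdict = "inconclusive"
    return {
        "verdict": verdict,
        "hint": HINTS[verdict],
        "counts": dict(counts),
        "retransmitting_peers": sorted(peers),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG.splitlines())
    print(result["verdict"], "-", result["hint"])
    print("counts:", result["counts"])
    print("retransmitting peers:", result["retransmitting_peers"])
```

Run it against the post's lines and it reports `phase1_reply_lost`. Feeding it a capture taken over the working cable connection should instead reach `phase1_ok` on "ISAKMP-SA established", which is the quickest way to confirm that the difference is the path and not the configuration.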

  • I upgraded my side to version 2.1.0 and it is connecting fine now.