    IPSEC tunnel stopped establishing, works fine on different connection

ttblum

      Hello,

I have had an IPSec tunnel working fine for years, but it went down a week ago. I switched it to a backup cable modem internet connection and it came up OK on that. The ISP examined our T1 circuit and said there were no errors or any known network issues. When I attempted to bring the tunnel back up on the T1 it still wouldn't come up, complaining that the Phase 1s didn't match (even though the same config matched perfectly on the cable connection). Here is a sample of errors logged (bottom to top):

      Feb 20 12:23:38	racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
      Feb 20 12:23:16	racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
      Feb 20 12:23:06	racoon: [Tunnel]: [re.mo.te.addr] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Feb 20 12:23:06	racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
      Feb 20 12:23:04	racoon: INFO: delete phase 2 handler.
      Feb 20 12:23:04	racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
      Feb 20 12:22:56	racoon: [Tunnel]: [re.mo.te.addr] INFO: Selected NAT-T version: RFC 3947
      Feb 20 12:22:56	racoon: INFO: received Vendor ID: DPD
      Feb 20 12:22:56	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Feb 20 12:22:56	racoon: INFO: received Vendor ID: RFC 3947
      Feb 20 12:22:56	racoon: INFO: begin Identity Protection mode.
      Feb 20 12:22:56	racoon: [Tunnel]: INFO: respond new phase 1 negotiation: my.t1.ip.addr[500]<=>re.mo.te.addr[500]

      Tunnel settings are the same on both sides:

      Phase 1 IKE Proposal:
      Authentication: SHA1 
      Mutual PSK
      Main mode
      Encryption: AES-128 
      Group 2
      Time Lifetime: 28800
      DPD (Dead peer detection) enabled, 10 seconds
      NAT Traversal: Enabled
      
      Phase 2 SA:
      Authentication: SHA1
      Encryption: AES-128
      Group 2
      Perfect Forward Secrecy (PFS): Disabled
      Time Lifetime: 3600

      My side is running pfSense 2.01, remote side running pfSense 2.0.3.

      I could try abandoning IPSec and switching to OpenVPN, but something seems funny here?

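The log above shows racoon responding to a phase 1 negotiation and then timing out while the peer retransmits, rather than rejecting a proposal. As an added example (not from the post or from pfSense), the script below scans racoon log lines per peer and flags that stalled-phase-1 pattern, separating it from a proposal mismatch; the sample lines are constructed with documentation-range addresses, and the "ISAKMP-SA established" and "no suitable proposal found" messages are assumed to be racoon's normal success and mismatch wording.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the racoon lines in the post
# (192.0.2.x / 198.51.100.x are documentation addresses, not real peers).
SAMPLE_LOG = """\
Feb 20 12:22:56\tracoon: [Tunnel]: INFO: respond new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Feb 20 12:23:04\tracoon: [Tunnel]: [198.51.100.20] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 198.51.100.20[0]->192.0.2.10[0]
Feb 20 12:23:06\tracoon: NOTIFY: the packet is retransmitted by 198.51.100.20[500] (1).
Feb 20 12:23:16\tracoon: NOTIFY: the packet is retransmitted by 198.51.100.20[500] (1).
Feb 20 12:23:38\tracoon: [Tunnel]: [198.51.100.20] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 198.51.100.20[0]->192.0.2.10[0]
"""

# Lifecycle messages, each capturing the remote peer address as group 1.
PATTERNS = {
    "p1_started": re.compile(r"phase 1 negotiation: \S+\[\d+\]<=>(\S+)\[\d+\]"),
    "p1_established": re.compile(r"ISAKMP-SA established \S+\[\d+\]-(\S+)\[\d+\]"),
    "retransmits": re.compile(r"packet is retransmitted by (\S+)\[\d+\]"),
    "p2_timeouts": re.compile(r"\[(\S+)\] ERROR: phase2 negotiation failed due to time up waiting for phase1"),
}
# A proposal mismatch is logged without a peer address (assumed racoon wording).
MISMATCH = re.compile(r"no suitable proposal found")

def triage(log_text):
    """Count phase-1 lifecycle messages per peer and flag a stalled exchange:
    phase 1 began, no ISAKMP-SA followed, and the peer kept retransmitting
    or phase 2 timed out waiting for it. A stall with no mismatch message
    points at the path between the endpoints rather than the proposals."""
    stats = defaultdict(lambda: {k: 0 for k in PATTERNS})
    mismatches = 0
    for line in log_text.splitlines():
        if MISMATCH.search(line):
            mismatches += 1
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                stats[m.group(1)][key] += 1
    report = {}
    for peer, s in stats.items():
        s["phase1_stalled"] = (s["p1_started"] > 0 and s["p1_established"] == 0
                               and (s["retransmits"] > 0 or s["p2_timeouts"] > 0))
        s["proposal_mismatch_seen"] = mismatches > 0
        report[peer] = s
    return report

if __name__ == "__main__":
    for peer, s in triage(SAMPLE_LOG).items():
        print(peer, s)
```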
ttblum

        I upgraded my side to version 2.1.0 and it is connecting fine now.
