1. Home
  2. pfSense® Software
  3. IPsec
  4. IPSEC tunnel stopped establishing, works fine on different connection

IPSEC tunnel stopped establishing, works fine on different connection

  • T

    Hello,

    I have had an IPSec tunnel working fine for years, but it went down a week ago.  I switched it to a backup cable modem internet connection and it came up OK on that.  The ISP examined our T1 circuit and said there no errors or any known network issues.  When I attempted to bring the tunnel back up on the T1 it still wouldn't come up, complaining that the Phase1's didn't match (even though the same config matched perfectly on the cable connection).  Here is a sample of errors logged (bottom to top):

    
Feb 20 12:23:38	racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
Feb 20 12:23:16	racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:06	racoon: [Tunnel]: [re.mo.te.addr] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 20 12:23:06	racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:04	racoon: INFO: delete phase 2 handler.
Feb 20 12:23:04	racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
Feb 20 12:22:56	racoon: [Tunnel]: [re.mo.te.addr] INFO: Selected NAT-T version: RFC 3947
Feb 20 12:22:56	racoon: INFO: received Vendor ID: DPD
Feb 20 12:22:56	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 20 12:22:56	racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 20 12:22:56	racoon: INFO: received Vendor ID: RFC 3947
Feb 20 12:22:56	racoon: INFO: begin Identity Protection mode.
Feb 20 12:22:56	racoon: [Tunnel]: INFO: respond new phase 1 negotiation: my.t1.ip.addr[500]<=>re.mo.te.addr[500]

    Tunnel settings are the same on both sides:

    
Phase 1 IKE Proposal:
Authentication: SHA1 
Mutual PSK
Main mode
Encryption: AES-128 
Group 2
Time Lifetime: 28800
DPD (Dead peer detection) enabled, 10 seconds
NAT Traversal: Enabled

Phase 2 SA:
Authentication: SHA1
Encryption: AES-128
Group 2
Perfect Forward Secrecy (PFS): Disabled
Time Lifetime: 3600

    My side is running pfSense 2.01, remote side running pfSense 2.0.3.

    I could try abandoning IPSec and switching to OpenVPN, but something seems funny here?

    0
  • T

    I upgraded my side to version 2.1.0 and it is connecting fine now.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy