IPSEC tunnel stopped establishing, works fine on different connection
-
Hello,
I have had an IPsec tunnel working fine for years, but it went down a week ago. I switched it to a backup cable modem internet connection and it came up OK on that. The ISP examined our T1 circuit and said there were no errors or any known network issues. When I attempted to bring the tunnel back up on the T1 it still wouldn't come up, complaining that the Phase 1s didn't match (even though the same config matched perfectly on the cable connection). Here is a sample of errors logged (bottom to top):
Feb 20 12:23:38 racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
Feb 20 12:23:16 racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:06 racoon: [Tunnel]: [re.mo.te.addr] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 20 12:23:06 racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:04 racoon: INFO: delete phase 2 handler.
Feb 20 12:23:04 racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
Feb 20 12:22:56 racoon: [Tunnel]: [re.mo.te.addr] INFO: Selected NAT-T version: RFC 3947
Feb 20 12:22:56 racoon: INFO: received Vendor ID: DPD
Feb 20 12:22:56 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Feb 20 12:22:56 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Feb 20 12:22:56 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 20 12:22:56 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Feb 20 12:22:56 racoon: INFO: received Vendor ID: RFC 3947
Feb 20 12:22:56 racoon: INFO: begin Identity Protection mode.
Feb 20 12:22:56 racoon: [Tunnel]: INFO: respond new phase 1 negotiation: my.t1.ip.addr[500]<=>re.mo.te.addr[500]
Tunnel settings are the same on both sides:
Phase 1 IKE Proposal:
  Authentication: SHA1, Mutual PSK, Main mode
  Encryption: AES-128
  DH Group: 2
  Time Lifetime: 28800
  DPD (Dead peer detection): enabled, 10 seconds
  NAT Traversal: Enabled
Phase 2 SA:
  Authentication: SHA1
  Encryption: AES-128
  DH Group: 2
  Perfect Forward Secrecy (PFS): Disabled
  Time Lifetime: 3600
My side is running pfSense 2.01, remote side running pfSense 2.0.3.
I could try abandoning IPSec and switching to OpenVPN, but something seems funny here?
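The log excerpt in the post tells a specific story once the lines are read oldest-first: racoon answers the peer's main mode proposal ("respond new phase 1 negotiation"), NAT-T and vendor IDs are exchanged, and then nothing further arrives for phase 1, so every phase 2 request is queued and eventually times out. The script below is an added example, not code from the post or from pfSense or racoon: it parses racoon log lines into per-peer state and classifies whether phase 1 was ever completed. It assumes racoon's standard "ISAKMP-SA established" message marks phase 1 success (that message does not appear in the posted excerpt, which is the point). The sample log is constructed from the post's lines, reordered oldest-first, with the post's placeholder addresses.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the post but ordered
# oldest-first (the post lists them newest-first). Addresses are the post's
# placeholders; nothing here is a live capture.
SAMPLE_LOG = """\
Feb 20 12:22:56 racoon: [Tunnel]: INFO: respond new phase 1 negotiation: my.t1.ip.addr[500]<=>re.mo.te.addr[500]
Feb 20 12:22:56 racoon: INFO: begin Identity Protection mode.
Feb 20 12:22:56 racoon: INFO: received Vendor ID: RFC 3947
Feb 20 12:22:56 racoon: INFO: received Vendor ID: DPD
Feb 20 12:22:56 racoon: [Tunnel]: [re.mo.te.addr] INFO: Selected NAT-T version: RFC 3947
Feb 20 12:23:04 racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
Feb 20 12:23:04 racoon: INFO: delete phase 2 handler.
Feb 20 12:23:06 racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:06 racoon: [Tunnel]: [re.mo.te.addr] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 20 12:23:16 racoon: NOTIFY: the packet is retransmitted by re.mo.te.addr[500] (1).
Feb 20 12:23:38 racoon: [Tunnel]: [re.mo.te.addr] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP re.mo.te.addr[0]->208.40.76.203[0]
"""

# syslog-style prefix: "Feb 20 12:22:56 racoon: <message>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<msg>.*)$")
# Responder side of main mode starting: "respond new phase 1 negotiation: local[500]<=>peer[500]"
P1_START = re.compile(r"respond new phase 1 negotiation: \S+\[\d+\]<=>(?P<peer>\S+)\[\d+\]")
# Assumed success marker: racoon logs "ISAKMP-SA established local[500]-peer[500] ..." when
# phase 1 completes. It is absent from the post's excerpt.
P1_DONE = re.compile(r"ISAKMP-SA established \S+\[\d+\]-(?P<peer>\S+)\[\d+\]")
P2_TIMEOUT = re.compile(r"\[(?P<peer>[^\]]+)\] ERROR: phase2 negotiation failed due to time up waiting for phase1")
P2_QUEUED = re.compile(r"\[(?P<peer>[^\]]+)\] INFO: request for establishing IPsec-SA was queued due to no phase1 found")
RETRANSMIT = re.compile(r"the packet is retransmitted by (?P<peer>\S+)\[\d+\]")


def _new_peer():
    return {"phase1_started": None, "phase1_established": None,
            "phase2_timeouts": 0, "phase2_queued": 0, "retransmits": 0,
            "last_event": None}


def summarize(log_text):
    """Reconstruct per-peer IKE state from racoon log lines (any order)."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year is irrelevant for deltas
        msg = m.group("msg")
        # Timestamped milestones: keep the earliest occurrence of each.
        for pat, field in ((P1_START, "phase1_started"), (P1_DONE, "phase1_established")):
            hit = pat.search(msg)
            if hit:
                st = peers.setdefault(hit.group("peer"), _new_peer())
                if st[field] is None or ts < st[field]:
                    st[field] = ts
                if st["last_event"] is None or ts > st["last_event"]:
                    st["last_event"] = ts
        # Counted symptoms.
        for pat, field in ((P2_TIMEOUT, "phase2_timeouts"), (P2_QUEUED, "phase2_queued"),
                           (RETRANSMIT, "retransmits")):
            hit = pat.search(msg)
            if hit:
                st = peers.setdefault(hit.group("peer"), _new_peer())
                st[field] += 1
                if st["last_event"] is None or ts > st["last_event"]:
                    st["last_event"] = ts
    return peers


def diagnose(st):
    """Classify one peer. Returns (verdict, seconds spent waiting on phase 1)."""
    if st["phase1_started"] is None and st["phase1_established"] is None:
        return "no-phase1-attempt", None
    if st["phase1_established"] is None:
        # We answered the peer's first main mode message but the exchange never
        # completed; phase 2 cannot proceed without an ISAKMP SA.
        waited = (st["last_event"] - st["phase1_started"]).total_seconds()
        return "phase1-incomplete", waited
    if st["phase2_timeouts"] or st["phase2_queued"]:
        return "phase1-ok-phase2-failing", 0.0
    return "ok", 0.0


if __name__ == "__main__":
    for peer, st in summarize(SAMPLE_LOG).items():
        verdict, waited = diagnose(st)
        print(f"{peer}: {verdict} (retransmits={st['retransmits']}, "
              f"phase2 timeouts={st['phase2_timeouts']}, waited={waited}s)")
```

On the post's excerpt this reports the remote peer as phase1-incomplete after 42 seconds, with two retransmits and two phase 2 timeouts: the failure is in the main mode exchange itself, not in the phase 2 proposal, which is why the "Phase 1 didn't match" message is misleading when the same config works over the cable link. A "phase1-ok-phase2-failing" verdict would instead point at the phase 2 settings.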
-
I upgraded my side to version 2.1.0 and it is connecting fine now.