2/3 ipsec tunnels coming up



  • Hello all,

    I have a unique pfSense box on one of my sites. It is unique in the fact that it requires 5 NICs for the networks there. It only uses 3 IPsec tunnels, which is the same on all my sites, but I have noticed some issues.

    Namely that some of the time only 2 out of 3 tunnels come up. Sometimes all 3 come up, sometimes only 2. Fortunately the Main LAN always comes up, so users are not affected.

    So I am trying to build a replacement box to test (as well as a backup in case the live one goes down), but when I boot the box up, Phase 1 comes up fine. Then the main LAN IPsec tunnel comes up. But for some reason it takes a very long time for that 2nd one to come up.

    The original box was built by my predecessor and he left no documentation as to how he built this box.

    This replacement box is using a clone of the IPsec setup on my main firewall, but just with a different site id (192.168.Siteid.3).
    I initially tried just loading the backup of the config from the live box, then changing all the settings. I have also tried building the box and replicating all the necessary settings myself. I can't seem to get past this.

    Any suggestions would be greatly appreciated.



  • In the live site the configuration for the tunnel is as follows.

    ESP, 3DES and SHA1.

    I have tried my "new" box in a variety of configurations. I have tried with AH and SHA1 Authentication. I have also tried ESP with 3DES, AES, SHA1, MD5 and every SHA variety in between.

    What I still find strange about even the current "working" box, but also this new one, is that the IPsec tunnels do not all come up at the same time. One comes up, then you wait for 10-15 minutes and then another comes up. And in the case of the live one, I had to leave it overnight for the 3rd tunnel to come up.

    I don't get how Phase 1 can come up and then only 1 out of 3 comes up within a few minutes. Then you have to wait so long for the rest when they all have the same configuration.

    Can anyone PLEASE help me understand this!!!



  • Well, I am not exactly sure how, but I managed to get all 3 tunnels up and running. I was doing a few different things: clearing out SADs, deleting some SPDs, checking the SPIs were matching with my connecting firewall and the like.

    So I am not sure what it was I did that made the tunnels come up, but they seem to be up in my test environment at least.

    I would still like to understand why the tunnels take so long to come up sometimes if someone could help with that.
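The last post mentions clearing SADs, deleting SPDs and comparing SPIs with the peer firewall. The following is an added example, not code from this thread or from pfSense, showing how a defender can read a kernel SAD dump and tell for each expected peer whether phase 2 is really complete. It assumes the dump follows the `setkey -D` text format (an unindented "src dst" header per SA followed by indented attribute lines); the addresses, SPIs and states in `SAMPLE_SAD` are constructed. The point it makes beyond the thread: a tunnel only carries traffic when a *mature* SA exists in both directions, so a peer with an outbound SA but an inbound SA still in `larval` state looks "up" in a quick glance at the SAD but is not.

```python
"""Health check for IPsec phase 2 SAs from a setkey -D style dump.

Added example for this thread, not code from the forum or from pfSense.
Assumptions: the dump follows the `setkey -D` text format; all addresses,
SPIs and states below are constructed sample data.
"""
import re

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")
SPI_LINE = re.compile(r"^\s+(esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-fA-F]+\)")
STATE_RE = re.compile(r"\bstate=(\w+)")

# Constructed dump: local gateway 192.168.1.3 with three expected peers.
# Lines the checker does not use (keys, counters, timestamps) are left out.
SAMPLE_SAD = """\
192.168.1.3 192.168.10.3
    esp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
    E: 3des-cbc  0123456789abcdef0123456789abcdef0123456789abcdef
    A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.10.3 192.168.1.3
    esp mode=tunnel spi=2271560481(0x87654321) reqid=16386(0x00004002)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.1.3 192.168.20.3
    esp mode=tunnel spi=286331153(0x11111111) reqid=16387(0x00004003)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.20.3 192.168.1.3
    esp mode=tunnel spi=572662306(0x22222222) reqid=16388(0x00004004)
    seq=0x00000000 replay=4 flags=0x00000000 state=larval
"""
LOCAL_IP = "192.168.1.3"
EXPECTED_PEERS = ["192.168.10.3", "192.168.20.3", "192.168.30.3"]


def parse_sad(text):
    """Return one dict per SA: src, dst, proto, mode, spi (int), state."""
    sas, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # "src dst" header starts a new SA
            m = SA_HEADER.match(line)
            current = None
            if m:
                current = {"src": m.group(1), "dst": m.group(2), "proto": None,
                           "mode": None, "spi": None, "state": None}
                sas.append(current)
            continue
        if current is None:
            continue
        m = SPI_LINE.match(line)
        if m:
            current["proto"], current["mode"] = m.group(1), m.group(2)
            current["spi"] = int(m.group(3))
        m = STATE_RE.search(line)
        if m:
            current["state"] = m.group(1)
    return sas


def tunnel_status(sas, local_ip, expected_peers):
    """Classify each expected peer as up, half-open or down.

    A tunnel carries traffic only when a mature SA exists in both
    directions; one direction alone, or an SA still in larval state,
    means phase 2 has not completed on one side.
    """
    report = {}
    for peer in expected_peers:
        out_sas = [s for s in sas if s["src"] == local_ip and s["dst"] == peer]
        in_sas = [s for s in sas if s["src"] == peer and s["dst"] == local_ip]
        out_ok = [s["spi"] for s in out_sas if s["state"] == "mature"]
        in_ok = [s["spi"] for s in in_sas if s["state"] == "mature"]
        if out_ok and in_ok:
            status = "up"
        elif out_sas or in_sas:
            status = "half-open"
        else:
            status = "down"
        # SPIs are reported so they can be compared against the peer's own dump:
        # the local outbound SPI must appear as the peer's inbound SPI.
        report[peer] = {"status": status, "out_spis": out_ok, "in_spis": in_ok,
                        "pending": [s["state"] for s in out_sas + in_sas
                                    if s["state"] != "mature"]}
    return report


if __name__ == "__main__":
    for peer, info in tunnel_status(parse_sad(SAMPLE_SAD), LOCAL_IP, EXPECTED_PEERS).items():
        print(f"{peer}: {info['status']}  out={info['out_spis']} "
              f"in={info['in_spis']} pending={info['pending']}")
```

To use it against a real box, replace `SAMPLE_SAD` with the output of `setkey -D` from the pfSense shell and set `LOCAL_IP` and `EXPECTED_PEERS` to your own gateway and peer addresses. Running the same script on the remote firewall and comparing the reported SPIs in both directions is the mechanical version of the "checked the SPIs were matching" step from the post.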

