Netgate Discussion Forum
    IPSEC tunnel only comes up from remote side

    2 Posts 2 Posters 1.3k Views
    mbnextworth

      I've been trying to get a site-to-site IPSEC tunnel working between my Sophos UTM firewall and a pfSense VM and have spent way too much time chasing this already. This is my last-ditch effort at getting this working.

      Local LAN:
        192.168.2.0/24
      Remote LAN:
        10.10.0.0/16
      (no NAT used)

      Phase 1 seems to connect without issues, but local traffic won't cross the tunnel until a packet is initiated from the remote side. As soon as the remote side sends a single ping, the local side can send traffic across. This lasts for an undetermined amount of time, after which the local side starts failing again. If I keep a steady ping from remote to local, tunnel stays up all night.

      The most confounding thing I've seen in the Sophos logs refers to INVALID_ID_INFORMATION. The interesting thing is that, just prior to this, it logs the local subnet correctly (192.168.2.0/24) but states that the peer client is subnet 0.0.0.0/0. At that point, Sophos logs "peer client ID returned doesn't match my proposal" and "sending encrypted notification INVALID_ID_INFORMATION to 20x.xxx.x.xx:500".

      Despite this, traffic will flow if I kick it off from the remote side. Meanwhile, however, the SPD tab on the remote pfSense device shows the correct local subnet (10.10.0.0/16).

      I have tried messing with every setting I could find to resolve this, and the only thing that's done is sometimes made it worse (e.g. a ping from the remote side won't bring up the tunnel with certain settings).

      What gives?

      stegbth
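The log line quoted above (peer client ID 0.0.0.0/0 returned, INVALID_ID_INFORMATION sent) is a Phase 2 traffic-selector mismatch, and such mismatches are direction-dependent: the check is performed by whichever peer is responding, and then again by the initiator on the IDs the responder sends back. The script below is an added illustration, not code from the thread or from either vendor: it models a simplified IKEv1 Quick Mode ID exchange for both initiation directions so that each side's configured selectors can be compared before touching the firewalls. The peer definitions are constructed from the subnets in the post; the pfSense "remote" of 0.0.0.0/0 is an assumption taken from the Sophos log line, not a verified pfSense setting, and the `accepts_supernet` flag and the four numbered steps are assumptions of the model rather than a transcript of either implementation.

```python
from ipaddress import ip_network

# Constructed peer definitions. Assumption: Sophos matches selectors exactly,
# pfSense also accepts a proposal contained in its policy but answers with its
# own configured IDs (the 0.0.0.0/0 seen in the Sophos log).
SOPHOS = {"name": "Sophos UTM", "local": "192.168.2.0/24",
          "remote": "10.10.0.0/16", "accepts_supernet": False}
PFSENSE = {"name": "pfSense", "local": "10.10.0.0/16",
           "remote": "0.0.0.0/0", "accepts_supernet": True}


def quick_mode(initiator, responder):
    """Model one direction of an IKEv1 Quick Mode selector exchange.

    Simplified model (assumption, not a protocol transcript):
      1. the initiator proposes its own local/remote subnets as IDci/IDcr;
      2. the responder checks them against its policy: an exact peer needs
         equality, a lenient peer also accepts a proposal inside its policy;
      3. the responder answers with the IDs from its own configuration;
      4. the initiator compares the returned IDs with its proposal and, on a
         mismatch, sends INVALID_ID_INFORMATION (the behaviour in the log).
    Returns (established: bool, reason: str).
    """
    i_local, i_remote = ip_network(initiator["local"]), ip_network(initiator["remote"])
    r_local, r_remote = ip_network(responder["local"]), ip_network(responder["remote"])

    # Step 2: responder-side check. Its "remote" is the initiator's "local".
    if responder["accepts_supernet"]:
        fits = i_local.subnet_of(r_remote) and i_remote.subnet_of(r_local)
    else:
        fits = i_local == r_remote and i_remote == r_local
    if not fits:
        return False, (f"{responder['name']} rejects proposal {i_local} <-> {i_remote}; "
                       f"its policy is {r_remote} <-> {r_local}")

    # Steps 3 and 4: responder echoes its configured IDs; initiator verifies.
    returned_local, returned_remote = r_remote, r_local
    if (returned_local, returned_remote) != (i_local, i_remote):
        return False, (f"{initiator['name']}: peer client ID {returned_local} <-> "
                       f"{returned_remote} doesn't match my proposal; "
                       f"sending INVALID_ID_INFORMATION")
    return True, f"{initiator['name']} -> {responder['name']} established"


def check_both_directions(a, b):
    """Return {direction: (ok, reason)} for both initiation directions."""
    return {f"{a['name']}->{b['name']}": quick_mode(a, b),
            f"{b['name']}->{a['name']}": quick_mode(b, a)}


if __name__ == "__main__":
    print("As configured:")
    for direction, (ok, why) in check_both_directions(SOPHOS, PFSENSE).items():
        print(f"  {direction}: {'OK' if ok else 'FAIL'} - {why}")
    # Same tunnel with the pfSense remote selector set to the Sophos LAN.
    fixed = dict(PFSENSE, remote="192.168.2.0/24")
    print("With matching Phase 2 selectors on both sides:")
    for direction, (ok, why) in check_both_directions(SOPHOS, fixed).items():
        print(f"  {direction}: {'OK' if ok else 'FAIL'} - {why}")
```

Under this model the Sophos-initiated direction fails at step 4 with exactly the log message quoted in the post, and the pfSense-initiated direction fails at step 2 on the Sophos side; only when both peers carry the same pair of subnets does every direction succeed. The model does not claim to reproduce why the real pfSense-initiated tunnel came up in the thread, since the pfSense Phase 2 entries are not shown; its use is to make "which side's Phase 2 selectors differ, and in which direction does that bite" a question answered from the configuration rather than from overnight pings.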

        hm,

        Because of my problem with X.509-authenticated IPsec, I tried a site-to-site tunnel between pfSense 2.2 and Cisco IOS with PSK and fixed IPs on both sides.

        There I have a similar problem.
        This site-to-site tunnel only gets established when a client behind pfSense initiates the tunnel to the Cisco.

        When the tunnel is established, the router is also able to transfer traffic over the tunnel, but not before.

        I assumed: the Cisco IOS has about 5 different Phase 1 policies, the pfSense has only one.
        But I don't know how to define only one Phase 1 policy for a specific client; Cisco support also told me that's not possible. I am unsure if I should trust Cisco in this statement (I have already had fights with Cisco support about what is possible and what isn't).

        best regards
        Thomas

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.