
    2x Phase 2 not steady

    vitafit:

      Hi all,

      I am having kind of a strange issue with all my IPsec tunnels that include 2x networks on Phase 2: after a few hours (I am not sure exactly how long, but it will be a few hours) only one of the two networks is up on the IPsec status page, which of course results in packet loss.

      If I check the other side (which is not a pfSense) I can see both phases up, so one of the two Phase 2 networks is only lost on the pfSense side. So far I could figure out that most of the time the first defined Phase 2 is the one not being connected (but this might be a timing problem). If you ask me, I would say the issue starts as soon as my Phase 1 timeout of 86400 seconds is reached.

      DPD is enabled. So, summarized: after reconnecting my VPN everything works perfectly for a few hours. After that only one of the two Phase 2 networks will work. My configuration:

      Thanks!

      vitafit:

        I re-checked the logs and the only suspicious thing I could find was:

        Aug 31 10:11:19 charon: 13[ENC] <con1000|198>received HASH payload does not match
        Aug 31 10:11:19 charon: 13[ENC] <con1000|198>parsed QUICK_MODE request 1411326251 [ HASH SA No KE ID ID ]
        Aug 31 10:11:19 charon: 13[NET] <con1000|198>received packet: from **.236.205[4500] to **.156.19[4500] (300 bytes)

        Could this cause the issues? Any other ideas?

          cmb:
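The three charon lines quoted above are the only hard evidence in the thread, and on a busy pfSense box they are easy to lose among routine IKE chatter. Below is an added example (not code from the poster, from pfSense, or from strongSwan) that parses the charon log format exactly as it appears in the post and reports, per connection and IKE_SA, any "received HASH payload does not match" event that occurred on an IKE_SA that was also processing an IKEv1 Quick Mode (Phase 2) exchange. The sample log embeds the three lines from the post (addresses masked as on the page) plus constructed lines for a healthy second tunnel and an unrelated config message; the connection names con2000/con3000, the addresses and the SPIs are assumptions for illustration. The grouping is by (connection, IKE_SA id), so it works whether the log is shown oldest-first or, as pfSense does, newest-first.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Line shape seen in the pfSense IPsec log (charon via syslog):
#   "<Mon> <day> <HH:MM:SS> charon: <thread>[<group>] <conname|ike_sa_id>message"
# The "<conname|id>" prefix is absent on lines not tied to an IKE_SA (e.g. CFG).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<con>[^|>]+)\|(?P<sa>\d+)>)?(?P<msg>.*)$"
)

HASH_MISMATCH = "received HASH payload does not match"
# IKEv1 Phase 2 negotiation: "parsed QUICK_MODE request <msgid> [ ... ]"
QUICK_MODE_RE = re.compile(r"parsed QUICK_MODE (?:request|response) (\d+)")

# Constructed sample log. The first three lines are the ones quoted in the post;
# the rest are made up to show a healthy tunnel (con2000) and a non-SA line.
SAMPLE_LOG = [
    "Aug 31 10:11:19 charon: 13[ENC] <con1000|198>received HASH payload does not match",
    "Aug 31 10:11:19 charon: 13[ENC] <con1000|198>parsed QUICK_MODE request 1411326251 [ HASH SA No KE ID ID ]",
    "Aug 31 10:11:19 charon: 13[NET] <con1000|198>received packet: from **.236.205[4500] to **.156.19[4500] (300 bytes)",
    "Aug 31 10:12:02 charon: 07[NET] <con2000|41>received packet: from 203.0.113.7[500] to 198.51.100.9[500] (292 bytes)",
    "Aug 31 10:12:02 charon: 07[ENC] <con2000|41>parsed QUICK_MODE request 8675309 [ HASH SA No KE ID ID ]",
    "Aug 31 10:12:02 charon: 07[IKE] <con2000|41>CHILD_SA con2000{12} established with SPIs c1a2b3d4_i e5f6a7b8_o",
    "Aug 31 10:12:05 charon: 08[CFG] received stroke: initiate 'con3000'",
]


@dataclass
class SaEvents:
    """Everything we track for one (connection, IKE_SA id) pair."""
    timestamps: list = field(default_factory=list)
    quick_mode_msgids: set = field(default_factory=set)
    hash_mismatches: int = 0


def parse_line(line):
    """Split one charon log line into its fields; None if it is not a charon line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Group events by (connection name, IKE_SA id). Order of lines does not matter."""
    per_sa = defaultdict(SaEvents)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["con"] is None:
            continue  # unparseable, or not attached to an IKE_SA
        rec = per_sa[(ev["con"], int(ev["sa"]))]
        rec.timestamps.append(ev["ts"])
        if HASH_MISMATCH in ev["msg"]:
            rec.hash_mismatches += 1
        qm = QUICK_MODE_RE.search(ev["msg"])
        if qm:
            rec.quick_mode_msgids.add(int(qm.group(1)))
    return per_sa


def suspicious_sas(lines):
    """Return [(con, ike_sa_id, mismatch_count, [quick_mode_msgids])] for IKE_SAs
    that logged a HASH mismatch while also handling a Quick Mode exchange, i.e.
    the pattern in the post where a Phase 2 negotiation was rejected."""
    out = []
    for (con, sa), rec in sorted(analyse(lines).items()):
        if rec.hash_mismatches and rec.quick_mode_msgids:
            out.append((con, sa, rec.hash_mismatches, sorted(rec.quick_mode_msgids)))
    return out


if __name__ == "__main__":
    for con, sa, n, msgids in suspicious_sas(SAMPLE_LOG):
        print(f"{con} IKE_SA #{sa}: {n} HASH mismatch(es) during QUICK_MODE msgid(s) {msgids}")
```

On a real box, feed it the output of the IPsec log (for example `clog /var/log/ipsec.log` on older pfSense releases, or the exported log file) and look for connections that show up repeatedly around the Phase 1 lifetime boundary the poster mentions; a mismatch that only ever hits one of the two Phase 2 entries narrows the comparison to that entry's settings on both peers.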

          Is there a reason you're forcing NAT-T? That shouldn't be necessary and could be the reason if you're in a circumstance where NAT-T isn't required.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.