
Author Topic: Only 1 IPSec VPN Tunnel Can be UP at a Time


Sarven Atam
Only 1 IPSec VPN Tunnel Can be UP at a Time
« on: February 14, 2018, 11:48:13 am »
Hi,


I know my tunnels are working, as they work one at a time, but when both are enabled in pfSense, only the first one enabled works... does this make sense?

Thx

dotdash
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #1 on: February 14, 2018, 01:40:15 pm »
No. Makes no sense unless the Phase 2s are the same.

Sarven Atam
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #2 on: February 15, 2018, 09:20:35 pm »
Hi,

Yes, both tunnels' Phase 2 are the same.

I was not aware this would be an issue?

dotdash
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #3 on: February 16, 2018, 10:14:36 am »
It routes the traffic by matching the Phase 2, so if you have two that match, it doesn't know which one to use. If you have two remote sites with the same subnet, you need to BINAT, or change the subnet for one site.
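
To make dotdash's point concrete, here is an added Python check (not from the thread or from pfSense) that flags Phase 2 entries whose local and remote selectors overlap, which is exactly the "both tunnels' Phase 2 are the same" situation. The tunnel names and subnets are constructed; the pfSense LAN is assumed to be 192.168.0.0/24 and 192.168.3.0/24 is a made-up third site.

```python
import ipaddress
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Phase2:
    """One pfSense Phase 2 entry: the tunnel it belongs to and its traffic selectors."""
    tunnel: str   # Phase 1 description the P2 hangs off (one per remote peer)
    local: str    # local subnet, CIDR
    remote: str   # remote subnet, CIDR

def find_conflicts(entries):
    """Return pairs of Phase 2 entries whose local AND remote selectors overlap.

    Traffic is steered into a tunnel by matching the packet against the P2
    selectors, so two overlapping entries give the kernel an ambiguous policy
    and one of the tunnels silently carries nothing. overlaps() also catches
    a /16 that swallows another entry's /24, not just exact duplicates.
    """
    conflicts = []
    for a, b in combinations(entries, 2):
        local_overlap = ipaddress.ip_network(a.local).overlaps(ipaddress.ip_network(b.local))
        remote_overlap = ipaddress.ip_network(a.remote).overlaps(ipaddress.ip_network(b.remote))
        if local_overlap and remote_overlap:
            conflicts.append((a, b))
    return conflicts

# Constructed example (assumption: pfSense LAN is 192.168.0.0/24). The third
# entry has its remote subnet copied from site-b by mistake.
BROKEN = [
    Phase2("site-b", "192.168.0.0/24", "192.168.2.0/24"),
    Phase2("site-c", "192.168.0.0/24", "192.168.50.0/24"),
    Phase2("site-d", "192.168.0.0/24", "192.168.2.0/24"),
]
# Corrected: every remote site gets its own, non-overlapping selector
# (192.168.3.0/24 is a constructed value for the third site).
FIXED = [
    Phase2("site-b", "192.168.0.0/24", "192.168.2.0/24"),
    Phase2("site-c", "192.168.0.0/24", "192.168.50.0/24"),
    Phase2("site-d", "192.168.0.0/24", "192.168.3.0/24"),
]

if __name__ == "__main__":
    for a, b in find_conflicts(BROKEN):
        print(f"conflict: {a.tunnel} and {b.tunnel} both select {a.local} <-> {a.remote}")
    print("conflicts in fixed config:", find_conflicts(FIXED))
```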

Sarven Atam
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #4 on: February 18, 2018, 04:00:55 pm »
Hi,

All sites have different IP sets:

192.168.0.0
192.168.2.0
192.168.50.0

Subnet on all is 255.255.255.0

I get all 3 sites up for a while, come back to work and 2 out of 3 are down... I managed to get 2 out of 3 up; the 3rd one has exactly the same Phase 1 and 2 as another one that is running, but I get


Derelict
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #5 on: February 18, 2018, 10:16:12 pm »
Then why would your P2s be the same on multiple sites if those networks are not reachable on that tunnel?
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Sarven Atam
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #6 on: February 19, 2018, 12:04:09 pm »
Say I have a working tunnel, I disconnect it, re-connect it and it no longer works sometimes... I delete the settings on the pfSense side, re-create them exactly the same and it works again, as if there was a bug somewhere.

dotdash
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #7 on: February 19, 2018, 01:27:27 pm »
Quote: Say I have a working tunnel, I disconnect it, re-connect it and it no longer works sometimes...
Why are you doing that? It's probably causing the SA to become invalid on one side and not the other.
Try clearing both sides before you re-connect. Creating a new connection likely just gets the two sides to agree on a new SA.

Sarven Atam
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #8 on: February 19, 2018, 08:57:39 pm »
I understand, yet what I don't understand is why one of the tunnels stopped working on its own. I had 2 working tunnels right before I left the office; one of them stopped working and now won't reconnect :(

Derelict
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #9 on: February 19, 2018, 09:04:14 pm »
This is a pfSense forum. What does the pfSense side think?

Sarven Atam
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #10 on: February 19, 2018, 11:09:25 pm »
Feb 20 00:08:12   charon      06[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:12   charon      06[IKE] <con2000|4784> activating ISAKMP_DPD task
Feb 20 00:08:12   charon      06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 3717885545 [ HASH N(DPD) ]
Feb 20 00:08:12   charon      06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:12   charon      06[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:12   charon      06[IKE] <con2000|4784> nothing to initiate
Feb 20 00:08:12   charon      06[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
Feb 20 00:08:12   charon      06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 2002702379 [ HASH N(DPD_ACK) ]
Feb 20 00:08:12   charon      06[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:12   charon      06[IKE] <con2000|4784> nothing to initiate
Feb 20 00:08:12   charon      06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
Feb 20 00:08:12   charon      06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
Feb 20 00:08:12   charon      06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:12   charon      06[IKE] <4795> message parsing failed
Feb 20 00:08:12   charon      06[ENC] <4795> generating INFORMATIONAL_V1 request 1589880556 [ HASH N(PLD_MAL) ]
Feb 20 00:08:12   charon      06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
Feb 20 00:08:12   charon      06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:20   charon      06[NET] <4795> received packet: from 70.53.184.37[500] to 70.29.148.187[500] (108 bytes)
Feb 20 00:08:20   charon      06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
Feb 20 00:08:20   charon      06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:20   charon      06[IKE] <4795> message parsing failed
Feb 20 00:08:20   charon      06[ENC] <4795> generating INFORMATIONAL_V1 request 3774258457 [ HASH N(PLD_MAL) ]
Feb 20 00:08:20   charon      06[NET] <4795> sending packet: from 70.29.148.187[500] to 70.53.184.37[500] (92 bytes)
Feb 20 00:08:20   charon      06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> sending DPD request
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> queueing ISAKMP_DPD task
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> activating ISAKMP_DPD task
Feb 20 00:08:22   charon      06[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 2948983483 [ HASH N(DPD) ]
Feb 20 00:08:22   charon      06[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> nothing to initiate
Feb 20 00:08:22   charon      06[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
Feb 20 00:08:22   charon      06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 545605263 [ HASH N(DPD_ACK) ]
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:22   charon      06[IKE] <con2000|4784> nothing to initiate
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> sending DPD request
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> queueing ISAKMP_DPD task
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> activating ISAKMP_DPD task
Feb 20 00:08:32   charon      12[ENC] <con2000|4784> generating INFORMATIONAL_V1 request 4259553075 [ HASH N(DPD) ]
Feb 20 00:08:32   charon      12[NET] <con2000|4784> sending packet: from 70.29.148.187[500] to 70.49.70.217[500] (84 bytes)
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> nothing to initiate
Feb 20 00:08:32   charon      12[NET] <con2000|4784> received packet: from 70.49.70.217[500] to 70.29.148.187[500] (84 bytes)
Feb 20 00:08:32   charon      12[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 3826683002 [ HASH N(DPD_ACK) ]
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> activating new tasks
Feb 20 00:08:32   charon      12[IKE] <con2000|4784> nothing to initiate
Feb 20 00:08:34   charon      12[JOB] <4795> deleting half open IKE_SA with 70.53.184.37 after timeout
Feb 20 00:08:34   charon      12[IKE] <4795> IKE_SA (unnamed)[4795] state change: CONNECTING => DESTROYING
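
Derelict's reading of the log above (one side failing while the other keeps answering DPD) can be automated. The Python below is an added example, not from the thread or from pfSense: it groups charon lines by IKE_SA id, records whether the SA ever got a connection name (i.e. matched a configured Phase 1), counts DPD acks, and flags unnamed SAs that fail to decrypt and are then torn down as half-open, which on IKEv1 main mode usually points at a PSK or identifier mismatch on that one peer. The sample log is constructed in the shape of the posted one, with RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the charon log posted above; RFC 5737
# documentation addresses stand in for the real endpoints.
SAMPLE_LOG = """\
Feb 20 00:08:12   charon      06[IKE] <con2000|4784> activating ISAKMP_DPD task
Feb 20 00:08:12   charon      06[NET] <con2000|4784> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (84 bytes)
Feb 20 00:08:12   charon      06[NET] <con2000|4784> received packet: from 198.51.100.20[500] to 203.0.113.10[500] (84 bytes)
Feb 20 00:08:12   charon      06[ENC] <con2000|4784> parsed INFORMATIONAL_V1 request 2002702379 [ HASH N(DPD_ACK) ]
Feb 20 00:08:12   charon      06[NET] <4795> received packet: from 198.51.100.30[500] to 203.0.113.10[500] (108 bytes)
Feb 20 00:08:12   charon      06[ENC] <4795> invalid ID_V1 payload length, decryption failed?
Feb 20 00:08:12   charon      06[ENC] <4795> could not decrypt payloads
Feb 20 00:08:12   charon      06[IKE] <4795> ID_PROT request with message ID 0 processing failed
Feb 20 00:08:34   charon      12[JOB] <4795> deleting half open IKE_SA with 198.51.100.30 after timeout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon\s+\d+\[\w+\] "
    r"<(?:(?P<conn>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$")
# Only inbound packets and the half-open deletion name the *peer* address.
PEER_RE = re.compile(r"(?:received packet: from|IKE_SA with) (?P<ip>[\d.]+)")
FAILURE_MARKERS = ("could not decrypt payloads", "processing failed",
                   "deleting half open IKE_SA")

def triage(log_text):
    """Group charon lines by IKE_SA id; record conn name, peer, DPD acks, failures."""
    sas = defaultdict(lambda: {"conn": None, "peer": None, "dpd_ack": 0, "failures": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a charon line we understand
        rec = sas[m["sa"]]
        if m["conn"]:
            rec["conn"] = m["conn"]       # named SA: it matched a configured P1
        peer = PEER_RE.search(m["msg"])
        if peer:
            rec["peer"] = peer["ip"]
        if "DPD_ACK" in m["msg"]:
            rec["dpd_ack"] += 1           # peer answered dead-peer detection
        rec["failures"] += [(m["ts"], mk) for mk in FAILURE_MARKERS if mk in m["msg"]]
    return dict(sas)

def failed_peers(log_text):
    """Peers whose IKE_SA never left Phase 1 (unnamed SA with decrypt/parse failures)."""
    return sorted({r["peer"] for r in triage(log_text).values()
                   if r["conn"] is None and r["failures"] and r["peer"]})
```

Run it against the real log from Status > System Logs > IPsec; the peers it returns are the ones whose Phase 1 settings need comparing side by side.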

Derelict
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #11 on: February 19, 2018, 11:38:55 pm »
Looks like one side is failing and the other doesn't know it.

You'll probably have to post the IKE and IPsec configurations from both sides.

Are you trying to get two tunnels up between the same two endpoints?

Sarven Atam
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #12 on: February 20, 2018, 10:35:02 am »
Funny thing is the tunnel worked until it stopped working on its own. I want to get 3 tunnels to 3 different sites, with all of them set up on Zyxel routers. I manage to get all 3 up, then they drop like flies lol

Attached are config details:

Derelict
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #13 on: February 20, 2018, 11:02:11 am »
That all looks OK at first glance. I would uncheck "Disable rekey" on the pfSense side.

And please change the PSK. :)

dotdash
Re: Only 1 IPSec VPN Tunnel Can be UP at a Time
« Reply #14 on: February 20, 2018, 04:37:23 pm »
I do not understand what you are doing with the identifiers on the pfSense P1.
Normally, in that situation, I'd use DN and put in the DynDNS hostname. Not sure what you are doing with the 0.0.0.0.