Re: [pfSense] 1 of 8 phase2 tunnel will not come up
On 28/04/15 22:34, Christoph Hanle wrote:
> Hi,
> we are getting crazy with one tunnel
> our system pfSense 2.2 failover cluster
> other side a bigger Juniper.
> VPN with 6 tunnels was up.
> the 7th tunnel (10.2.2.55) fails.
> the afterwards created 8th tunnel is OK again.

Problem is gone, don't ask why.
It seems that on our side or at the other side a child SA process was not properly released.

bye
Christoph

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] 1 of 8 phase2 tunnel will not come up
On Wed, Apr 29, 2015 at 1:22 PM, Christoph Hanle christoph.ha...@leinpfad.de wrote:
> On 28/04/15 22:34, Christoph Hanle wrote:
>> Hi,
>> we are getting crazy with one tunnel
>> our system pfSense 2.2 failover cluster
>> other side a bigger Juniper.
>> VPN with 6 tunnels was up.
>> the 7th tunnel (10.2.2.55) fails.
>> the afterwards created 8th tunnel is OK again.
>
> Problem is gone, don't ask why.

My guess is this:
https://redmine.pfsense.org/issues/4665

It might not be, but the symptom seems like it could match. If you see a similar symptom, check the output of ipsec statusall for the reqid values. They should be unique for each P2. If any of them are duplicated, that's #4665.
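The reqid check suggested in the reply above, as an added example that is not part of the thread or of pfSense: a shell function that reads ipsec statusall output on stdin and reports any reqid attached to more than one distinct pair of traffic selectors. The sample output is constructed, and reading the number in braces as the reqid when no explicit "reqid N" field is printed is an assumption about the strongSwan output format.

```shell
# Usage on the firewall: ipsec statusall | find_dup_reqids
find_dup_reqids() {
    awk '
    # First line of a child SA: "con1{1}:  INSTALLED, TUNNEL, ESP SPIs: ..."
    $1 ~ /[{][0-9]+[}]:$/ && /TUNNEL|TRANSPORT/ {
        tag = $1
        if (match($0, /reqid [0-9]+/)) {
            # Output that prints the reqid explicitly.
            rid = substr($0, RSTART + 6, RLENGTH - 6)
        } else {
            # Assumption: otherwise the number in braces is the reqid.
            match(tag, /[{][0-9]+[}]/)
            rid = substr(tag, RSTART + 1, RLENGTH - 2)
        }
        next
    }
    # Traffic selector line of that child SA: "con1{1}:   local === remote"
    $1 == tag && / === / {
        ts = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", ts)
        # The same selectors seen twice is a rekey overlap, not a duplicate.
        if (!((rid, ts) in seen)) {
            seen[rid, ts] = 1
            if (!(rid in count)) order[++n] = rid
            count[rid]++
            list[rid] = (count[rid] > 1) ? list[rid] " ; " ts : ts
        }
    }
    END {
        for (i = 1; i <= n; i++)
            if (count[order[i]] > 1)
                print "reqid " order[i] " shared by: " list[order[i]]
    }'
}

# Constructed sample output; only the two subnets come from the thread.
sample_statusall() {
    cat <<'EOF'
        con1{1}:  INSTALLED, TUNNEL, ESP SPIs: c0000001_i c0000002_o
        con1{1}:   10.243.35.0/24|/0 === 10.2.2.50/32|/0
        con1{1}:  INSTALLED, TUNNEL, ESP SPIs: c0000003_i c0000004_o
        con1{1}:   10.243.35.0/24|/0 === 10.2.2.55/32|/0
        con1{2}:  INSTALLED, TUNNEL, ESP SPIs: c0000005_i c0000006_o
        con1{2}:   10.243.35.0/24|/0 === 10.2.2.60/32|/0
        con1{2}:  INSTALLED, TUNNEL, ESP SPIs: c0000007_i c0000008_o
        con1{2}:   10.243.35.0/24|/0 === 10.2.2.60/32|/0
EOF
}
```

No output means every reqid maps to a single Phase 2; a "shared by" line lists the selector pairs that collide.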
[pfSense] 1 of 8 phase2 tunnel will not come up
Hi,
we are getting crazy with one tunnel
our system pfSense 2.2 failover cluster
other side a bigger Juniper.
VPN with 6 tunnels was up.
the 7th tunnel (10.2.2.55) fails.
the afterwards created 8th tunnel is OK again.

some lines from debug log:
---
configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
proposing traffic selectors for us: 10.243.35.0/24|/0
proposing traffic selectors for other: 10.2.2.55/32|/0
generating QUICK_MODE request 2417630024 [ HASH SA No KE ID ID ]
...
parsed INFORMATIONAL_V1 request 3795096688 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
---

Looks to me like a Phase 2 Encryption Algorithm Mismatch, but why and where?

On our side I have created the entry for 10.2.2.55 based on existing entries; for troubleshooting: removed, added again and checked more than 5 times, also checked the backup XML - no error found.
To the other side I have no access, but there is a guy who knows what to do and, as I remember, on a Juniper you create the Phase 2 settings only once and then add all the remote networks.

Any hints or ideas where to search and what to do?

bye
Christoph