Hey all - Pulling my hair out here. Have this one tunnel that is hanging on rekeying. Both sides were stuck on REKEYING. They eventually re-authed the outer IKE tunnel and came up again. This is ongoing with traffic stopping at each rekey for random amounts of time.
I can’t find anything wrong. Do not know why the 203.0.113.121 side is returning INVALID_ID when the “Phase 2” is right there. Any pointers graciously accepted. Thanks. Oct 30 18:06:43 pfSense_2.4.4 charon: 06[NET] <con4000|55> received packet: from 198.51.100.49[500] to 203.0.113.121[500] (460 bytes) Oct 30 18:06:43 pfSense_2.4.4 charon: 06[ENC] <con4000|55> parsed QUICK_MODE request 3072107701 [ HASH SA No KE ID ID ] Oct 30 18:06:43 pfSense_2.4.4 charon: 06[CFG] <con4000|55> looking for a child config for 192.168.14.0/24|/0 === 192.168.16.0/24|/0 Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> no matching CHILD_SA config found Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> queueing INFORMATIONAL task Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> activating new tasks Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> activating INFORMATIONAL task Oct 30 18:06:43 pfSense_2.4.4 charon: 06[ENC] <con4000|55> generating INFORMATIONAL_V1 request 3147423319 [ HASH N(INVAL_ID) ] Oct 30 18:06:43 pfSense_2.4.4 charon: 06[NET] <con4000|55> sending packet: from 203.0.113.121[500] to 198.51.100.49[500] (92 bytes) Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> activating new tasks Oct 30 18:06:43 pfSense_2.4.4 charon: 06[IKE] <con4000|55> nothing to initiate IT'S RIGHT THERE: $ ipsec statusall con4000 Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.2-RELEASE-p3, amd64): uptime: 2 days, since Oct 27 22:44:06 2018 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10 loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters Listening IP addresses: 203.0.113.121 192.168.14.1 172.16.14.1 Connections: con4000: 203.0.113.121...198.51.100.49 IKEv1, dpddelay=10s con4000: local: [203.0.113.121] uses pre-shared key authentication con4000: remote: [198.51.100.49] uses pre-shared key authentication con4000: child: 192.168.14.0/24|/0 === 192.168.16.0/24|/0 TUNNEL, dpdaction=restart Routed Connections: con4000{552}: ROUTED, TUNNEL, reqid 1 con4000{552}: 192.168.14.0/24|/0 === 192.168.16.0/24|/0 Security Associations (3 up, 0 connecting): con4000[55]: ESTABLISHED 4 hours ago, 203.0.113.121[203.0.113.121]...198.51.100.49[198.51.100.49] con4000[55]: IKEv1 SPIs: 6dd2d30fcec4ee45_i* 0007aac07d503b24_r, pre-shared key reauthentication in 2 hours con4000[55]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024 con4000[55]: Tasks queued: INFORMATIONAL con4000[55]: Tasks active: QUICK_MODE This side: conn con4000 fragmentation = yes keyexchange = ikev1 reauth = yes forceencaps = no mobike = no rekey = yes installpolicy = yes type = tunnel dpdaction = restart dpddelay = 10s dpdtimeout = 60s auto = route left = 203.0.113.121 right = 198.51.100.49 leftid = 203.0.113.121 ikelifetime = 28800s lifetime = 3600s ike = aes256-sha256-modp1024! esp = aes256-sha256-modp2048! leftauth = psk rightauth = psk rightid = 198.51.100.49 aggressive = no rightsubnet = 192.168.16.0/24 leftsubnet = 192.168.14.0/24 Other Side: conn con1000 fragmentation = yes keyexchange = ikev1 reauth = yes forceencaps = no mobike = no rekey = yes installpolicy = yes type = tunnel dpdaction = restart dpddelay = 10s dpdtimeout = 60s auto = route left = 198.51.100.49 right = 203.0.113.121 leftid = 198.51.100.49 ikelifetime = 28800s lifetime = 3600s ike = aes256-sha256-modp1024! esp = aes256-sha256-modp2048! leftauth = psk rightauth = psk rightid = 203.0.113.121 aggressive = no rightsubnet = 192.168.14.0/24 leftsubnet = 192.168.16.0/24 -- Chris Linstruth <cjli...@gmail.com>