Please also check for external routing issues, e.g. with mtr, if possible on both endpoints. Routing errors or split BGP configs by other providers, which result in different routes for inbound and outbound traffic, often result in errors when bringing up the VPN tunnel.

* My message is not really related to configuration issues at the endpoints; it is just a checkpoint I would start with once the configs are double-checked.

** Ahem, a /32 mask is host-only (may be right if only one host talks to a network, but how, if the one host does not know about the others? A bit of an egomaniac machine. :8~) )

= = = http://michael-schuh.net/ = = =
Project Management - IT-Consulting - Professional Services IT
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = VAT ID: DE251072318 = = =

2015-04-28 22:34 GMT+02:00 Christoph Hanle <[email protected]>:
> Hi,
> we are going crazy with one tunnel.
> Our system: pfSense 2.2 failover cluster.
> Other side: a bigger Juniper.
> VPN with 6 tunnels was up.
> The 7th tunnel (10.2.2.55) fails.
> The 8th tunnel, created afterwards, is OK again.
>
> Some lines from the debug log:
> ---
> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
> proposing traffic selectors for us:
> 10.243.35.0/24|/0
> proposing traffic selectors for other:
> 10.2.2.55/32|/0
> generating QUICK_MODE request 2417630024 [ HASH SA No KE ID ID ]
> ...
> parsed INFORMATIONAL_V1 request 3795096688 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
> ---
> Looks to me like a Phase 2 Encryption Algorithm Mismatch.
> But why and where?
>
> On our side I have created the entry for 10.2.2.55 based on existing
> entries; for troubleshooting: removed, added again and checked more than
> 5 times, also checked the backup XML -> no error found.
>
> I have no access to the other side, but there is a guy who knows what
> to do and, as I remember, on a Juniper you create the Phase2 settings
> only once and then add all the remote networks.
>
> Any hints or ideas where to search and what to do?
>
> bye
> Christoph
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
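
Added example (not part of the original messages, and not pfSense or strongSwan code): a small Python parser that turns the debug-log excerpt quoted above into the list of Phase 2 parameters (encryption, integrity, PFS group, ESN, traffic selectors) that can be compared item by item with the peer's configuration. It assumes the strongSwan-style line formats shown in the post and generalizes slightly to comma-separated proposal lists and log-prefixed lines; `parse_proposal`, `summarize` and `SAMPLE_LOG` are illustrative names.

```python
import re
# Constructed sample: the debug-log lines quoted in the message above.
SAMPLE_LOG = """\
configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
proposing traffic selectors for us:
 10.243.35.0/24|/0
proposing traffic selectors for other:
 10.2.2.55/32|/0
generating QUICK_MODE request 2417630024 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 3795096688 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
"""

# IANA IKE Diffie-Hellman group numbers for common MODP names.
DH_GROUPS = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14}

def parse_proposal(text):
    """Split one 'PROTO:T1/T2/...' proposal into named Phase 2 parameters."""
    proto, _, transforms = text.strip().partition(":")
    out = {"protocol": proto, "encryption": [], "integrity": [],
           "pfs_group": None, "esn": None}
    for t in transforms.split("/"):
        if t.startswith(("MODP_", "ECP_")):
            # A DH group inside an ESP proposal means PFS is requested.
            out["pfs_group"] = (t, DH_GROUPS.get(t))  # number None if unmapped
        elif t in ("EXT_SEQ", "NO_EXT_SEQ"):
            out["esn"] = t == "EXT_SEQ"
        elif t.startswith("HMAC_") or "XCBC" in t or "CMAC" in t:
            out["integrity"].append(t)
        else:
            out["encryption"].append(t)
    return out

def summarize(log):
    """Collect what was offered in Quick Mode and whether the peer rejected it."""
    res = {"proposals": [], "local_ts": [], "remote_ts": [],
           "rejected": "NO_PROPOSAL_CHOSEN" in log}
    side = None
    for line in log.splitlines():
        ts = re.search(r"(\d+\.\d+\.\d+\.\d+/\d+)\|", line)
        if "configured proposals:" in line:
            offered = line.split("configured proposals:", 1)[1]
            res["proposals"] = [parse_proposal(p) for p in offered.split(",")]
        elif "proposing traffic selectors for" in line:
            side = "local_ts" if "for us" in line else "remote_ts"
        elif side and ts:
            res[side].append(ts.group(1))
        else:
            side = None
    return res

print(summarize(SAMPLE_LOG))
```

For the quoted log this yields ESP with AES_CBC_128, HMAC_SHA1_96, PFS group 2 (MODP_1024), ESN off, and the selectors 10.243.35.0/24 and 10.2.2.55/32.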
