how to enable continuous IPsec S2S reconnection retries?
-
After probably not more than an hour offline at the other end (Fortigate), this side (pfSense) of the VPN tunnel goes to "disconnected" status and won't make any reconnect attempts (even when the other side eventually returns online).
How do I enable continuous (never-ending) reconnect retries?
On the "IPsec Status" page I see just a manual reconnect:
-
If it's tunnel mode IPsec, you can fill in a keep-alive host in the P2 options, which will periodically try to send some traffic across the VPN, and that traffic would initiate it.
There is a better option coming in 22.01/2.6.0 that works for both VTI and tunnel mode: https://redmine.pfsense.org/issues/12169
-
@jimp why doesn't pfSense respond to the other side's requests when the other side returns online?
Is it by design (I can't find an answer anywhere in the docs)?
*sorry, I'm quite new to pfSense, previous experience mainly with Cisco
-
@jimp sorry for double posting, couldn't update the previous post.
Which source address will be used for the keep-alive host?
-
@boi said in how to enable continuous IPsec S2S reconnection retries?:
@jimp why doesn't pfSense respond to the other side's requests when the other side returns online?
Is it by design (I can't find an answer anywhere in the docs)?
*sorry, I'm quite new to pfSense, previous experience mainly with Cisco
If the remote side initiates properly, it should respond. If it doesn't, that suggests maybe you have a settings mismatch somewhere. It's not uncommon for that to happen, since IPsec implementations will generally accept stricter values from peers but reject less secure options. So if they don't match, you might find it initiates one way but not both.
@boi said in how to enable continuous IPsec S2S reconnection retries?:
@jimp sorry for double posting, couldn't update the previous post.
Which source address will be used for the keep-alive host?
The firewall tries to source it from an address inside the local part of the P2, assuming there is an address on the firewall in that subnet. If there isn't an address on the firewall in the P2, then it can't send any traffic that would trigger the tunnel to initiate.
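To make the sourcing rule above concrete, here is an added example (not code from the thread or from pfSense) that models how a tunnel-mode P2 keep-alive is sourced: the source must be a firewall address inside the P2 local network, and the keep-alive host must sit inside the P2 remote network, otherwise the ping never matches the IPsec policy and nothing initiates the tunnel. All network and address values are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed values: one P2 entry and the addresses this firewall holds.
P2_LOCAL = "10.0.1.0/24"        # P2 "Local Network"
P2_REMOTE = "192.168.50.0/24"   # P2 "Remote Network"
KEEPALIVE_HOST = "192.168.50.10"
FIREWALL_ADDRS = ["203.0.113.5", "10.0.1.1"]  # WAN and LAN addresses

def keepalive_source(p2_local: str, firewall_addrs: List[str]):
    """Return the first firewall address inside the P2 local network, or None.
    None reproduces the failure jimp describes: no address in the P2 local
    subnet means the firewall has nothing to source the keep-alive from."""
    local_net = ip_network(p2_local, strict=False)
    for a in firewall_addrs:
        addr = ip_address(a)
        if addr in local_net:
            return addr
    return None

def keepalive_plan(p2_local: str, p2_remote: str, keepalive_host: str,
                   firewall_addrs: List[str]) -> Tuple[Optional[object], str]:
    """Return (source_address, reason). source_address is None when the
    keep-alive cannot bring the tunnel up with this configuration."""
    remote_net = ip_network(p2_remote, strict=False)
    host = ip_address(keepalive_host)
    # Traffic only selects the IPsec policy when src is in local AND dst is in remote.
    if host not in remote_net:
        return None, f"{host} is outside P2 remote {remote_net}; ping would not match the policy"
    src = keepalive_source(p2_local, firewall_addrs)
    if src is None:
        return None, f"no firewall address inside P2 local {p2_local}; nothing can trigger the tunnel"
    return src, f"periodically ping {host} from {src} to initiate the tunnel"

if __name__ == "__main__":
    src, reason = keepalive_plan(P2_LOCAL, P2_REMOTE, KEEPALIVE_HOST, FIREWALL_ADDRS)
    print(reason)
```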
-
@jimp said in how to enable continuous IPsec S2S reconnection retries?:
If the remote side initiates properly, it should respond.
If the other side's offline time is not really long, pfSense responds to the IPsec tunnel requests, as I can tell from the status page above.
@jimp said in how to enable continuous IPsec S2S reconnection retries?:
The firewall tries to source it from an address inside the local part of the P2, assuming there is an address on the firewall in that subnet. If there isn't an address on the firewall in the P2, then it can't send any traffic that would trigger the tunnel to initiate.
Thanks for this information, doing this immediately!