IPSec reconnect takes up to 5 minutes
-
Hi,
I have an IPSec VPN connection (VTI mode), where one endpoint is set to start action "Responder only" and close action "Close connection and clear SA", and the other to start action "Initiate at start" and close action "Restart/Reconnect". DPD is activated on both sides, and if the WAN connection goes down, the IPSec tunnel gets closed after some seconds on both sides.
If the WAN connection comes back, one endpoint should reconnect immediately. Unfortunately this doesn't work. As far as I can tell, the reconnect depends on or gets initiated by the "Enable periodic keep alive check" under the P2 options?
Sometimes it takes 4 or 5 minutes until this "periodic check" hits. Is there a way to set this check to run way more often?
-
@volans Your connection, in responder only, will wait for the remote side to establish the tunnel. If you establish a ping from the other side it will probably re-establish quicker.
-
Hi Ryan,
Unfortunately that makes no difference. I'm pinging both tunnel endpoint IPs from the other side. I checked whether the route is still in the routing table, even when the connection is not established, and it is. So pfSense knows that this ICMP packet is meant to go through the disconnected tunnel, but that seems to be no reason for pfSense to try to re-establish the connection.
I tested that with "Child SA close action" on "Restart/Reconnect" and "..reconnect on demand".
-
@volans As I understand it, the endpoints play no role in the routing being established. You need an internal thing on Network A to ping an internal thing on Network B to get it to connect, if pinging is allowed.
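For readers who want to see the two roles discussed in this thread spelled out at the daemon level, here is an added strongSwan swanctl.conf illustration. It is not from any of the posters and not something pfSense generates verbatim; pfSense drives strongSwan from its GUI and writes its own configuration. The connection names, addresses, identities, PSK and the reqid are assumptions, and the VTI interface binding is left out because it is platform-specific. What the fragment shows is which knobs decide how quickly the initiating side notices a dead peer (dpd_delay) and whether it tries to come back on its own (dpd_action, close_action, keyingtries), versus a responder that only waits.

```ini
# Added illustration (not from this thread): strongSwan swanctl.conf
# for the two roles the poster describes. Names, addresses, IDs, the
# PSK and the reqid below are assumptions; the VTI interface binding
# is platform-specific and omitted.

# --- Site A: the side set to "Initiate at start" / "Restart/Reconnect" ---
connections {
    siteA-to-siteB {
        local_addrs  = 198.51.100.10   # assumed WAN address of site A
        remote_addrs = 203.0.113.20    # assumed WAN address of site B
        version      = 2               # IKEv2
        # How often IKE liveness probes are sent while idle. This governs
        # how fast a dead WAN link is noticed, not how fast it is retried.
        dpd_delay    = 10s
        # 0 = keep retrying forever after DPD/close-triggered restarts
        # (the default of 1 gives up after the first failed attempt).
        keyingtries  = 0
        local  { auth = psk  id = siteA }
        remote { auth = psk  id = siteB }
        children {
            vti {
                # Route-based VPN: the policy covers everything and the
                # routing table decides what is sent through the tunnel.
                local_ts     = 0.0.0.0/0
                remote_ts    = 0.0.0.0/0
                reqid        = 1           # assumed; used to bind the VTI
                start_action = start       # bring the CHILD_SA up at load
                close_action = start       # re-initiate if the peer closes it
                dpd_action   = restart     # re-initiate when DPD declares the peer dead
            }
        }
    }
}

# --- Site B: the side set to "Responder only" / "Close connection and clear SA" ---
# (shown in the same file only for comparison; it lives on the other gateway)
# connections {
#     siteB-from-siteA {
#         local_addrs  = 203.0.113.20
#         remote_addrs = 198.51.100.10
#         version      = 2
#         dpd_delay    = 10s
#         local  { auth = psk  id = siteB }
#         remote { auth = psk  id = siteA }
#         children {
#             vti {
#                 local_ts     = 0.0.0.0/0
#                 remote_ts    = 0.0.0.0/0
#                 reqid        = 1
#                 start_action = none     # never initiates; waits for site A
#                 close_action = none     # just drop the SA when it is closed
#                 dpd_action   = clear    # clear the SA on DPD timeout, no retry
#             }
#         }
#     }
# }

secrets {
    ike-siteA-siteB {
        id-1   = siteA
        id-2   = siteB
        secret = "replace-with-a-long-random-psk"   # placeholder, assumed
    }
}
```

The point of the contrast is the one Ryan makes: a responder-only peer (start_action = none, dpd_action = clear) never re-establishes anything by itself, so recovery time after a WAN outage is entirely decided by the initiating side's dpd_action, close_action and retry limit. A start_action of trap instead of start would install a trap policy, so that the first packet matching the traffic selectors triggers negotiation; with a route-based VTI that still only helps when something actually sends traffic into the interface.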