Tunnel "Up" if Phase 2 mismatch? Disconnect on Disable/Restart?
I have been fiddling a lot with my IKEv2 tunnel between my main office (MBT-2220/2.60CE) and my home office (either APU/2.60CE, SG-1100/22.05, or my new Protectli FW4C/2.60CE), as I try to upgrade hardware, avoid bugs, optimize throughput, etc.
A few times now I've been bitten by user error where I match the P1 encryption proposals, but mismatch the P2 proposals. In these cases, I've observed one of two odd behaviors:
- The tunnel will get Established, but no traffic will pass. Should a tunnel be considered "Up" if there's no valid P2?
- The tunnel will get Established, and I'll run some iperf tests and such to gather some data, then I'll step away from my computer for a while, come back, and find that the tunnel is still "Up," but no traffic will pass.
  - In these cases, Disconnecting the tunnel and then Reconnecting the tunnel will enable traffic to pass for a short while.
  - But then after a while, the traffic will stop passing again.
  - I just checked the logs and discovered "No proposal chosen," which explains why no traffic will pass now, but why did it pass an hour ago when I established the tunnel in the first place? And why does it pass (for a short while) if I dis/reconnect?
On a somewhat related note, what's y'all's opinion on the following behavior?
- If a tunnel is currently Up, and I disable that tunnel in VPN: IPsec, and click Ok, Apply, should the tunnel be disconnected automatically?
  - Currently pfSense 2.60CE does not do this. I need to go to Status: IPsec, and Disconnect the tunnel.
- If a tunnel is currently Up, and I click Status: IPsec: Restart Service, should the tunnel be disconnected?
  - I thought Restart Service meant that the IPsec daemon was killed and restarted.
  - Wouldn't that/shouldn't that tear down any existing tunnels?
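The "Established but no traffic" state in the post is an IKE SA (Phase 1) that exists without any CHILD_SA (Phase 2), which is exactly what a Phase 2 proposal mismatch leaves behind: IKE_AUTH succeeds, the CHILD_SA is rejected with NO_PROPOSAL_CHOSEN, and charon keeps the IKE_SA. The script below is an added example, not code from the forum post or from pfSense/strongSwan. It parses the text format of `swanctl --list-sas` (as run on the firewall shell) and classifies each connection as `up` (IKE SA established and a CHILD_SA installed), `ike-only` (the situation the poster describes) or `down`, and separately counts Phase 2 negotiation failures in charon log lines. The connection names, addresses, SPIs and log lines are constructed to mirror strongSwan's output format; they are not captures from the poster's systems.

```python
"""Distinguish IKE-SA-only "Up" tunnels from tunnels with a live CHILD_SA.

Added example (not from the forum post or from pfSense/strongSwan code).
Input is the text produced by `swanctl --list-sas` and charon's syslog lines;
both samples below are constructed to follow those formats.
"""
import re

# Constructed sample of `swanctl --list-sas`: 'office' has an installed
# CHILD_SA, 'home' has only an IKE SA (Phase 2 never came up).
SAMPLE_SAS = """\
office: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7081_i* 8170f6e5d4c3b2a1_r
  local  'office.example' @ 203.0.113.10[500]
  remote 'home.example' @ 198.51.100.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_384
  established 3612s ago, rekeying in 24888s
  office: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 612s ago, rekeying in 2588s, expires in 3024s
    in  c1a2b3c4,  48201 bytes,   312 packets,     2s ago
    out d4e5f6a7,  91122 bytes,   540 packets,     2s ago
    local  10.10.0.0/24
    remote 10.20.0.0/24
home: #4, ESTABLISHED, IKEv2, 0102030405060708_i* 0807060504030201_r
  local  'office.example' @ 203.0.113.10[500]
  remote 'home2.example' @ 198.51.100.30[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_384
  established 3588s ago, rekeying in 24912s
"""

# Constructed charon log lines in syslog style (hostname/pid are made up).
SAMPLE_LOG = """\
Jan 10 09:12:01 fw charon[1234]: 08[IKE] <home|4> IKE_SA home[4] established between 203.0.113.10[office.example]...198.51.100.30[home2.example]
Jan 10 09:12:01 fw charon[1234]: 08[IKE] <home|4> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jan 10 09:12:01 fw charon[1234]: 08[IKE] <home|4> failed to establish CHILD_SA, keeping IKE_SA
"""

# IKE SA header lines start in column 0: "<conn>: #<id>, <STATE>, IKEv<n>, ..."
IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv(\d)")
# CHILD_SA lines are indented and carry a reqid: "  <conn>: #<id>, reqid <n>, <STATE>, <MODE>, ..."
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), (\w+)")
# Phase 2 failure markers as charon logs them (initiator and responder side).
P2_FAIL_RE = re.compile(
    r"<(\w+)\|(\d+)> (received NO_PROPOSAL_CHOSEN notify|no acceptable proposal found)"
)


def parse_sas(text):
    """Return {conn_name: {"ike_state": str, "children": [child_state, ...]}}."""
    sas = {}
    current = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = m.group(1)
            entry = sas.setdefault(current, {"ike_state": None, "children": []})
            entry["ike_state"] = m.group(3)
            continue
        m = CHILD_RE.match(line)
        if m and current is not None:
            # Child lines belong to the most recent IKE SA header.
            sas[current]["children"].append(m.group(4))
    return sas


def classify(sas):
    """Map each connection to 'up', 'ike-only' (Phase 1 only) or 'down'."""
    result = {}
    for name, info in sas.items():
        established = info["ike_state"] == "ESTABLISHED"
        if established and "INSTALLED" in info["children"]:
            result[name] = "up"
        elif established:
            result[name] = "ike-only"
        else:
            result[name] = "down"
    return result


def child_sa_failures(log_text):
    """Count Phase 2 proposal failures per connection name in charon log text."""
    counts = {}
    for line in log_text.splitlines():
        m = P2_FAIL_RE.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def report(sas_text, log_text):
    """Combine both views: connections that look Up but have no CHILD_SA."""
    states = classify(parse_sas(sas_text))
    failures = child_sa_failures(log_text)
    return {name: (state, failures.get(name, 0)) for name, state in states.items()}


if __name__ == "__main__":
    for name, (state, fails) in report(SAMPLE_SAS, SAMPLE_LOG).items():
        print(f"{name:8s} {state:9s} phase2-failures={fails}")
```

On a real firewall, feed it the live output (`swanctl --list-sas` and the IPsec log from `clog /var/log/ipsec.log` on pfSense, or `/var/log/syslog` on a plain strongSwan host) instead of the constructed samples. An `ike-only` connection is the one Status: IPsec will show as Established while passing nothing, and the paired failure count points at which side rejected the Phase 2 proposal.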