    Active IPsec tunnel between pfSense and OPNsense is active, suddenly reconnects with 0 bytes in phase 2

    General pfSense Questions
    14 Posts 4 Posters 2.0k Views
    • cwo @stephenw10

      @stephenw10

      Hi. Yes, there is no traffic on either side. I'll try to post some screenshots on Monday.

      Regards,
      Christian

      • stephenw10 (Netgate Administrator)

        Even when initiated from either side?

        If one side was doing something odd I might expect to at least see outbound packets on one side if traffic was initiated from that side.

        If there's actually no traffic at all it sounds like maybe the routes are missing so it's not trying.

        • cwo @stephenw10

          @stephenw10

          Sorry for the delay. The connection is initiated from pfSense (branch office) to OPN (HQ). The OPN is only waiting for incoming requests. We use certificate-based authentication, not PSK.

          Yesterday, I found the IPsec tunnel in this state:
          20231113-0842.png

          On the other side, I found that the SPIs of "Phase 2" do not match on both sides:

          20231113-0844.png

          After dropping the tunnel (restarting the service) on the pfSense side, it went back online but traffic flows only in one direction:

          20231113-0846.png

          Then I did the same thing I do every day when this happens: I went to the OPN side, into Phase 1, and made a very small change in the DPD settings (for example changing the delay from the default 10 seconds to 9 seconds), just to make a change and get the ability to "apply" the changes.

          This seems to reset something, and the traffic immediately starts running through the tunnel.

          I will try to provide a pfSense IPsec log, but the log contains a lot of personal information like IP addresses and certificate names of my company that needs to be truncated first.

          Regards,

          Christian

          • cwo @michmoor

            @michmoor

            Sorry for the delay. I attached the ipsec.log file from the pfSense.

            ipsec.txt

            Regards,
            Christian

            • stephenw10 (Netgate Administrator)

              Nothing logged there really looks like a significant error.

              In any of those intermediate states do the SPIs match?

              Do you see routes at either end in any of those states?

              • jimp (Rebel Alliance Developer, Netgate)

                Any time I've seen issues close to this it's because of collisions in the negotiation where both sides are rebuilding things at the same time and then can end up confused or broken in various ways.

                I'm not sure what options you may have on the peer, but go over all the suggestions here in this doc:

                https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-duplicate-sa.html

                • cwo @jimp

                  @jimp
                  Thank you. This could explain it. I will follow the link and check the options :-)

                  Regards, Christian

                  • cwo @stephenw10

                    @stephenw10

                    If I see this correctly, the SPIs do not match fully.

                    I always thought that if the tunnel is up, DPD would handle the problem if the SPIs don't match?!? It is active on both sides.

                    I don't understand what you mean by "seeing routes". I use VTI mode with static routes defined under System > Gateway. Looking at the tunnel status under

                    Status > IPsec

                    shows a "Local 0.0.0.0/0" and "Remote 0.0.0.0/0".

                    The gateway, defined within the Netgate, points to the Tunnel-IP from the OPN and vice versa. A route on each side points to the IP network on the other side.

                    I also disabled "Gateway Monitoring" and "Gateway Action".

                    Regards, Christian

                    • stephenw10 (Netgate Administrator)

                      DPD can still work even if the child SAs are mismatched, so traffic doesn't actually pass.

                      Do you actually see routes present in the routing tables when it stops passing though? This feels like it could be missing routes that are replaced when you make any save to the tunnel.

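As an added example (not code from this thread, nor from pfSense or OPNsense): the SPI cross-check behind stephenw10's point that DPD keeps the IKE SA alive while mismatched child SAs silently drop traffic. The SA lists below are constructed sample data; on a strongSwan-based firewall the real values are the in/out SPIs shown per child SA under Status > IPsec or by `swanctl --list-sas`.

```python
"""Cross-check phase 2 (child SA) SPIs reported by two IPsec peers.

ESP SPIs are chosen by the receiver, so on a healthy tunnel the SPI one
peer lists as outbound must be the other peer's inbound SPI, and vice
versa. A child SA known to only one side is stale: IKE and DPD still
succeed while ESP sent on that SA is dropped ("tunnel up, 0 bytes").
More than one fully matched pair points to duplicate SAs, as left behind
by a rekey collision.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChildSA:
    conn: str
    spi_in: str   # SPI this peer expects on inbound ESP (lower-case hex)
    spi_out: str  # SPI this peer puts on outbound ESP


def compare_child_sas(local, remote):
    """Return (matched_pairs, stale_local, stale_remote)."""
    matched, stale_local = [], []
    remaining = list(remote)          # remote SAs not yet paired
    for sa in local:
        peer = next((r for r in remaining
                     if r.spi_in == sa.spi_out and r.spi_out == sa.spi_in), None)
        if peer is None:
            stale_local.append(sa)    # nobody on the far side decrypts this
        else:
            matched.append((sa, peer))
            remaining.remove(peer)
    return matched, stale_local, remaining


def tunnel_health(local, remote):
    """Summarise the comparison as 'ok', 'duplicate' or 'mismatch'."""
    matched, stale_l, stale_r = compare_child_sas(local, remote)
    if stale_l or stale_r:
        return "mismatch"
    return "ok" if len(matched) == 1 else "duplicate"


# Constructed sample: pfSense still holds a child SA that OPNsense no longer has.
PFSENSE = [ChildSA("con1", "c9f1a2b3", "5e6f7081"),
           ChildSA("con1", "1a1a1a1a", "2b2b2b2b")]
OPNSENSE = [ChildSA("con1", "5e6f7081", "c9f1a2b3")]

if __name__ == "__main__":
    _, stale_l, stale_r = compare_child_sas(PFSENSE, OPNSENSE)
    print(tunnel_health(PFSENSE, OPNSENSE),
          "stale on pfSense:", [s.spi_in for s in stale_l],
          "stale on OPNsense:", [s.spi_in for s in stale_r])
```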
                      • cwo @stephenw10

                        @stephenw10

                        Hi Stephen.

                        I'll give you a reply on this tomorrow (when the error has happened again ;-))

                        Regards,
                        Christian
