    IPSEC connection dropping

bmcnabb:

      I've changed to a single tunnel with different p1 and p2 lifetimes.  Hopefully that will stabilize them.

bmcnabb:

Well, it stayed up for one lifetime (86400 s) and then went down again.  Here are some logs with IPs masked.  It's confusing to me because the OpenBSD -> pfSense connection is stable, but the pfSense -> pfSense one is not.  It wouldn't be an issue either, except that it takes so long for the tunnel to re-establish.

        Aug 28 10:17:56 racoon: [VPN to office network]: ERROR: XXX.XX.13.230 give up to get IPsec-SA due to time up to wait.
        Aug 28 10:17:26 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: XX.XXX.170.206[0]<=>XXX.XX.13.230[0]
        Aug 28 10:17:11 racoon: [VPN to office network]: ERROR: XXX.XX.13.230 give up to get IPsec-SA due to time up to wait.
        Aug 28 10:16:41 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: XX.XXX.170.206[0]<=>XXX.XX.13.230[0]
        Aug 28 10:16:37 racoon: [VPN to office network]: ERROR: XXX.XX.13.230 give up to get IPsec-SA due to time up to wait.
        Aug 28 10:16:07 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: XX.XXX.170.206[0]<=>XXX.XX.13.230[0]
        Aug 28 10:16:07 racoon: [VPN to office network]: ERROR: XXX.XX.13.230 give up to get IPsec-SA due to time up to wait.
        Aug 28 10:15:37 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: XX.XXX.170.206[0]<=>XXX.XX.13.230[0]
        Aug 28 10:15:37 racoon: [VPN to office network]: INFO: phase2 sa deleted XX.XXX.170.206-XXX.XX.13.230
        Aug 28 10:15:36 racoon: [VPN to office network]: INFO: phase2 sa expired XX.XXX.170.206-XXX.XX.13.230

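As an added example (this is not code from the original poster or from pfSense), here is a small Python log analyser that reads racoon lines in the format shown above and flags a tunnel whose phase 2 SA expired and whose every rekey attempt since has ended in "give up to get IPsec-SA due to time up to wait", as opposed to one that logged "IPsec-SA established" and is fine. The message fragments are racoon's own; the log lines embedded in the script are constructed (RFC 5737 addresses), modelled on the masked ones in the post, and the threshold of three failed attempts before a tunnel counts as stuck is an assumption. Something like this is what you would wire to an alert or a scripted recovery rather than finding out from users that the tunnel never came back.

```python
"""Detect a racoon (ipsec-tools) phase 2 rekey failure loop from syslog lines.

Added example for this thread; not code from pfSense or the original poster.
Assumptions: racoon logs in the pfSense 1.2.x format quoted in the thread
("<Mon DD HH:MM:SS> racoon: [<tunnel description>]: <LEVEL>: <message>"),
the message fragments below are racoon's own, and SAMPLE_LOG is constructed
(RFC 5737 addresses), modelled on the masked lines in the post, newest first.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"\[(?P<tunnel>[^\]]+)\]: (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Message fragments racoon emits at each stage of a phase 2 rekey.
EVENTS = (
    ("expired", "phase2 sa expired"),
    ("deleted", "phase2 sa deleted"),
    ("initiate", "initiate new phase 2 negotiation"),
    ("giveup", "give up to get IPsec-SA due to time up to wait"),
    ("established", "IPsec-SA established"),
)

# Constructed sample: "VPN to office network" is the failure pattern from the
# post (expiry, then retries that all time out); "VPN to branch" rekeys fine.
SAMPLE_LOG = """\
Aug 28 10:17:56 racoon: [VPN to office network]: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Aug 28 10:17:26 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: 192.0.2.10[0]<=>198.51.100.20[0]
Aug 28 10:17:11 racoon: [VPN to office network]: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Aug 28 10:16:41 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: 192.0.2.10[0]<=>198.51.100.20[0]
Aug 28 10:16:37 racoon: [VPN to office network]: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Aug 28 10:16:07 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: 192.0.2.10[0]<=>198.51.100.20[0]
Aug 28 10:16:07 racoon: [VPN to office network]: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Aug 28 10:15:37 racoon: [VPN to office network]: INFO: initiate new phase 2 negotiation: 192.0.2.10[0]<=>198.51.100.20[0]
Aug 28 10:15:37 racoon: [VPN to office network]: INFO: phase2 sa deleted 192.0.2.10-198.51.100.20
Aug 28 10:15:36 racoon: [VPN to office network]: INFO: phase2 sa expired 192.0.2.10-198.51.100.20
Aug 28 09:02:05 racoon: [VPN to branch]: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.10[0]->203.0.113.5[0] spi=305419896(0x12345678)
Aug 28 09:02:04 racoon: [VPN to branch]: INFO: initiate new phase 2 negotiation: 192.0.2.10[0]<=>203.0.113.5[0]
Aug 28 09:02:04 racoon: [VPN to branch]: INFO: phase2 sa deleted 192.0.2.10-203.0.113.5
Aug 28 09:02:03 racoon: [VPN to branch]: INFO: phase2 sa expired 192.0.2.10-203.0.113.5
"""


def parse_line(line):
    """Return (timestamp, tunnel, level, event, msg), or None for a non-racoon line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; only differences between them are used.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    event = next((name for name, frag in EVENTS if frag in m["msg"]), "other")
    return ts, m["tunnel"], m["level"], event, m["msg"]


def analyse(lines, max_failed_attempts=3):
    """Per tunnel, decide whether the phase 2 rekey has been failing since the last expiry.

    Lines may arrive in any order (the post lists them newest first); they are
    sorted by timestamp. A tunnel is "stuck" when no "IPsec-SA established"
    has followed the expiry and at least max_failed_attempts retries gave up.
    """
    parsed = sorted(filter(None, map(parse_line, lines)), key=lambda p: p[0])
    state = {}
    for ts, tunnel, _level, event, _msg in parsed:
        s = state.setdefault(tunnel, {"expired_at": None, "failed_attempts": 0,
                                      "recovered": False, "last_ts": ts})
        s["last_ts"] = ts
        if event == "expired":
            # A new rekey cycle starts: reset the counters for this tunnel.
            s.update(expired_at=ts, failed_attempts=0, recovered=False)
        elif event == "giveup":
            s["failed_attempts"] += 1
            s["recovered"] = False
        elif event == "established":
            s["recovered"] = True

    report = {}
    for tunnel, s in state.items():
        since = (s["last_ts"] - s["expired_at"]).total_seconds() if s["expired_at"] else 0.0
        report[tunnel] = {
            "expired_at": s["expired_at"],
            "failed_attempts": s["failed_attempts"],
            "recovered": s["recovered"],
            "stuck": (not s["recovered"]) and s["failed_attempts"] >= max_failed_attempts,
            "seconds_since_expiry": since,
        }
    return report


if __name__ == "__main__":
    for tunnel, r in analyse(SAMPLE_LOG.splitlines()).items():
        status = "STUCK, manual recovery needed" if r["stuck"] else "ok"
        print(f"{tunnel}: {r['failed_attempts']} failed phase 2 attempts, "
              f"{r['seconds_since_expiry']:.0f}s since expiry: {status}")
```

Run it against `/var/log/ipsec.log` (or wherever racoon logs on your build) instead of the embedded sample to get a per-tunnel verdict; the "expired" event resets the counter, so a tunnel that eventually rekeys on its own does not stay flagged across later lifetimes.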
bmcnabb:

Some more information.  I set the lifetime of phase 1 to 10 days and the lifetime of phase 2 to 1 day.  After 1 day the VPN tunnel went down and did not come back up until I 1) disabled both ends of the tunnel, 2) ran setkey -FP on both ends of the tunnel, 3) restarted both racoons, and 4) re-enabled the tunnels.  I've tried many different ways to get the tunnels back up when they get into this state, but this seems to be the only reliable way I can do it.

jimp (Rebel Alliance Developer, Netgate):

            A little late, I know, but you may want to try a new 1.2.3-RC3 snapshot. The NAT-T feature caused a lot of IPsec regressions just like the one you are seeing, and has been removed. If you try a snapshot from the past couple days it should behave a lot better.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

bmcnabb:

I'm running 1.2.2, which I thought didn't have NAT-T.  I'm trying to avoid running 1.2.3 until it's stable and not an RC, since this is a production environment.  I still have the problem, but I've bandaged it by setting the lifetimes to 10 days so that the tunnel only drops once every 10 days instead of multiple times a day like before.

jimp:

Ah, never mind then. It may still be worth a try.

                1.2.3 is just about ready to go, there are just one or two issues holding it up. It may even be in the next week.


bmcnabb:

It's just confusing to me that the tunnels from pfSense <-> OpenBSD are stable, but the tunnels from pfSense <-> pfSense aren't.  I would have thought it would be the opposite.

jimp:

                    Hard to say why that may be the case.

                    Do you know what version of ipsec-tools is running on the OpenBSD box?


bmcnabb:

I'm not sure.  It's an older box that I didn't set up, and I'm not very familiar with OpenBSD.  Any suggestions on how to check the version?

jimp:

                        It usually prints it in the log, wherever racoon is set to log to. It may just be in the main system log.


bmcnabb:

Hmm… looking at a ps, I don't think it's even running racoon.  Looks like it's just running isakmpd.

jimp:

                            Well then I really have no idea on that one. Unfortunately, ipsec-tools does have more than its fair share of bugs.

                            They are nearing the release of a new version, but it won't be out in time for 1.2.3. Hopefully it will work out for 2.0, though.

