IPsec fails to renegotiate after loss of a peer
-
@bkm:
cmb - what is the command to change the rekey back to the default if I later change it to force as below:
Edit /etc/inc/vpn.inc and remove the line:
rekey force;
-
Thanks cmb.
The rekey option looks similar to an option on my Netopias that I am testing on a few tunnels. I haven't been able to tell yet if it has helped. I may try the rekey option in pfSense in a couple weeks if I am still having issues.
-
So far all of my tunnels have been fine since the update. And that even includes a connectivity loss between one of the remote routers which renegotiated fine, and lifetime expirations on all of them.
I'll keep an eye on them though.
-
Jimp, do you have Prefer old IPSEC SAs turned on? I know the BEFSX41 is quite similar to the BEFVP41 and I'd be surprised if yours worked without that setting.
Following two ISP equipment malfunctions today from the ISP we are moving away from, I will be changing over all the other locations early tomorrow morning. I'm fairly confident that it should go smoothly because of the one tunnel I got to stay up last night and a second I moved over today.
I'll report any issues I come across.
-
You know, I don't remember checking that but it is set.
-
I restarted racoon today when all of my tunnels were up. It only took about 3 minutes for 9 tunnels to come back. This was not the case when the tunnels had died on their own. I'm guessing that some state or SAD was probably not letting itself get terminated. I'll post again if I have any new info.
-
I just ran fetch -o /etc/inc/vpn.inc rekeyforcevpn.inc, restarted racoon and the service would no longer start. Since I needed these tunnels back up and running, I just reinstalled 1.2.3-rc3 and things came back up.
Not sure if it's something I did or an issue with the script.
-
I just ran fetch -o /etc/inc/vpn.inc rekeyforcevpn.inc, restarted racoon and the service would no longer start.
I'll admit I didn't test it, but it's a simple one line config change that per the racoon man page is correct. What did your logs show?
-
To be honest, I didn't even look. It was already late and I didn't have the energy to troubleshoot it when I figured just a quick reload of the firmware would fix it. I just tried running clog /var/log/ipsec.log in Diag>Command, but I didn't see anything relevant.
-
Well, I moved over almost every location this morning so there are now 25 tunnels up and running for about 6 hours. No VPN issues so far and each phase 2 lifetime is set to 3600 seconds. I'll hold off final judgment for a few more days but so far so good with 1.2.3-RC3 and all the devices I previously mentioned.
-
I updated from 1.2.2 to 1.2.3-RC3 in an effort to do some testing. I noticed one thing so far: all my encryption algorithms are blank/reset, yet all my tunnels came up after about 2 minutes (automatically).
I have 12 tunnels, all but 1 to pfSense, the 1 to Cisco PIX.
-
So everything has been staying up over the weekend. I'd call it a successful upgrade. The only issue for me was the IPSEC SAs to get the linksys boxes happy. Thanks for the help and suggestions everyone.
;D
-
Seems like rekeyforcevpn.inc is no longer available, could anyone kindly post it somewhere else?
Thanks a lot.
-
Seems like rekeyforcevpn.inc is no longer available, could anyone kindly post it somewhere else?
Because it did nothing but generate a broken configuration, so it was removed. It's also not needed.