Netgate Discussion Forum
    IPsec fails to renegotiate after loss of a peer

    71 Posts 15 Posters 66.3k Views
    • jimp (Rebel Alliance Developer, Netgate)

      You know, I don't remember checking that but it is set.

    • bkm

        I restarted racoon today when all of my tunnels were up. It only took about 3 minutes for 9 tunnels to come back. This was not the case when the tunnels had died on their own. I'm guessing that some state or SAD was probably not letting itself get terminated. I'll post again if I have any new info.

    • netmethods

          I just ran fetch -o /etc/inc/vpn.inc rekeyforcevpn.inc, restarted racoon and the service would no longer start. Since I needed these tunnels back up and running, I just reinstalled 1.2.3-rc3 and things came back up.

          Not sure if it's something I did or an issue with the script.

          2x Nexcom 1088n8 in HA config
          2.4 GHz Quad Core / 4GB DDR2 / SATAII 160GB / 4x1GB Intel module

    • cmb

            @netmethods:

            I just ran fetch -o /etc/inc/vpn.inc rekeyforcevpn.inc, restarted racoon and the service would no longer start.

            I'll admit I didn't test it, but it's a simple one line config change that per the racoon man page is correct. What did your logs show?

    • netmethods

              To be honest, I didn't even look. It was already late and I didn't have the energy to troubleshoot it when I figured just a quick reload of the firmware would fix it. I just tried running clog /var/log/ipsec.log in Diag>Command, but I didn't see anything relevant.

    • focalguy

                Well, I moved over almost every location this morning so there are now 25 tunnels up and running for about 6 hours. No VPN issues so far and each phase 2 lifetime is set to 3600 seconds. I'll hold off final judgment for a few more days but so far so good with 1.2.3-RC3 and all the devices I previously mentioned.

    • DWAyotte

      I updated from 1.2.2 to 1.2.3-RC3 in an effort to do some testing. I noticed one thing so far: all my encryption algorithms are blank/reset, yet all my tunnels came up after about 2 minutes (automatically).
      I have 12 tunnels, all but one to pfSense; the one exception is to a Cisco PIX.

    • focalguy

      So everything has been staying up over the weekend. I'd call it a successful upgrade. The only issue for me was the IPsec SAs to get the Linksys boxes happy. Thanks for the help and suggestions everyone.
                    ;D

    • fabioc

                      Seems like rekeyforcevpn.inc is no longer available, could anyone kindly post it somewhere else?

                      Thanks a lot.

    • cmb

                        @fabioc:

                        Seems like rekeyforcevpn.inc is no longer available, could anyone kindly post it somewhere else?

                        Because it did nothing but generate a broken configuration, so it was removed. It's also not needed.
