IPsec tunnel stalled if peer IP is updated
-
… until restarting racoon.
DPD is enabled, but racoon didn't recognize that the other side doesn't respond.
Changing "Proposal Checking" doesn't work.
-
Please provide logs and a more thorough, detailed description of your setup.
-
<phase1>
  <ikeid>5</ikeid>
  <interface>wan</interface>
  <remote-gateway>xxxx.dyndns.org</remote-gateway>
  <mode>aggressive</mode>
  <myid_type>fqdn</myid_type>
  <myid_data>hq1</myid_data>
  <peerid_type>fqdn</peerid_type>
  <peerid_data>xxxx</peerid_data>
  <encryption-algorithm>
    <name>aes</name>
    <keylen>128</keylen>
  </encryption-algorithm>
  <hash-algorithm>md5</hash-algorithm>
  <dhgroup>2</dhgroup>
  <lifetime>3600</lifetime>
  <pre-shared-key>xxxxxxxxxxxxxxxxxxxxxxx</pre-shared-key>
  <private-key></private-key>
  <certref>4cdc19617089e</certref>
  <caref></caref>
  <authentication_method>pre_shared_key</authentication_method>
  <proposal_check>claim</proposal_check>
  <nat_traversal>off</nat_traversal>
  <dpd_delay>10</dpd_delay>
  <dpd_maxfail>5</dpd_maxfail>
</phase1>
<phase2>
  <ikeid>5</ikeid>
  <mode>tunnel</mode>
  <localid>
    <type>network</type>
    <address>10.19.0.0</address>
    <netbits>22</netbits>
  </localid>
  <remoteid>
    <type>network</type>
    <address>192.168.1.0</address>
    <netbits>24</netbits>
  </remoteid>
  <protocol>esp</protocol>
  <encryption-algorithm-option>
    <name>aes</name>
    <keylen>128</keylen>
  </encryption-algorithm-option>
  <hash-algorithm-option>hmac_md5</hash-algorithm-option>
  <pfsgroup>5</pfsgroup>
  <lifetime>3600</lifetime>
  <pinghost>192.168.1.1</pinghost>
</phase2>
-
Is it a pfSense to pfSense VPN? If it is not a pfSense box on the other end try disabling DPD.
Also check System-Advanced-Misc to see if you enabled the 'Prefer older IPsec SAs' checkbox. Also, ermal meant logfile outputs, not the config...
-
First I had to collect new logfiles.
Prefer older IPsec SAs is disabled. I'm using a bintec R1200 and DPD works. I have 10 more bintec routers, which work perfectly if no IP changes.
15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: received request sequence 447
15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: sent response sequence 447
If I restart the DSL (to get a new IP) on the bintec, the bintec tries to connect to the pfSense.
The pfSense log:
racoon: [peer1]: WARNING: remote address mismatched. db=79.202.115.217[500], act=84.168.159.32[500]
racoon: ERROR: couldn't find configuration.
But the pfSense didn't recognize the missing response on DPD and doesn't try to connect to the bintec.
I think the pfSense never tries to connect to the bintec.
-
Now I deleted the peer address on the bintec, so it cannot connect to the pfSense.
If I reset the IPsec tunnel, the SAs on the pfSense are deleted and the tunnel is reconnected.
But if I reset the DSL interface, the SAs are not deleted and the pfSense doesn't try to connect.
Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=84.168.159.32[500], act=84.168.184.54[500]
Dec 6 16:22:01 last message repeated 3 times
Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12
Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.
Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12
If I enable the bintec to connect to the pfSense, I get:
racoon: ERROR: couldn't find configuration
-
Do you have any entry similar to this in logs?
'Reloading IPsec tunnel' etc.
-
Sorry, I don't have such nice things.
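The "remote address mismatched", "DPD: remote ... seems to be dead" and "ISAKMP-SA deleted" messages quoted in this thread are enough to detect the stall from the log alone. The following Python script is an added example for this page, not code from pfSense, racoon or any poster: it reads racoon log lines of the kinds shown above and reports whether the peer has moved to a new address and, if so, whether racoon ever established a new ISAKMP SA towards that address (recovered) or not (stalled). The stalled sample is assembled from the lines posted above (the timestamp on its last line is added); the recovered variant, its timestamp and its SPI value are constructed placeholders.

```python
"""Spot a stalled IPsec peer in racoon logs after the peer's address changed.

Added example for this thread, not code from pfSense, racoon or any poster.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Message shapes taken from the racoon log lines quoted in the thread above.
MISMATCH_RE = re.compile(
    r"WARNING: remote address mismatched\. "
    r"db=(?P<db>[\d.]+)\[\d+\], act=(?P<act>[\d.]+)\[\d+\]"
)
DEAD_RE = re.compile(
    r"DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f]+:[0-9a-f]+)\) seems to be dead"
)
SA_EVENT_RE = re.compile(
    r"ISAKMP-SA (?P<event>established|expired|deleted) "
    r"(?P<local>[\d.]+)\[\d+\]-(?P<remote>[\d.]+)\[\d+\] "
    r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)"
)
NOCONF_RE = re.compile(r"ERROR: couldn't find configuration")


@dataclass
class PeerReport:
    db_address: Optional[str] = None       # address racoon still holds for the peer
    actual_address: Optional[str] = None   # address the peer now sends from
    dead_spis: List[str] = field(default_factory=list)     # SAs DPD declared dead
    deleted_spis: List[str] = field(default_factory=list)  # SAs torn down
    established_with: List[str] = field(default_factory=list)  # remotes after the move
    unmatched_peers: int = 0               # "couldn't find configuration" hits

    @property
    def peer_moved(self) -> bool:
        return self.db_address is not None and self.db_address != self.actual_address

    @property
    def stalled(self) -> bool:
        """Peer moved, the old SA was declared dead or deleted, and no SA was
        established towards the new address afterwards."""
        return (self.peer_moved
                and bool(self.dead_spis or self.deleted_spis)
                and self.actual_address not in self.established_with)


def analyse(lines: Iterable[str]) -> PeerReport:
    """Walk the log once and fill in a PeerReport."""
    report = PeerReport()
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            report.db_address = m.group("db")
            report.actual_address = m.group("act")
            report.established_with.clear()  # only SAs set up after the move count
            continue
        m = DEAD_RE.search(line)
        if m:
            report.dead_spis.append(m.group("spi"))
            continue
        m = SA_EVENT_RE.search(line)
        if m:
            if m.group("event") == "deleted":
                report.deleted_spis.append(m.group("spi"))
            elif m.group("event") == "established":
                report.established_with.append(m.group("remote"))
            continue
        if NOCONF_RE.search(line):
            report.unmatched_peers += 1
    return report


def summarize(report: PeerReport) -> str:
    """One-line verdict suitable for a monitoring check."""
    if not report.peer_moved:
        return "peer address unchanged"
    state = "STALLED" if report.stalled else "recovered"
    return (f"{state}: peer moved {report.db_address} -> {report.actual_address}, "
            f"{len(report.dead_spis)} dead / {len(report.deleted_spis)} deleted SA(s), "
            f"{report.unmatched_peers} unmatched inbound attempt(s)")


# Log lines as posted in the thread above (the last timestamp is added here).
STALLED_LOG = """\
Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=84.168.159.32[500], act=84.168.184.54[500]
Dec 6 16:22:01 last message repeated 3 times
Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12
Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.
Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12
Dec 6 16:22:10 racoon: ERROR: couldn't find configuration.
"""

# Constructed variant: the same events followed by a new SA towards the new
# address (timestamp and SPI are placeholders, not from the thread).
RECOVERED_LOG = STALLED_LOG + (
    "Dec 6 16:22:30 racoon: [peer1]: INFO: ISAKMP-SA established "
    "178.26.171.103[500]-84.168.184.54[500] spi:0000000000000001:0000000000000002\n"
)

if __name__ == "__main__":
    for name, log in (("posted log", STALLED_LOG), ("constructed log", RECOVERED_LOG)):
        print(f"{name}: {summarize(analyse(log.splitlines()))}")
```

Run against the posted log it prints a STALLED verdict with the old and new peer addresses; against the constructed variant it reports recovered. Feeding the real /var/log/ipsec.log (or whichever file racoon writes to on the box) through `analyse` from a cron job gives an early signal that the tunnel needs a manual reload, which is exactly what the poster had to do by hand.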