IPSEC tunnels keep going down between 2.0 and 1.2.3
-
Every few hours my trunk between my 2.0 and 1.2.3 will go down.
To bring them back up, I log in to the 1.2.3 pfSense and delete the first three SAD keys binding the two together.
They look like this:
20.20.20.20 10.10.10.10 ESP 03e87c1c 3des-cbc hmac-md5
The 2.0 logs show this:
Apr 1 00:22:05 racoon: [Lexington]: INFO: ISAKMP-SA deleted 10.10.10.10[500]-20.20.20.20[500] spi:cba1fdb8aa90d7df:0086c5a874dea4d3
Apr 1 00:22:14 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 1 00:22:14 racoon: INFO: received Vendor ID: DPD
Apr 1 00:22:14 racoon: [20.20.20.20] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Apr 1 00:22:14 racoon: [Lexington]: INFO: ISAKMP-SA established 10.10.10.10[500]-20.20.20.20[500] spi:1eb67cdcac0453e4:bcbd5e115b918403
Apr 1 00:22:15 racoon: [Lexington]: INFO: initiate new phase 2 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
Apr 1 00:22:15 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=12082165(0xb85bf5)
Apr 1 00:22:15 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=77822915(0x4a37bc3)
Apr 1 00:34:02 racoon: INFO: purged IPsec-SA proto_id=ESP spi=77822915.
Apr 1 00:34:08 racoon: [Lexington]: INFO: respond new phase 2 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
Apr 1 00:34:08 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=65567772(0x3e87c1c)
Apr 1 00:34:08 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=39298724(0x257a6a4)
Please help…
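An added example, not code from the thread or from pfSense, that parses racoon entries like the ones above and reports ESP SAs that were purged well before their expected lifetime, which is the pattern behind the "tunnel keeps going down" symptom. The log year (2011) and the 3600 s threshold are assumptions; set the threshold to the phase 2 lifetime configured on the tunnel.

```python
import re
from datetime import datetime

# Constructed sample: the ESP-related racoon lines from the post above, one per line.
SAMPLE_LOG = """\
Apr 1 00:22:05 racoon: [Lexington]: INFO: ISAKMP-SA deleted 10.10.10.10[500]-20.20.20.20[500] spi:cba1fdb8aa90d7df:0086c5a874dea4d3
Apr 1 00:22:15 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=12082165(0xb85bf5)
Apr 1 00:22:15 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=77822915(0x4a37bc3)
Apr 1 00:34:02 racoon: INFO: purged IPsec-SA proto_id=ESP spi=77822915.
Apr 1 00:34:08 racoon: [Lexington]: INFO: respond new phase 2 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
Apr 1 00:34:08 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=65567772(0x3e87c1c)
Apr 1 00:34:08 racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=39298724(0x257a6a4)
"""

# Syslog-style prefix (no year), then the racoon message.
TS_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: (.*)$")
EST_RE = re.compile(r"IPsec-SA established: ESP .* spi=(\d+)\(")
PURGE_RE = re.compile(r"purged IPsec-SA proto_id=ESP spi=(\d+)")


def parse_events(text, year=2011):
    """Return [(timestamp, 'established'|'purged', spi)] for ESP SA lines.

    The year is assumed because syslog timestamps do not carry one.
    """
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        est = EST_RE.search(msg)
        purge = PURGE_RE.search(msg)
        if est:
            events.append((ts, "established", int(est.group(1))))
        elif purge:
            events.append((ts, "purged", int(purge.group(1))))
    return events


def short_lived_sas(text, min_lifetime_s=3600):
    """Map spi -> lifetime in seconds for SAs purged before min_lifetime_s.

    An SA torn down long before the configured phase 2 lifetime points at
    DPD, a peer-side delete, or a lifetime mismatch rather than normal rekeying.
    """
    started, short = {}, {}
    for ts, kind, spi in parse_events(text):
        if kind == "established":
            started[spi] = ts
        elif kind == "purged" and spi in started:
            life = (ts - started.pop(spi)).total_seconds()
            if life < min_lifetime_s:
                short[spi] = life
    return short
```

On the sample above, SPI 77822915 lives only 707 seconds before being purged, while the other SPIs never see a purge line in this window.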
-
Bump
-
I'm seeing the same thing.
We have 3 sites with IPSEC tunnels between them - all were running 1.2.3 and everything was fine.
Upgraded one site to 2.0 RC1 and now the tunnels keep dropping.
In my case, I've been restarting the racoon service on the 2.0 box and then one of the tunnels starts right back up. I have to ping a host in the other networks for the other to come back alive again.
Ideas? Need more info?
-
alanbryan, I got absolutely the same problem; it works only after restarting the racoon service on the main office's PF 2.0 RC1. The IPsec tunnel disconnected overnight.
And the same problem between 2.0 RC1 and 2.0 RC1; I have tested both configurations.
-
Turn off DPD when using 1.2.3 -> 2.0 most likely.
-
sullrich, thank you for the reply.
I'm trying with DPD off on pf 1.2.3; I think the problem is on the pf 2.0 RC1 site. I opened a new discussion on the 2.0 RC1 forum (http://forum.pfsense.org/index.php/topic,35487.0.html) with config and log info.
But nobody has answered yet :(
-
Thanks Scott! I've turned off DPD and will report back in a few days on my findings.
-
At last I found my periodic IPsec disconnect problem after researching in redmine: I'm using PPTP from home to connect to the corporate PF 2.0 RC1 firewall.
Same issue as Chris Buechler described in bug 1421 (http://redmine.pfsense.org/issues/1421). Today I noticed that after my PPTP disconnects, all IPsec tunnels disconnect. I can supply any logs and configs for deeper research. Regards.
-
DPD off on the 2.0 side doesn't appear to have made any change for us.