Netgate Discussion Forum

    VPN stops working, one endpoint drops ESP/ISAKMP packets

    IPsec
    5 Posts 2 Posters 2.3k Views
    drees

      pfSense 2.0.2 on both sides.

      Anyone ever have a situation where one end of the VPN starts dropping IPsec packets (these show up in the filter log) and as a result the VPN stops working?

      A workaround is to manually insert 2 fw rules that explicitly allow IPsec packets from the other endpoint, then magically the VPN starts working again.

      So one rule that allows ESP packets from the other endpoint and another rule that allows UDP/500 packets from the other endpoint.

      It seems like perhaps there is some sort of race condition where the appropriate filter rules aren't being added?

      The only factor I can think of is that I've only seen this on clustered/HA pfSense instances which are sharing a CARP IP and that CARP IP is the VPN endpoint…

      Any ideas?

      cmb

        The auto-added VPN rules can be disabled. It can continue to work for potentially a long time after disabling those because of the existing states, then something happens that those states are cleared and it no longer works since that traffic isn't being passed. The only circumstance I've ever seen or heard of missing IPsec rules is when they're disabled. CARP isn't directly related, that's widely done and works fine.

        drees

          Ah, that could be it.

          The setting you are referring to is the "Disable all auto-added VPN rules" setting under "System: Advanced: Firewall and NAT"?

          So if that setting is enabled, the specific firewall rules to allow VPN traffic through will not be created, correct?

          Is there a way to see what auto-created rules are generated?

          cmb

            @drees:

            Ah, that could be it.

            The setting you are referring to is the "Disable all auto-added VPN rules" setting under "System: Advanced: Firewall and NAT"?

            Yes

            @drees:

            So if that setting is enabled, the specific firewall rules to allow VPN traffic through will not be created, correct?

            Correct.

            @drees:

            Is there a way to see what auto-created rules are generated?

            /tmp/rules.debug

            drees

              Thanks!

              So in this particular case when this issue cropped up, I had 2 VPNs drop between 3 pfSense machines.

              FW-A: Single pfSense box
              FW-B: HA pfSense boxes
              FW-C: HA pfSense boxes

              There are 2 IPsec VPNs: 1 between FW-A <-> FW-B and 1 between FW-A <-> FW-C.

              I did find that the "Disable all auto-added VPN rules" was enabled on FW-A and FW-C which is now disabled, but the setting was already disabled on FW-B.

              Looking at /tmp/rules.debug under "VPN Rules" I see rules on both FW-A and FW-C, but none under FW-B. Any idea why? I've double and triple checked the "Disable all auto-added VPN rules" setting and did note that when enabled, a comment under VPN rules is noted as disabled so I know the setting is being noted.

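The check a practitioner would want after reading cmb's "/tmp/rules.debug" answer and the last post's "VPN Rules" section is a quick way to confirm, per peer, whether the three inbound IPsec pass rules (ESP, ISAKMP on UDP/500, NAT-T on UDP/4500) actually made it into the generated ruleset. The script below is an added example, not code from the thread or from pfSense: the rule text it embeds is a constructed approximation of pf rules, the "disabled" marker comment wording is an assumption (the post only says such a comment appears), and the peer addresses 198.51.100.20, 203.0.113.10 and 192.0.2.99 are documentation ranges chosen for the sample.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: check a rules.debug
# file for the auto-added IPsec pass rules for one peer. The rule text in
# write_sample_rules is a constructed approximation of what pfSense emits;
# exact wording differs by version, so adjust the grep patterns to match
# the real /tmp/rules.debug on your box.

# Escape the dots in an IPv4 address so it can be used inside an ERE.
escape_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# count_ipsec_rules FILE PEER
# Prints how many of the three expected inbound pass rules from PEER are
# present: ESP (IP proto 50), ISAKMP (UDP/500) and NAT-T (UDP/4500).
count_ipsec_rules() {
    file=$1
    peer=$(escape_ip "$2")
    n=0
    grep -Eq "^pass in .*proto esp .*from $peer " "$file" && n=$((n + 1))
    grep -Eq "^pass in .*proto udp .*from $peer .*port (= )?500( |$)" "$file" && n=$((n + 1))
    grep -Eq "^pass in .*proto udp .*from $peer .*port (= )?4500( |$)" "$file" && n=$((n + 1))
    echo "$n"
}

# vpn_rules_disabled FILE
# Returns 0 if the "# VPN Rules" comment says the rules are disabled.
# The marker wording is an assumption for this example.
vpn_rules_disabled() {
    grep -Eqi "^# VPN Rules.*disabled" "$1"
}

# write_sample_rules PATH [disabled]
# Writes a constructed rules.debug fragment to PATH and prints PATH.
# Peer 198.51.100.20 gets all three inbound rules; with "disabled" the
# section holds only the marker comment, as when "Disable all auto-added
# VPN rules" is checked.
write_sample_rules() {
    path=$1
    if [ "$2" = "disabled" ]; then
        printf '# VPN Rules (disabled by the auto-added VPN rules setting)\n' > "$path"
    else
        cat > "$path" <<'EOF'
# VPN Rules
pass out quick on $WAN proto udp from 203.0.113.10 to 198.51.100.20 port = 500 keep state label "IPsec: peer - outbound isakmp"
pass in quick on $WAN reply-to ( em0 203.0.113.1 ) proto udp from 198.51.100.20 to 203.0.113.10 port = 500 keep state label "IPsec: peer - inbound isakmp"
pass in quick on $WAN reply-to ( em0 203.0.113.1 ) proto udp from 198.51.100.20 to 203.0.113.10 port = 4500 keep state label "IPsec: peer - inbound nat-t"
pass in quick on $WAN reply-to ( em0 203.0.113.1 ) proto esp from 198.51.100.20 to 203.0.113.10 keep state label "IPsec: peer - inbound esp proto"
EOF
    fi
    echo "$path"
}

# Stand-alone usage on the constructed sample; on a live firewall point
# count_ipsec_rules and vpn_rules_disabled at /tmp/rules.debug instead.
sample=$(write_sample_rules "${TMPDIR:-/tmp}/rules.debug.sample")
echo "rules for 198.51.100.20: $(count_ipsec_rules "$sample" 198.51.100.20) of 3"
echo "rules for 192.0.2.99:    $(count_ipsec_rules "$sample" 192.0.2.99) of 3"
vpn_rules_disabled "$sample" && echo "auto-added VPN rules are disabled"
rm -f "$sample"
```

A count below 3 for a peer whose tunnel is up is exactly the situation the thread describes: the tunnel keeps working on existing states until they are cleared, then ESP and UDP/500 from that peer hit the default deny and show up in the filter log. Running the check on both members of an HA pair is worthwhile, since the setting is per box and, as the last post shows, the two nodes can disagree.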
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.