How to make ipsec tunnel to be established automatically if dropped?

mephisto

Hi there,

I have a WAN link that once in a while is dropping and the ipsec tunnels drops too, but then I need to manually click on the play button on ipsec status to establish it again.

Is there an option to select to re establish the connection when dropped?

Thanks!

mephisto

I think this is the option for this

Dead Peer Detection Enable DPD

seconds
Delay between requesting peer acknowledgement.

retries
Number of consecutive failures allowed before disconnect.

I'm testing it at the moment, but I would like to ensure for example if I reboot the firewall the tunnels will be re established automatically as well

mephisto

Well that was the option that I was also looking for that we can find on watchguard firewalls:

Send IKE Keep Alive Messages
Keep alive interval seconds

Enable Dead Peer Detection
Maximum DPD attempts
DPD Timeout

Do we have this IKE keep alive messages on pfsense?

luckman212

Was this ever answered definitively? I also have to click the "play" button from time to time. Not sure why. Is there a way to auto-restart the tunnel? (pfSense 2.0.3)

mephisto

@luckman212:

Was this ever answered definitively? I also have to click the "play" button from time to time. Not sure why. Is there a way to auto-restart the tunnel? (pfSense 2.0.3)

No, but it has rarely happened now. I'm alsu using 2.0.3 and so far I don;t remember last time I had to click on "play"

luckman212

I just upgraded a couple of these to 2.0.3
will see how it goes.  working nicely so far  :D

jimp

The tunnel will establish itself when traffic is seen on the tunnel. There are three ways to make that happen:

1. Something behind the firewall sends traffic to the other end of the tunnel.
2. You fill in the "automatically ping host" in the Phase 2 config with an IP inside the other end of the tunnel
3. You click the "connect" button which just sends a ping to an IP in the far side of the Phase 2.

In the case of #2 and #3, it requires the firewall to have an IP address on it that is inside of the local phase 2 network to function.

There isn't really any need to keep the tunnel up in most cases, it will come up on its own when something wants to use it.

luckman212

Ah, didn't know any of that – thanks for the clarification. Good to know about the pings bringing up the tunnel!