IPSEC tunnel drops down 2.2-RC (i386) built on Mon Jan 05 16:32:22 CST 2015
-
After upgrading from 2.1.5 to 2.2-RC (i386) built on Mon Jan 05 16:32:22 CST 2015,
the ipsec VPN does not stay up. On 2.1.5 ipsec just worked, but now it drops down all the time. It may stay up a full hour, but usually it drops dead before that and does not reconnect. The logs do not give me a good hint, or I have missed the log entry when the connection fails/drops. I'll try to catch that moment in the logs.
I have regenerated and saved all the Phase 1 and Phase 2 settings for the connection (both ends: site A and B).
Just can't find anything wrong - are there still bigger problems in ipsec in the RC version?
Below is my site-to-site VPN tunnel configuration:
---------------------- SITE A PHASE 1 --------------------------
General information
Key Exchange version V1
Internet Protocol IPv4
Interface WAN
Remote gateway 222.222.222.222
Description SITE B
Phase 1 proposal (Authentication)
Authentication method Mutual PSK
Negotiation mode Main
My identifier My IP Address
Peer identifier Peer IP Address
Pre-Shared Key **********************
Phase 1 proposal (Algorithms)
Encryption algorithm AES 256bit
Hash algorithm SHA1
DH key group 2(1024bit)
Lifetime 28800 seconds
Advanced Options
NAT Traversal Auto
Dead Peer Detection Enabled DPD
seconds 10
Delay between requesting peer acknowledgement.
retries 10
Number of consecutive failures allowed before disconnect.
---------------- SITE A PHASE 2 --------------------------
Phase2 entry
Mode Tunnel IPv4
Local Network Lan Subnet
Remote Network
Type: Network
Address: 192.168.1.0/24
Description Site B
Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms
AES 256bit
Hash algorithms
SHA1
PFS key group 2 (1025bit)
Lifetime 3600 seconds
Advanced Options
Automatically ping host 192.168.1.1 IP address
----------------------------------------------------------
---------------------- SITE B PHASE 1 --------------------------
General information
Key Exchange version V1
Internet Protocol IPv4
Interface WAN
Remote gateway 111.111.111.111
Description SITE A
Phase 1 proposal (Authentication)
Authentication method Mutual PSK
Negotiation mode Main
My identifier My IP Address
Peer identifier Peer IP Address
Pre-Shared Key **********************
Phase 1 proposal (Algorithms)
Encryption algorithm AES 256bit
Hash algorithm SHA1
DH key group 2(1024bit)
Lifetime 28800 seconds
Advanced Options
NAT Traversal Auto
Dead Peer Detection Enabled DPD
seconds 10
Delay between requesting peer acknowledgement.
retries 10
Number of consecutive failures allowed before disconnect.
---------------- SITE B PHASE 2 --------------------------
Phase2 entry
Mode Tunnel IPv4
Local Network Lan Subnet
Remote Network
Type: Network
Address: 192.168.0.0/24
Description Site A
Phase 2 proposal (SA/Key Exchange)
Protocol ESP
Encryption algorithms
AES 256bit
Hash algorithms
SHA1
PFS key group 2 (1025bit)
Lifetime 3600 seconds
Advanced Options
Automatically ping host 192.168.0.1 IP address
----------------------------------------------------------
-
Can you please upgrade to the latest snapshot of today and see if it is fixed?
-
Did not help - but I changed IKEv1 to IKEv2 and now it has been stable and up for the whole day.
-
I just noticed that you have i386 snapshot.
It is just building that with the new version of strongswan. So if you have the possibility of trying that with a new snapshot that will come out and IKEv1, it would be good to know.
-
I will do that test for you!
-
Testing:
2.2-RC (i386)
built on Wed Jan 07 18:25:08 CST 2015
IKEv1: the tunnel still drops down and there are no active tunnels shown in the widget. Even though it shows no active tunnels, the tunnel works. The Gateway widget shows huge latency for the other end of the tunnel and the value does not change at all.
Moving back to IKEv2
![Site A.jpg](/public/imported_attachments/1/Site A.jpg)
![Site B.jpg](/public/imported_attachments/1/Site B.jpg)
-
Yeah, the important thing is that the tunnels work.
Yesterday there were some fixes done for functionality. Hopefully today everything related to the dashboard etc. will be fixed as well.