VPN Unreliable since upgrade to V2.2
-
Yeah - there have been lots of IPsec issues, but people seem to have fixes. I'm sure one will be along shortly.
-
Pretty clear it was IPsec, given we're on the IPsec board, and that's what charon does. :)
uk26: could you get me into that system to dig into it further? PM me and we can arrange something.
-
Oooooooooppppsss.
-
Hi,
I have noticed that when the issue appears there is then an established connection and a connecting connection for the same VPN link. Restarting it removes the duplicate, and then the VPN will time out for a few minutes, and then the duplicate is back again.
-
Are your lifetimes matching on both sides?
Are the DPD timers low?
-
I was able to go through this with uk26 and found a couple potential issues, and an explanation for the "peer not responding" in the logs there.
The Draytek on the opposite side of the affected IPsec connection was configured as initiator-only. So when the pfSense side was trying to initiate the connection, the Draytek just ignored it (as it was configured to do).
What happened in the drop in that particular instance is the Draytek sent a delete for the child SA, and then waited nearly 10 seconds to initiate a new child SA. strongSwan was attempting to do that before the active SA was deleted, so the connection would stay up, but since the Draytek was configured not to reply, it just timed out over and over trying to bring up a new SA to keep the connection up. When the Draytek kicked off negotiation about 10 seconds after it told strongSwan to delete the existing SA, it was successful, and the tunnel came back up.
The logs from the Draytek from that time period weren't available, so we only have half the story from that instance. It's now logging to another machine in case any problems come back up.
The Draytek was also configured to use 10.0.0.254/24 rather than 10.0.0.0/24. Though there weren't any indications that was causing any issues, it's technically incorrect and was changed to 10.0.0.0/24 to match what's on the pfSense side.
I suspect now that the Draytek is configured to be either initiator or responder, this issue will go away. Why there was a behavior change between racoon and strongSwan there, I'm not sure.
uk26 - follow up and let us know how things are going.
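Added example, not part of the post above and not pfSense or strongSwan code: a small Python cross-check of the two ends of a site-to-site tunnel for the mismatches the post describes (initiator-only peer, lifetimes and DPD timers that differ, and a traffic selector written as a host address with a /24 mask, like 10.0.0.254/24). The two peer configuration dicts and their values are constructed for the illustration and are assumptions, not the actual Draytek or pfSense settings.

```python
"""Cross-check two IPsec peers for the mismatches discussed in the thread.
Illustrative code only; the peer settings below are constructed, not captured."""
import ipaddress

# Constructed settings (assumption: values mimic the thread, not real configs).
PFSENSE = {
    "name": "pfSense",
    "mode": "both",                 # may initiate and respond
    "ike_lifetime": 28800,          # phase 1 lifetime, seconds
    "esp_lifetime": 3600,           # phase 2 lifetime, seconds
    "dpd_delay": 10,
    "dpd_maxfail": 5,
    "local_subnets": ["192.168.1.0/24"],
    "remote_subnets": ["10.0.0.0/24"],
}

DRAYTEK_BEFORE = {
    "name": "Draytek (as found)",
    "mode": "initiator",            # initiator-only: ignores inbound IKE
    "ike_lifetime": 28800,
    "esp_lifetime": 3600,
    "dpd_delay": 10,
    "dpd_maxfail": 5,
    "local_subnets": ["10.0.0.254/24"],   # host address written with a /24 mask
    "remote_subnets": ["192.168.1.0/24"],
}

DRAYTEK_AFTER = dict(DRAYTEK_BEFORE, name="Draytek (fixed)", mode="both",
                     local_subnets=["10.0.0.0/24"])


def normalize_subnet(cidr):
    """Return (network, sloppy). ip_network() rejects 10.0.0.254/24 because
    host bits are set; strict=False gives the intended 10.0.0.0/24."""
    try:
        return ipaddress.ip_network(cidr), False
    except ValueError:
        return ipaddress.ip_network(cidr, strict=False), True


def _selector_set(cidrs, findings, who):
    """Normalize a list of selectors, recording any with host bits set."""
    nets = set()
    for c in cidrs:
        net, sloppy = normalize_subnet(c)
        if sloppy:
            findings.append(f"{who}: selector {c} has host bits set; treated as {net}")
        nets.add(net)
    return nets


def check_pair(a, b):
    """Compare two peer configs; return a list of findings (empty = consistent)."""
    findings = []

    # Who may initiate? One side must start and the other must answer.
    modes = {a["mode"], b["mode"]}
    if modes == {"initiator"}:
        findings.append("both peers are initiator-only: nobody answers IKE_SA_INIT")
    elif modes == {"responder"}:
        findings.append("both peers are responder-only: nobody starts the tunnel")
    else:
        for me, peer in ((a, b), (b, a)):
            if peer["mode"] == "initiator" and me["mode"] == "both":
                findings.append(
                    f"{peer['name']} is initiator-only: attempts by {me['name']} "
                    "to initiate or rekey are ignored until the peer initiates "
                    "(logged as 'peer not responding')")

    # Lifetimes and DPD should agree so both sides rekey and give up together.
    for key in ("ike_lifetime", "esp_lifetime", "dpd_delay", "dpd_maxfail"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a['name']}={a[key]} {b['name']}={b[key]}")

    # Traffic selectors must mirror each other after normalization.
    a_local = _selector_set(a["local_subnets"], findings, a["name"])
    b_remote = _selector_set(b["remote_subnets"], findings, b["name"])
    a_remote = _selector_set(a["remote_subnets"], findings, a["name"])
    b_local = _selector_set(b["local_subnets"], findings, b["name"])
    for mine, theirs, label in ((a_local, b_remote, "local/remote"),
                                (a_remote, b_local, "remote/local")):
        if mine != theirs:
            findings.append(f"selector mismatch ({label}): {a['name']} "
                            f"{sorted(map(str, mine))} vs {b['name']} "
                            f"{sorted(map(str, theirs))}")
    return findings


if __name__ == "__main__":
    for peer in (DRAYTEK_BEFORE, DRAYTEK_AFTER):
        print(f"== {PFSENSE['name']} <-> {peer['name']}")
        for line in check_pair(PFSENSE, peer) or ["no mismatches"]:
            print("  -", line)
```

Run as-is it reports, for the "as found" pair, the initiator-only warning and the sloppy 10.0.0.254/24 selector, and nothing for the fixed pair; the selector check deliberately normalizes before comparing, so a host-bits-set selector is reported as a finding rather than as a hard mismatch, matching the post's "technically incorrect but not obviously breaking anything".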
-
So far seems OK. Getting the odd packet loss over the VPN link. Pinging the external IP of pfSense shows no packet loss.
Will keep monitoring.
-
I am also facing major issues with IPsec since upgrading from 2.1.5 to 2.2.
I have a tunnel between our office and our cloud provider with 5 phase 2 entries. It is configured with PSK, 3DES, SHA1 and DH Group 2.
It is completely random which of the 5 will work, and sometimes all 5 work together, but very seldom. Stopping and starting IPsec sometimes has an effect on which links are up and which are down. Having the link up does not guarantee that it will work, though. Links show up but no traffic goes over them. I have tried to remove everything and reconfigure it again, but still no luck.
Just to give some additional information, it is running on a Supermicro D525 from USB, since the new OS will not install to the discs. Tried every option in the BIOS, but after formatting and setting volumes it fails with Error Code 19. The only way to get it back was to run it off USB. So all in all a very bad experience upgrading to 2.2.
Let me know what information I need to send for the IPsec debugging. Major issue for me right now.
I have 2 other boxes (different HW) all running fine in other offices around the world, but unfortunately this is our main office and 24 hours of broken internet so far!
-
I am also facing major issues with IPsec since upgrading from 2.1.5 to 2.2.
Start your own topic please.
-
The option to control the behaviour as a responder only will be in 2.2.1.