IPSEC Site to Site VPN
-
I also have an occasional tunnel-down for several seconds until it gets back up. Sometimes I have to restart the strongswan service.
IKEv1, main mode, certificates. I tried to switch to IKEv2, but those tunnels were not coming up at all.
I hope to have some time on the weekend to diagnose this further -
I should also add that we looked at the bug in pfsense that relates to "states table" not being cleared / adjusted when interfaces change … we tested with both settings ... ie clearing that states table and not clearing the states table and still no difference. This setting is I think in the Miscellaneous section / advanced settings area. Just thought I'd add that since tunnels still did not get reestablished in either scenario.
-
ipsec status says that tunnel is established but no traffic is going through. have to disconnect and reconnect the tunnel from the status page every time. 10 other tunnels (2.2 to 2.1.3) are working fine
-
Just wondering if any of the Developers managed to replicate the problem I described above and if you guys had any insight?
https://forum.pfsense.org/index.php?topic=87636.msg482884#msg482884
-
Seems there are possibly multiple different issues in this thread. One thing to check is make sure you don't have "prefer old SAs" enabled on the advanced tab. That was confirmed to fix multiple systems I worked on last week where there were issues after rekeying. That's rarely been desirable and isn't on by default but seems a number of systems have it enabled and have it configured inconsistently between sides. It's another of those things that probably should have broken pre-upgrade, but changes in behavior with strongswan made it more likely to break.
-
Thanks cmb … I made sure it was not enabled and still noticing the same problem. Tunnels DO NOT come back on again if I disconnect and reconnect the WAN interface. Still seeing the DPD messages only without any reconnect.
-
Didn't want to take over someone else's thread as I see the devs want to isolate issues to a thread but just wondering if the devs were able to replicate this issue or had a fix. I see there were no open tickets about this on the bug tracker.
-
Here is the LOG file. As I previously mentioned, when my IP address changes from a disconnect/reconnect situation, for some reason that information is not passed on to charon. As you can see from the logs, charon is still passing the old IP address to the remote site and we get the "error writing to socket: Can't assign requested address"
SAM
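The symptom in the post above (charon still sourcing from the old WAN address after a reconnect, with "error writing to socket: Can't assign requested address" alongside unanswered DPD requests) is easy to confirm from the log rather than by eye. The script below is an added example, not code from the thread, pfSense or strongSwan. The sample log lines are constructed; the "sending packet: from A[500] to B[500]" line is assumed to match charon's NET-level debug output, and the current WAN address is supplied by the caller.

```python
import re
from collections import Counter

# Constructed sample of charon syslog output: a tunnel stuck sending DPD from
# the pre-reconnect address 203.0.113.5 after the WAN moved to 203.0.113.77.
SAMPLE_LOG = """\
Feb 10 12:01:05 fw charon: 09[IKE] <con1000|3> sending DPD request
Feb 10 12:01:05 fw charon: 09[NET] <con1000|3> sending packet: from 203.0.113.5[500] to 198.51.100.9[500] (76 bytes)
Feb 10 12:01:05 fw charon: 09[NET] error writing to socket: Can't assign requested address
Feb 10 12:01:35 fw charon: 12[IKE] <con1000|3> sending DPD request
Feb 10 12:01:35 fw charon: 12[NET] <con1000|3> sending packet: from 203.0.113.5[500] to 198.51.100.9[500] (76 bytes)
Feb 10 12:01:35 fw charon: 12[NET] error writing to socket: Can't assign requested address
Feb 10 12:02:05 fw charon: 07[IKE] <con1000|3> sending DPD request
Feb 10 12:02:05 fw charon: 07[NET] <con1000|3> sending packet: from 203.0.113.5[500] to 198.51.100.9[500] (76 bytes)
Feb 10 12:02:05 fw charon: 07[NET] error writing to socket: Can't assign requested address
"""

# Exact error string quoted in the thread.
SOCKET_ERR = "error writing to socket: Can't assign requested address"
# Assumed shape of charon's NET debug line (hypothetical, modelled on strongSwan output).
PACKET_RE = re.compile(r"sending packet: from (\S+?)\[\d+\] to (\S+?)\[\d+\]")
DPD_RE = re.compile(r"sending DPD request")


def analyze_charon_log(lines, current_wan_ip):
    """Flag the stale-local-address condition.

    The verdict is only raised when both signals are present: socket write
    errors AND outbound packets sourced from an address other than the one
    the WAN currently holds. Errors alone are not enough, since they can
    also come from unrelated routing problems.
    """
    stale_sources = Counter()
    socket_errors = 0
    dpd_requests = 0
    for line in lines:
        if SOCKET_ERR in line:
            socket_errors += 1
        if DPD_RE.search(line):
            dpd_requests += 1
        m = PACKET_RE.search(line)
        if m and m.group(1) != current_wan_ip:
            stale_sources[m.group(1)] += 1
    return {
        "stale_address": socket_errors > 0 and bool(stale_sources),
        "socket_errors": socket_errors,
        "dpd_requests": dpd_requests,
        "stale_sources": dict(stale_sources),
    }


if __name__ == "__main__":
    # Usage: feed it the real log (e.g. lines from /var/log/ipsec.log) and the
    # address the WAN interface has right now.
    result = analyze_charon_log(SAMPLE_LOG.splitlines(), "203.0.113.77")
    if result["stale_address"]:
        print("charon is still sending from", sorted(result["stale_sources"]),
              "- restart or reload the IPsec service so it picks up the new WAN address")
    else:
        print("no stale-address signature found")
```

When the verdict is positive the practical remedy is the one the thread describes: bounce or reload the IPsec service so charon rebinds to the new address; a tunnel that `ipsec status` reports as established can still be dead in this state.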
-
For the Devs:
From what I can tell there is some sort of a race condition that is being created. It was described on the strongSwan forums too:
https://wiki.strongswan.org/issues/543
https://wiki.strongswan.org/issues/193
-
Just to update folks on the forum. We have been following this issue for a while and it appears the Devs were finally able to replicate this. Looks like a fix is being targeted for 2.2.1. You can follow the link below to monitor progress.
https://redmine.pfsense.org/issues/4341