    Site-To-Site between two pfSense losing connectivity

    6 Posts 4 Posters 4.2k Views
    itm_2015:

      Hi all,

      I have two pfSense (2.2) boxes in a site-to-site scenario. Both sides have static WAN IPs and are directly connected to the internet (PPPoE). I'm using IKEv2 (see config).

      There are two subnets on each side, so I'm using two P2 entries on one P1 entry.

      The tunnel stays established for more than one day. But then it loses connectivity and doesn't reconnect. When I restart the IPsec service on Site B, it gets online again.

      Here is the latest log:

      Mar 7 07:53:08 	charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:08 	charon: 06[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:53:13 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:13 	charon: 07[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:53:15 	charon: 07[IKE] <con1|99> giving up after 5 retransmits
      Mar 7 07:53:15 	charon: 07[IKE] giving up after 5 retransmits
      Mar 7 07:53:15 	charon: 07[IKE] <con1|99> peer not responding, trying again (2/3)
      Mar 7 07:53:15 	charon: 07[IKE] peer not responding, trying again (2/3)
      Mar 7 07:53:15 	charon: 07[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
      Mar 7 07:53:15 	charon: 07[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
      Mar 7 07:53:15 	charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
      Mar 7 07:53:15 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:53:19 	charon: 07[IKE] <con1|99> retransmit 1 of request with message ID 0
      Mar 7 07:53:19 	charon: 07[IKE] retransmit 1 of request with message ID 0
      Mar 7 07:53:19 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:53:26 	charon: 07[IKE] <con1|99> retransmit 2 of request with message ID 0
      Mar 7 07:53:26 	charon: 07[IKE] retransmit 2 of request with message ID 0
      Mar 7 07:53:26 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:53:27 	charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:27 	charon: 06[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:53:37 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:37 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:53:40 	charon: 15[IKE] <con1|99> retransmit 3 of request with message ID 0
      Mar 7 07:53:40 	charon: 15[IKE] retransmit 3 of request with message ID 0
      Mar 7 07:53:40 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:53:43 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:43 	charon: 06[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:53:50 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:50 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:53:57 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:57 	charon: 06[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:53:59 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:53:59 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:54:03 	charon: 15[IKE] <con1|99> retransmit 4 of request with message ID 0
      Mar 7 07:54:03 	charon: 15[IKE] retransmit 4 of request with message ID 0
      Mar 7 07:54:03 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:54:16 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:54:16 	charon: 06[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:54:21 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:54:21 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:54:27 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:54:27 	charon: 13[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:54:37 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:54:37 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:54:45 	charon: 15[IKE] <con1|99> retransmit 5 of request with message ID 0
      Mar 7 07:54:45 	charon: 15[IKE] retransmit 5 of request with message ID 0
      Mar 7 07:54:45 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:54:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:54:49 	charon: 13[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:55:11 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:55:11 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:55:26 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:55:26 	charon: 13[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:55:33 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:55:33 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:55:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:55:49 	charon: 13[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:55:56 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:55:56 	charon: 01[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:56:01 	charon: 01[IKE] <con1|99> giving up after 5 retransmits
      Mar 7 07:56:01 	charon: 01[IKE] giving up after 5 retransmits
      Mar 7 07:56:01 	charon: 01[IKE] <con1|99> peer not responding, trying again (3/3)
      Mar 7 07:56:01 	charon: 01[IKE] peer not responding, trying again (3/3)
      Mar 7 07:56:01 	charon: 01[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
      Mar 7 07:56:01 	charon: 01[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
      Mar 7 07:56:01 	charon: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
      Mar 7 07:56:01 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:56:05 	charon: 01[IKE] <con1|99> retransmit 1 of request with message ID 0
      Mar 7 07:56:05 	charon: 01[IKE] retransmit 1 of request with message ID 0
      Mar 7 07:56:05 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:56:07 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:56:07 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:56:12 	charon: 15[IKE] <con1|99> retransmit 2 of request with message ID 0
      Mar 7 07:56:12 	charon: 15[IKE] retransmit 2 of request with message ID 0
      Mar 7 07:56:12 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:56:21 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:56:21 	charon: 01[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:56:26 	charon: 01[IKE] <con1|99> retransmit 3 of request with message ID 0
      Mar 7 07:56:26 	charon: 01[IKE] retransmit 3 of request with message ID 0
      Mar 7 07:56:26 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:56:29 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:56:29 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:56:43 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:56:43 	charon: 01[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:56:49 	charon: 01[IKE] <con1|99> retransmit 4 of request with message ID 0
      Mar 7 07:56:49 	charon: 01[IKE] retransmit 4 of request with message ID 0
      Mar 7 07:56:49 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:57:05 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:57:05 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:57:27 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:57:27 	charon: 10[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:57:31 	charon: 10[IKE] <con1|99> retransmit 5 of request with message ID 0
      Mar 7 07:57:31 	charon: 10[IKE] retransmit 5 of request with message ID 0
      Mar 7 07:57:31 	charon: 10[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
      Mar 7 07:57:41 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:57:41 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:57:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:57:49 	charon: 10[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:58:07 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:58:07 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:58:13 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:58:13 	charon: 10[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:58:22 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:58:22 	charon: 15[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:58:30 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:58:30 	charon: 10[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:58:37 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
      Mar 7 07:58:37 	charon: 11[CFG] ignoring acquire, connection attempt pending
      Mar 7 07:58:47 	charon: 11[IKE] <con1|99> giving up after 5 retransmits
      Mar 7 07:58:47 	charon: 11[IKE] giving up after 5 retransmits
      Mar 7 07:58:47 	charon: 11[IKE] <con1|99> establishing IKE_SA failed, peer not responding
      

      Who can help me?

      Thanks!
      Attachments: IPSEC.png, P1.png, P2.png, STATUS.png

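Added example (not from the thread, nor pfSense or strongSwan code): a Python check that reads charon log lines like the ones quoted above and flags an IKE_SA that has exhausted its retries, the state in which the poster had to restart IPsec by hand. The sample lines are constructed from the quoted output and keep the poster's WAN-IP-SITE-A/B placeholders.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines quoted in this thread
# (WAN-IP-SITE-A is the poster's placeholder for the remote gateway).
SAMPLE_LOG = """\
Mar 7 07:53:15 charon: 07[IKE] <con1|99> giving up after 5 retransmits
Mar 7 07:53:15 charon: 07[IKE] giving up after 5 retransmits
Mar 7 07:53:15 charon: 07[IKE] <con1|99> peer not responding, trying again (2/3)
Mar 7 07:53:15 charon: 07[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
Mar 7 07:53:19 charon: 07[IKE] <con1|99> retransmit 1 of request with message ID 0
Mar 7 07:53:27 charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
Mar 7 07:56:01 charon: 01[IKE] <con1|99> giving up after 5 retransmits
Mar 7 07:56:01 charon: 01[IKE] <con1|99> peer not responding, trying again (3/3)
Mar 7 07:58:47 charon: 11[IKE] <con1|99> giving up after 5 retransmits
Mar 7 07:58:47 charon: 11[IKE] <con1|99> establishing IKE_SA failed, peer not responding
"""

# charon prints each IKE message twice, with and without the "<name|id>" SA
# tag, so the tag is optional here and untagged duplicates are skipped below.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+charon:\s+\d+\[(?P<sub>\w+)\]\s+"
    r"(?:<(?P<sa>[^>]+)>\s+)?(?P<msg>.*)$")
RETRY_RE = re.compile(r"peer not responding, trying again \((\d+)/(\d+)\)")

def analyse(log_text):
    """Per IKE_SA: give-up count, last retry counter, final failure, time window."""
    sas = defaultdict(lambda: {"giveups": 0, "retry": None, "failed": False,
                               "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sub"] != "IKE" or not m["sa"]:
            continue  # KNL/CFG/NET noise and untagged duplicates are not counted
        s = sas[m["sa"]]
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
        if m["msg"].startswith("giving up after"):
            s["giveups"] += 1
        elif (r := RETRY_RE.search(m["msg"])):
            s["retry"] = (int(r.group(1)), int(r.group(2)))
        elif m["msg"].startswith("establishing IKE_SA failed"):
            s["failed"] = True
    return dict(sas)

def stuck_sas(summary):
    """SAs a watchdog should alert on: strongSwan gave up and exhausted its
    retries, not merely lost a single packet."""
    return sorted(n for n, s in summary.items()
                  if s["failed"] or (s["retry"] and s["retry"][0] >= s["retry"][1]))
```

Feed the IPsec log text to analyse() and alert when stuck_sas() returns a non-empty list; a cron job could act on that result instead of restarting IPsec blindly on a schedule.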
      sammybernard:

        This is a bug in pfSense 2.2. I had previously reported this in my forum post https://forum.pfsense.org/index.php?topic=87636.0

        There is also an open bug report on this: https://redmine.pfsense.org/issues/4341

        You at this point simply have to return to 2.1.5 on both sides. IPSEC IS BROKEN ON 2.2 if you are using PPPoE.

        itm_2015:

          Hello Sam,

          thanks for answering!

          What about: "Removing interfaces_use from strongswan.conf makes the problem go away."?

          There is also an open bug report on this: https://redmine.pfsense.org/issues/4341

          There it is written that this is related only to dynamic IPs. I've got static IPs...

          Is there a trick to restart the IPsec service by cron? How can I downgrade PF remotely?

          Thanks!

          2chemlud:

            @itm_2015:

            H…. How can I downgrade PF remotely?

            Thanks!

            …oops, maybe it's easier to set up some OpenVPN tunnels to bridge the time till it's fixed...

            sammybernard:

              @itm_2015:

              H…. How can I downgrade PF remotely?

              Thanks!

              Are you using a pfSense appliance, i.e. from pfSense or Netgate, that uses a BSD image? They usually have two slices. You can just switch the active slice to the backup slice and reboot. You should be back to the version that was installed prior to upgrading to 2.2.

              lexl:

                @itm_2015:

                What about: "Removing interfaces_use from strongswan.conf makes the problem go away."?

                I had the same problem. Whenever the WAN link got disconnected/reconnected, the VPN tunnels did not reconnect.
                Removing the 'interface_use' indeed fixed the problem.
                To remove this key from strongswan.conf I edited /etc/inc/vpn.inc; around line 370 there is this:

                {$accept_unencrypted}
                cisco_unity = {$unity_enabled}
                {$ifacesuse}

                I changed this to:

                {$accept_unencrypted}
                cisco_unity = {$unity_enabled}

                {$ifacesuse}

                I also edited the file /var/etc/ipsec/strongswan.conf and commented out the 'interface_use' line (it gets overwritten when the WAN is disconnected).

                This is a hack that worked for me; I have no experience in Linux/FreeBSD and don't know if it has any side effects. The alternative is to go back to the old version or wait for the 2.2.1 update.

                Lex

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.