IPSEC stops working after a couple hours
-
I've used the same setup for several years without issue but the latest update must have changed something. Every couple hours my site-to-site VPN quits working. If I disable IPSEC for a minute or two and enable it everything works again. I can't see any obvious config errors. Any suggestions where to start? The far end is an Adtran router if that makes a difference.
-
Hi!
Have a look:
https://firstlook.org/theintercept/document/2014/03/12/vpn-voip-exploitation-hammerchant-hammerstein/
…maybe your NSA exploit needs an update...
-
I've been fighting this as well and it just started happening in the 2.2.1-RELEASE update. The connection shows up as connected in the Status: IPsec page, but I can't ping the other end, and the other end can't ping me. It seems to happen when the connection gets a second entry in the "Child SA" section. If I expand that entry and delete the bottom entry, the connection immediately comes back and I can ping from both ends of the tunnel again.
I'm not too familiar with how IPsec operates, so I've been trying to muck about with logging to figure out what is happening, but I presume it's some kind of bug given it worked flawlessly on 2.2.
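The symptom described in the post above (a connection accumulating a second Child SA after a rekey, while the tunnel still shows as established) can be watched for on the firewall itself by counting INSTALLED child SAs per connection in strongSwan's `ipsec statusall` output. The script below is an added example, not code from this thread or from pfSense; the sample status text is constructed and only approximates the real format, and the connection names `con1`/`con2` and addresses are made up.

```shell
#!/bin/sh
# Added example: flag IPsec connections that carry more than one INSTALLED
# CHILD_SA, which is the duplicate "Child SA" condition reported in the
# thread. Input is `ipsec statusall` text on stdin.

# Constructed sample, shaped roughly like strongSwan's statusall output.
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
      con1[5]: ESTABLISHED 2 hours ago, 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
      con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1000001_i d2000001_o
      con1{1}:   10.0.1.0/24 === 10.0.2.0/24
      con1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1000003_i d2000003_o
      con1{3}:   10.0.1.0/24 === 10.0.2.0/24
      con2[2]: ESTABLISHED 40 minutes ago, 203.0.113.1[203.0.113.1]...192.0.2.9[192.0.2.9]
      con2{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1000002_i d2000002_o
      con2{2}:   10.0.1.0/24 === 10.0.3.0/24'

# Print "<connection> <count>" for every connection whose number of
# INSTALLED child SAs exceeds 1. Child SA lines look like "name{N}:  INSTALLED".
duplicate_child_sas() {
  awk '
    /[{][0-9]+[}]:[[:space:]]+INSTALLED/ {
      name = $1; sub(/[{].*/, "", name)   # strip "{N}:" to get the conn name
      count[name]++
    }
    END { for (n in count) if (count[n] > 1) print n, count[n] }
  ' | sort
}

# Exit 0 when every connection has at most one child SA, 1 otherwise.
# Suitable as a cron/monitoring check: ipsec statusall | check_status
check_status() {
  dups=$(duplicate_child_sas)
  if [ -n "$dups" ]; then
    printf 'duplicate child SAs detected:\n%s\n' "$dups" >&2
    return 1
  fi
  return 0
}

# Demonstration on the constructed sample (con1 has two INSTALLED child SAs).
if printf '%s\n' "$SAMPLE_STATUS" | check_status; then
  echo "no duplicate child SAs"
else
  echo "duplicate child SAs found (expected for the sample)"
fi
```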
-
Looks like this issue:
https://forum.pfsense.org/index.php?topic=88293.0
It is not yet solved - besides other IPsec issues like this one:
https://forum.pfsense.org/index.php?topic=87946.0
Both issues together are unfortunately a show stopper for IPsec under pfSense. I am glad with OpenVPN: It's stable and easier to configure.
Regards,
Peter -
I too have this problem using IPsec and the Shrewsoft VPN access manager. Couldn't find a solution either, hope there will be a fix soon.
@pvoigt, I beg to differ, I tried OpenVPN and even though I don't know if there's an easier way to set it up than in the pfSense Wiki guide, I didn't have to create any Certificates / Authorities and copy them to my local PC.
This however may come at the price of not being as secure, but OpenVPN seemed not easy at all to me.
-
I see the same issue on 2.2 and am a bit skeptical about flashing over to 2.2.1, so I'm just downgrading back to 2.1.5 as it's working fine for me.
Tunnel shows that it's online but no ping response. Restarting the service brings everything back up. -
I'm trying out changing out to IKEv2, as per https://forum.pfsense.org/index.php?topic=90999.0
Will see in a day or so if it's any happier… -
I've IPSEC running between 6 sites (all pfSense and no issues whatsoever).
What phase 1 and phase 2 settings are you using on both devices? -
What version are you running? Site to Site Tunnels were rock solid in 2.2, but in 2.2.1 they are causing some of us problems, typically when the re-keying occurs.
-
If you started having rekeying issues with 2.2.1, the fix is here:
https://forum.pfsense.org/index.php?topic=91627.0 -
@cmb:
If you started having rekeying issues with 2.2.1, the fix is here:
https://forum.pfsense.org/index.php?topic=91627.0
That didn't fix it for me.
-
Hi charlien,
Does your issue look like this?
https://forum.pfsense.org/index.php?topic=91020.0
Many Phase II tunnels for only a single SA? Phase I established? No data went through?