IPSEC Connections in 2.2.3 fail after a couple of days.
-
The bulk of this was a result of WAN flapping, every time it goes down and comes back up it forces rekey of IPsec, which drops it for a period of time. Rinse and repeat with repeated WAN failures, and they don't stay up for long. Once the connection stabilized, most of the VPNs have been fine. The ones that aren't, I'm not sure they should be up. Seems the remote isn't responding on a few of them.
-
I agree that the flapping is the cause of the problem. And I also agree that the log reports that the connections at the other end are not responding.
However this morning, the status looked like the first screen shot - with 5 or more remote ends that have been unresponsive for more than 2 days. And the log reported that the other end of the connection is down and not responding.
After a reboot of this end, all of the connections are restored and working. Since this has been happening exactly this way for several days, I think we can rule out a simultaneous miracle at the remote ends. ;-) It's as if pfSense just gets tired of trying to make the connection and flags them as being down.
-
I'm running an IPSEC tunnel between two 2.2.4 systems, one is a Netgate RCC-VE 2440 and the other is a dedicated Dell PowerEdge R220. They are both directly connected to the Internet. On startup, the tunnel is established immediately and performs really well for about three days. Then the tunnel disconnects and only a restart of the Dell machine will enable the tunnel to connect again.
I did notice an interesting sign of trouble on the R220 server - when the tunnel drops, the SPD table is blank. It's normal for the SAD table to be empty when there's no connection but I've never seen the SPD completely blank. Otherwise all of the other settings in the GUI appear normal. The IPSEC log on the Netgate side shows that the remote peer stops responding.
~Ed
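The post above draws a distinction worth automating: an empty SAD with policies still loaded is normal when there is no connection, but an empty SPD is the symptom that preceded the reboot. The script below is an added example, not code from this thread or from pfSense; it classifies that state from the output of `setkey -DP` (SPD) and `setkey -D` (SAD) on FreeBSD, using constructed sample outputs in place of the live commands so it runs anywhere.

```sh
#!/bin/sh
# Added example (not from the thread): classify IPsec kernel state so an
# empty SPD can be caught from cron instead of being noticed after users
# complain. Sample outputs below are constructed to match FreeBSD setkey's
# format; addresses, SPIs and keys are placeholders.

# Constructed `setkey -DP` output: one tunnel, in and out policies.
SAMPLE_SPD='10.0.2.0/24[any] 10.0.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.2-203.0.113.2/unique:1
    spid=2 seq=1 pid=1234
    refcnt=1
10.0.1.0/24[any] 10.0.2.0/24[any] any
    out ipsec
    esp/tunnel/203.0.113.2-198.51.100.2/unique:1
    spid=1 seq=0 pid=1234
    refcnt=1'

# Constructed `setkey -D` output: the matching SA pair.
SAMPLE_SAD='203.0.113.2 198.51.100.2
    esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=1(0x00000001)
    E: aes-cbc  0f0e0d0c 0b0a0908 07060504 03020100
198.51.100.2 203.0.113.2
    esp mode=tunnel spi=3405691582(0xcafebabe) reqid=1(0x00000001)
    E: aes-cbc  00010203 04050607 08090a0b 0c0d0e0f'

# Each SPD entry carries exactly one "spid=" line and each SA exactly one
# "spi=" line; "spid=" does not match "spi=", so the counts stay separate.
# `|| true` keeps grep's exit status 1 (zero matches) from tripping set -e.
count_spd() { printf '%s\n' "$1" | grep -c 'spid=' || true; }
count_sad() { printf '%s\n' "$1" | grep -c 'spi='  || true; }

# ok     : policies loaded and SAs present
# idle   : policies loaded, no SAs (expected when the tunnel is simply down)
# broken : no policies at all, the state seen before a reboot was needed
ipsec_state() {
    spd=$(count_spd "$1"); sad=$(count_sad "$2")
    if [ "$spd" -eq 0 ]; then echo broken
    elif [ "$sad" -eq 0 ]; then echo idle
    else echo ok; fi
}

# Live use on the firewall (assumption: run as root with setkey in PATH):
# [ "$(ipsec_state "$(setkey -DP)" "$(setkey -D)")" = broken ] && \
#     logger -p daemon.warning "IPsec SPD is empty; tunnel will not recover on its own"
```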
-
One thing that I should have noticed and reported previously is that with 2.2.4, when the problem occurs, stopping IPSEC from the GUI reports that IPSEC is stopped, but the status always remains as running (no red X). The log merely reports: php-fpm[31554]: /status_services.php: Forcefully reloading IPsec. No error message is generated and IPSEC status does not change. After a reboot, stopping the service results in a red X, the same message in the log and IPSEC is truly stopped.
-
Interesting, I'm seeing the same "doesn't stop" behavior although my "symptoms" are different. I'm passing traffic with several SAs over a tunnel, but I'm unable to bring up additional SAs across that same tunnel. I haven't tried a pfSense reboot to see if that clears things up, but now I suspect it might (since I've had this work correctly in the past even with the mess that is strongSwan).
It's been enough of a pain in my rear that I picked up an EdgeRouter Lite and have been toying with the idea of using it for VPN duties while keeping pfSense as my main router (simply because EdgeOS is still not as nice to use through a GUI and I don't feel like learning Vyatta more than I'd need to set up the VPN :P)
-
I agree that this IPSEC problem is a real pain at the moment, but for the last 7 or so years I've never had a problem with pfSense that lasted more than a day. I have 20+ installations and no desire to change, so I'll hang in for a while; I'm sure once the issues with strongSwan are resolved it will be another 7 trouble-free years. And if the problem drags out I could always just move everything to OpenVPN.
-
Unfortunately, if you are running a tunnel with another vendor, chances are you'll be stuck with IPsec. My tunnels have been pretty much stable with 2.2.4, but the memory leak issue is a major pain right now. strongSwan is way better now than it was in the first 2.2 releases.
-
For what it is worth, I got tired of restarting pfSense every third day. I installed last weekend's 2.2.5 snapshot and IPSEC has been stable for the whole week. Looking through the list, I'm not sure what change was responsible, but it is a relief to have IPSEC working again.
-
I celebrated too soon. It took 6 days before IPSEC failed. The IPSEC task can't be stopped or restarted; the only solution is to reboot pfSense.
-
The problem still exists in 2.2.5. I upgraded from the development stream to the production version on Friday, and today the tunnels are inoperative and cannot be restarted. The IPSEC task cannot be stopped from the GUI or from the command line, and the only option is to reboot pfSense.