Netgate Discussion Forum

    IPSec tunnel will be reconnected every day

    • Guest

      Sorry for jumping in here, but something is not really clear to me based on the log files and statements.

      Feb 15 01:50:03    check_reload_status: Restarting OpenVPN tunnels/interfaces

      So OpenVPN is used here in that case.

      Feb 15 01:50:03    check_reload_status: Restarting ipsec tunnels

      Is OpenVPN using an IPsec tunnel here? Normally, as far as I know, you would use either OpenVPN or IPsec;
      is this right, or am I wrong about this?

      Feb 15 01:50:03    check_reload_status: updating dyndns GATEWAY

      And if a public static IP address is in use there, why use DynDNS?

      Sorry for these noob questions, but I am really interested in this case.

      • FCNiklas

        Hi BlueKobold,

        We don't use OpenVPN on the pfSense; we only use IPsec.
        I don't know why it is displayed in the logs.

        The same goes for the gateway. We have a static public IP address
        and don't use a DynDNS gateway.

        • Guest

          We don't use OpenVPN on the pfSense; we only use IPsec.
          I don't know why it is displayed in the logs.

          The same goes for the gateway. We have a static public IP address
          and don't use a DynDNS gateway.

          Oh OK, thank you for providing this information. I was a little bit confused by these entries and was
          not really sure what to think of them; thanks again for the clarification.

          I have another one for you: you were telling us that everything, including the VPN connections,
          was running fine for you before upgrading to a higher pfSense version, is this right? Perhaps,
          and only perhaps, you or somebody else made custom setup entries, and after
          the update or upgrade was done all files were rewritten and these custom settings were
          gone. And now the setup is not working properly because the custom entries are not there.

          Could this be?

          • FCNiklas

            No problem BlueKobold. Thanks for your response.

            Yes, you are right. Before the upgrade to version 2.2.6,
            the pfSense was fine. We only upgraded the pfSense
            to the latest version, but didn't change anything in the configuration.

            After the upgrade the IPsec tunnel was disconnected every two
            days in the morning, and the gateway detection also had
            a delay.

            Now I am trying to find out whether the latest version of pfSense has a bug
            or the ISP's modem is defective. But I still think that
            pfSense has a bug, because the IPsec issue did not occur
            in the previous versions.

            Does anyone have the same issue with IPsec in the latest version?

            • MaxHeadroom

              Hi,

              in my log it looks the same: apinger warns about delay when there is high throughput on WAN.
              IPsec also restarts on an apinger delay, but comes up again.

              Regards, max

              • FCNiklas

                Hi Max,

                Thanks for your reply.

                Do you also have these issues with version 2.2.6?
                If so, it would be interesting to know how you
                got it fixed.

                Thanks and best regards,
                Niklas

                • MaxHeadroom

                  Hi FCNiklas,

                  Yes, running on 2.2.6. For me it's not a big problem because I use the IPsec tunnel very little.

                  I think the problem will be gone if you go to
                  System: Gateways: Edit gateway
                  and check Disable Gateway Monitoring  <- if not required because of a fixed WAN IP & no failover gateway

                  or

                  tune the parameters under "Advanced".

                  regards

                  max

                  • FCNiklas

                    Hi Max,

                    thanks for the information.

                    I have checked both pfSense firewalls and found out that
                    the option "Disable Gateway Monitoring" is not checked on
                    either firewall.

                    If I understand it correctly, the option only means that the
                    WAN IP will not be monitored anymore. That would be a workaround
                    to get no warnings in the system logs, but the issue would not be fixed
                    by this.

                    Also, what do you mean by tuning the parameters under "Advanced"?

                    Thanks for your help in advance.

                    Best regards,
                    Niklas

                    • Guest

                      Is MSS clamping enabled in the IPsec VPN settings?

                      • FCNiklas

                        Hi BlueKobold,

                        No, MSS clamping is not enabled on either pfSense firewall.

                        Does it have something to do with the restart of the IPsec service?

                        It seems that the IPsec tunnel restarts more often than before.

                        Here are the gateway logs again:

                        Feb 29 04:08:35 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 29 04:08:25 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 29 04:03:02 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 29 04:02:52 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 28 22:34:14 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 28 22:34:04 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 28 21:43:20 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 28 21:43:10 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 28 21:38:28 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
                        Feb 28 21:38:19 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***

                        … and the general logs:

                        Feb 29 04:08:52 php-fpm[87448]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 29 04:08:47 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 29 04:08:45 check_reload_status: Reloading filter
                        Feb 29 04:08:45 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 29 04:08:45 check_reload_status: Restarting ipsec tunnels
                        Feb 29 04:08:45 check_reload_status: updating dyndns GATEWAY
                        Feb 29 04:08:37 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 29 04:08:35 check_reload_status: Reloading filter
                        Feb 29 04:08:35 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 29 04:08:35 check_reload_status: Restarting ipsec tunnels
                        Feb 29 04:08:35 check_reload_status: updating dyndns GATEWAY
                        Feb 29 04:03:29 php-fpm[31063]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 29 04:03:28 check_reload_status: Reloading filter
                        Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 29 04:03:20 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 29 04:03:19 check_reload_status: Reloading filter
                        Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 29 04:03:14 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 29 04:03:12 check_reload_status: Reloading filter
                        Feb 29 04:03:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 29 04:03:12 check_reload_status: Restarting ipsec tunnels
                        Feb 29 04:03:12 check_reload_status: updating dyndns GATEWAY
                        Feb 29 04:03:04 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 29 04:03:02 check_reload_status: Reloading filter
                        Feb 29 04:03:02 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 29 04:03:02 check_reload_status: Restarting ipsec tunnels
                        Feb 29 04:03:02 check_reload_status: updating dyndns GATEWAY
                        Feb 28 22:34:41 php-fpm[84783]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 28 22:34:40 check_reload_status: Reloading filter
                        Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 28 22:34:32 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 28 22:34:31 check_reload_status: Reloading filter
                        Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 28 22:34:26 php-fpm[83939]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 22:34:24 check_reload_status: Reloading filter
                        Feb 28 22:34:24 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 28 22:34:24 check_reload_status: Restarting ipsec tunnels
                        Feb 28 22:34:24 check_reload_status: updating dyndns GATEWAY
                        Feb 28 22:34:17 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 22:34:14 check_reload_status: Reloading filter
                        Feb 28 22:34:14 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 28 22:34:14 check_reload_status: Restarting ipsec tunnels
                        Feb 28 22:34:14 check_reload_status: updating dyndns GATEWAY
                        Feb 28 21:43:47 php-fpm[79683]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 28 21:43:46 check_reload_status: Reloading filter
                        Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 28 21:43:38 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 28 21:43:37 check_reload_status: Reloading filter
                        Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 28 21:43:32 php-fpm[78791]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:43:30 check_reload_status: Reloading filter
                        Feb 28 21:43:30 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 28 21:43:30 check_reload_status: Restarting ipsec tunnels
                        Feb 28 21:43:30 check_reload_status: updating dyndns GATEWAY
                        Feb 28 21:43:22 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:43:20 check_reload_status: Reloading filter
                        Feb 28 21:43:20 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 28 21:43:20 check_reload_status: Restarting ipsec tunnels
                        Feb 28 21:43:20 check_reload_status: updating dyndns GATEWAY
                        Feb 28 21:38:56 php-fpm[32154]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 28 21:38:55 check_reload_status: Reloading filter
                        Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 28 21:38:47 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
                        Feb 28 21:38:46 check_reload_status: Reloading filter
                        Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
                        Feb 28 21:38:41 php-fpm[30309]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:38:38 check_reload_status: Reloading filter
                        Feb 28 21:38:38 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 28 21:38:38 check_reload_status: Restarting ipsec tunnels
                        Feb 28 21:38:38 check_reload_status: updating dyndns GATEWAY
                        Feb 28 21:38:31 php-fpm[89447]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
                        Feb 28 21:38:29 check_reload_status: Reloading filter
                        Feb 28 21:38:29 check_reload_status: Restarting OpenVPN tunnels/interfaces
                        Feb 28 21:38:29 check_reload_status: Restarting ipsec tunnels
                        Feb 28 21:38:29 check_reload_status: updating dyndns GATEWAY

                        It's a very strange issue, and it is inexplicable to me what causes it,
                        because we haven't changed anything in the IPsec configuration.

                        Thanks in advance and best regards,
                        Niklas

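The gateway and general logs above show every "Restarting ipsec tunnels" event following an apinger delay alarm by a few seconds, which is the chain Max describes. The following script is an added example, not code from the thread or from pfSense: it parses syslog lines in the format posted above, links each IPsec restart to a preceding apinger delay alarm within a window, and counts the aggressive-mode PSK warning that pfSense itself logs. The sample log, the 30-second window and the year 2016 (syslog lines carry no year) are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the syslog excerpt in the thread (not copied verbatim).
SAMPLE_LOG = """\
Feb 28 21:38:19 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:28 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:29 check_reload_status: updating dyndns GATEWAY
Feb 28 21:38:29 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:38 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 23:10:00 check_reload_status: Restarting ipsec tunnels
"""

# "<Mon> <day> <HH:MM:SS> <process>: <message>" as pfSense 2.2.x writes it.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<proc>[^:]+): (?P<msg>.*)$")


def parse(text, year=2016):
    """Return a list of (timestamp, process, message); the year is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a syslog line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["proc"], m["msg"]))
    return events


def correlate_restarts(events, window=30):
    """Split IPsec restarts into those preceded by an apinger delay ALARM
    within `window` seconds (gateway-monitor triggered) and all others."""
    alarms = [ts for ts, proc, msg in events
              if proc == "apinger" and msg.startswith("ALARM:")]
    linked, unlinked = [], []
    for ts, proc, msg in events:
        if msg != "Restarting ipsec tunnels":
            continue
        if any(0 <= (ts - a).total_seconds() <= window for a in alarms):
            linked.append(ts)
        else:
            unlinked.append(ts)
    return linked, unlinked


def aggressive_mode_psk_warnings(events):
    """Count the phase-1 warnings pfSense logs for aggressive mode with PSK."""
    return sum(1 for _, _, msg in events if "aggressive_mode_psk" in msg)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    linked, unlinked = correlate_restarts(ev)
    print(f"{len(linked)} restart(s) followed an apinger alarm, {len(unlinked)} did not")
    print(f"{aggressive_mode_psk_warnings(ev)} aggressive-mode PSK warning(s)")
```

Restarts that land in the "unlinked" list are the ones worth investigating separately, since the gateway monitor cannot explain them.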
                        • Guest

                          Not installing NAT reflection rules for a port range > 500

                          Something is trying to get from the internal LAN through the WAN interface to connect to
                          the DMZ- or LAN-homed servers, and there are no rules for NAT reflection (hairpin NAT).
                          Could this be a problem too?

                          IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.

                          Is there perhaps something in the other LAN, like an enabled DHCP server, that is giving
                          new IP addresses to servers or other devices that should rather be assigned static IP addresses?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.