IPSec tunnel will be reconnected every day

Guest

Sorry for jumping in here but something is not really clear to me, based on the logfiles and statements.

Feb 15 01:50:03    check_reload_status: Restarting OpenVPN tunnels/interfaces

So OpenVPN is used here in that case

Feb 15 01:50:03    check_reload_status: Restarting ipsec tunnels

Is OpenVPN using here an IPSec tunnel? In normal as I know it, you will be using OpenVPn or IPSec,
is this right or am I wrong with this?

Feb 15 01:50:03    check_reload_status: updating dyndns GATEWAY

And if a public static IP address is there in use, why then using DynDNS?

Sorry for this nOOp questions, but I am interested in this case really.

FCNiklas

Hi BlueKobold,

we don't use OpenVPN on the PFSense. We only use IPSec.
I don't know, why it will be displayed in the logs.

The same is the gateway. We have a static public IP address
and don't use a dyndns gateway.

Guest

we don't use OpenVPN on the PFSense. We only use IPSec.
I don't know, why it will be displayed in the logs.

The same is the gateway. We have a static public IP address
and don't use a dyndns gateway.

Oh ok thank you for providing this information, I was a little bit confused on this entries and was
not really able what I should think on, thanks again for the clarification on this.

I have another one for you, you where telling us that all was running fine for you and also
the VPN connections before upgrading to a higher pfSense version, is this right? Perhaps,
only perhaps I mean you or somebody was doing or making custom set up entries and after
the update or upgrade was done all files was new written and this custom made settings were
gone. And now the set up is not really fine working because the custom entries are not there.

Could this be?

FCNiklas

No problem BlueKobold. Thanks for your response.

Yes you are right. Before the upgrade to version 2.2.6,
the PFSense was fine. We only have upgraded the PFSense
to the latest version, but didn't changed anything in the configuration.

After the upgrade the IPSec tunnel was disconnect every two
days in the morning and the detection of the gateway had also
a delay.

Now i try to find out, if the latest version of PFSense has a bug
or the modem of the ISP is defect. But i still think that the
PFSense has a bug, because the IPSec issue did not occur
in the versions before.

Has anyone the same issue with IPSec in the latest version?

MaxHeadroom

Hi,

in my log it's look the same, apinger warn with  delay when there is a high throuput on wan if
also ipsec restart on a aping delay but comes up again

regards max

FCNiklas

Hi Max,

Thanks for your reply.

Do you have this issues also with version 2.2.6?
If yes, it would be interesting to know how you
got it fixed.

Thanks and best regards,
Niklas

MaxHeadroom

Hi FCNiklas,

yes runnning  on 2.2.6. For me it's not a big problem because of using ipsec tunnel very less.

I think the problem will gone if
System: Gateways: Edit gateway
Disable Gateway Monitoring  <- if not required because of fixed wan ip & no failover gateway

or

tuning the parameters "Advanced"

regards

max

FCNiklas

Hi Max,

thanks for the information.

I have checked both PFSense firewalls and found out that
the option "Disable Gateway Monitoring" is not checked on
both Firewalls.

If i understand it correctly, the option only means that the
WAN IP will not be monitored again. That would be a workaround
to get no warnings in the system logs, but the issue would not fixed
by this.

What do you also mean with tuning the parameters "Advanced"?

Thanks for your help in advance.

Best regards,
Niklas

Guest

In the IPSec VPN settings is there enabled MSS clamping?

FCNiklas

Hi BlueKobold,

no MSS clamping is not enabled on both PFSense Firewalls.

Has it something to do with the restart of the ipscec service?

It seems that the ipsec tunnel restarts more than before.

Here are the gateway logs again:

Feb 29 04:08:35 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:08:25 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:03:02 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:02:52 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 22:34:14 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 22:34:04 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:43:20 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:43:10 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:28 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:19 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***

… and the general logs:

Feb 29 04:08:52 php-fpm[87448]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 29 04:08:47 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:08:45 check_reload_status: Reloading filter
Feb 29 04:08:45 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:08:45 check_reload_status: Restarting ipsec tunnels
Feb 29 04:08:45 check_reload_status: updating dyndns GATEWAY
Feb 29 04:08:37 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:08:35 check_reload_status: Reloading filter
Feb 29 04:08:35 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:08:35 check_reload_status: Restarting ipsec tunnels
Feb 29 04:08:35 check_reload_status: updating dyndns GATEWAY
Feb 29 04:03:29 php-fpm[31063]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 29 04:03:28 check_reload_status: Reloading filter
Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 29 04:03:20 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 29 04:03:19 check_reload_status: Reloading filter
Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 29 04:03:14 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:12 check_reload_status: Reloading filter
Feb 29 04:03:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:03:12 check_reload_status: Restarting ipsec tunnels
Feb 29 04:03:12 check_reload_status: updating dyndns GATEWAY
Feb 29 04:03:04 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:02 check_reload_status: Reloading filter
Feb 29 04:03:02 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:03:02 check_reload_status: Restarting ipsec tunnels
Feb 29 04:03:02 check_reload_status: updating dyndns GATEWAY
Feb 28 22:34:41 php-fpm[84783]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 22:34:40 check_reload_status: Reloading filter
Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 22:34:32 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 22:34:31 check_reload_status: Reloading filter
Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 22:34:26 php-fpm[83939]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:24 check_reload_status: Reloading filter
Feb 28 22:34:24 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 22:34:24 check_reload_status: Restarting ipsec tunnels
Feb 28 22:34:24 check_reload_status: updating dyndns GATEWAY
Feb 28 22:34:17 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:14 check_reload_status: Reloading filter
Feb 28 22:34:14 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 22:34:14 check_reload_status: Restarting ipsec tunnels
Feb 28 22:34:14 check_reload_status: updating dyndns GATEWAY
Feb 28 21:43:47 php-fpm[79683]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:43:46 check_reload_status: Reloading filter
Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:43:38 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:43:37 check_reload_status: Reloading filter
Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:43:32 php-fpm[78791]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:30 check_reload_status: Reloading filter
Feb 28 21:43:30 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:43:30 check_reload_status: Restarting ipsec tunnels
Feb 28 21:43:30 check_reload_status: updating dyndns GATEWAY
Feb 28 21:43:22 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:20 check_reload_status: Reloading filter
Feb 28 21:43:20 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:43:20 check_reload_status: Restarting ipsec tunnels
Feb 28 21:43:20 check_reload_status: updating dyndns GATEWAY
Feb 28 21:38:56 php-fpm[32154]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:38:55 check_reload_status: Reloading filter
Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:38:47 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:38:46 check_reload_status: Reloading filter
Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:38:41 php-fpm[30309]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:38 check_reload_status: Reloading filter
Feb 28 21:38:38 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:38:38 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:38 check_reload_status: updating dyndns GATEWAY
Feb 28 21:38:31 php-fpm[89447]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:29 check_reload_status: Reloading filter
Feb 28 21:38:29 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:38:29 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:29 check_reload_status: updating dyndns GATEWAY

Its a very strange issue and it is inexplicable to me, what causes this issue,
because we haven't changed anything at the configuration of the IPSec settings.

Thanks in advance and best regards,
Niklas

Guest

Not installing NAT reflection rules for a port range > 500

Something is trying to get from the internal LAN through the WAN interface to connect in
the DMZ or LAN homed Servers and there are no rules for NAT reflection (Hairpin NAT)
could this be a problem too?

IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.

Is there in the other LAN perhaps something likes an enabled DHCP Server that is giving
new IP addresses to servers or other devices that should be sorted more with static IP addresses?