Netgate Discussion Forum

    IPSEC VPN Drops around 40 seconds.

    IPsec
    TomT

      Hi

      We've set up an IPsec VPN between a pfSense and a Draytek 2860 router.

      The connection establishes and we have been able to ping across the VPN; however, after approximately 40 seconds the VPN disconnects.

      On other pfSense firewalls we have IPsec VPNs configured the same as this one and they are working fine with no issues.

      We've no idea why this one drops. The logs show as follows.

      For privacy, X.X.X.X is our IP address and Y.Y.Y.Y is the Draytek.

      Jun 26 11:54:30	charon		11[CFG] received stroke: initiate 'con2000'
      Jun 26 11:54:30	charon		14[IKE] <con2000|27> initiating Main Mode IKE_SA con2000[27] to X.X.X.X
      Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating ID_PROT request 0 [ SA V V V V V ]
      Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (180 bytes)
      Jun 26 11:54:30	charon		14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (124 bytes)
      Jun 26 11:54:30	charon		14[ENC] <con2000|27> parsed ID_PROT response 0 [ SA V V ]
      Jun 26 11:54:30	charon		14[IKE] <con2000|27> received DPD vendor ID
      Jun 26 11:54:30	charon		14[IKE] <con2000|27> received NAT-T (RFC 3947) vendor ID
      Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (244 bytes)
      Jun 26 11:54:30	charon		14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (228 bytes)
      Jun 26 11:54:30	charon		14[ENC] <con2000|27> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
      Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (108 bytes)
      Jun 26 11:54:30	charon		14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
      Jun 26 11:54:30	charon		14[ENC] <con2000|27> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
      Jun 26 11:54:30	charon		14[IKE] <con2000|27> IKE_SA con2000[27] established between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
      Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating QUICK_MODE request 2802525773 [ HASH SA No KE ID ID ]
      Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (316 bytes)
      Jun 26 11:54:30	charon		05[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (284 bytes)
      Jun 26 11:54:30	charon		05[ENC] <con2000|27> parsed QUICK_MODE response 2802525773 [ HASH SA No KE ID ID ]
      Jun 26 11:54:30	charon		05[IKE] <con2000|27> received 28800s lifetime, configured 0s
      Jun 26 11:54:30	charon		05[IKE] <con2000|27> CHILD_SA con2000{21} established with SPIs cd528724_i d25fd0ff_o and TS 10.0.40.0/24|/0 === 192.168.9.0/24|/0
      Jun 26 11:54:30	charon		05[ENC] <con2000|27> generating QUICK_MODE request 2802525773 [ HASH ]
      Jun 26 11:54:30	charon		05[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (60 bytes)
      Jun 26 11:54:30	charon		05[JOB] <con1000|24> DPD check timed out, enforcing DPD action
      Jun 26 11:54:41	charon		06[IKE] <con2000|27> sending DPD request
      Jun 26 11:54:41	charon		06[ENC] <con2000|27> generating INFORMATIONAL_V1 request 677304989 [ HASH N(DPD) ]
      Jun 26 11:54:41	charon		06[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
      Jun 26 11:54:41	charon		06[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
      Jun 26 11:54:41	charon		06[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3107884362 [ HASH N(DPD_ACK) ]
      Jun 26 11:54:52	charon		15[IKE] <con2000|27> sending DPD request
      Jun 26 11:54:52	charon		15[ENC] <con2000|27> generating INFORMATIONAL_V1 request 2696916538 [ HASH N(DPD) ]
      Jun 26 11:54:52	charon		15[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
      Jun 26 11:54:52	charon		15[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
      Jun 26 11:54:52	charon		15[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3479537267 [ HASH N(DPD_ACK) ]
      Jun 26 11:55:02	charon		13[IKE] <con2000|27> sending DPD request
      Jun 26 11:55:02	charon		13[ENC] <con2000|27> generating INFORMATIONAL_V1 request 3095528711 [ HASH N(DPD) ]
      Jun 26 11:55:02	charon		13[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
      Jun 26 11:55:02	charon		13[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
      Jun 26 11:55:02	charon		13[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3634033780 [ HASH N(DPD_ACK) ]
      Jun 26 11:55:12	charon		10[IKE] <con2000|27> sending DPD request
      Jun 26 11:55:12	charon		10[ENC] <con2000|27> generating INFORMATIONAL_V1 request 232827829 [ HASH N(DPD) ]
      Jun 26 11:55:12	charon		10[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
      Jun 26 11:55:12	charon		10[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
      Jun 26 11:55:12	charon		10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 4109418882 [ HASH N(DPD_ACK) ]
      Jun 26 11:55:15	charon		10[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
      Jun 26 11:55:15	charon		10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3176547172 [ HASH D ]
      Jun 26 11:55:15	charon		10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]
      Jun 26 11:55:15	charon		10[IKE] <con2000|27> deleting IKE_SA con2000[27] between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
      

      Anyone have any ideas what's causing this and how we can resolve it?

      Thanks

      Derelict (LAYER 8, Netgate)

        @tomt said in IPSEC VPN Drops around 40 seconds.:

        Jun 26 11:55:15 charon 10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]

        The other side is deleting the tunnel. You probably need to look at the logs there to see what it doesn't like. pfSense is just doing as it has been told.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          gerdesj
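Derelict's reading of the log can be checked mechanically rather than by eye. The following is an added example, not code from the thread, from pfSense or from strongSwan: a small Python script that groups charon lines by their `<connection|SA-id>` tag, counts DPD requests and acknowledgements per IKE_SA, and reports which side ended the SA (a `received DELETE` line means the peer tore it down; a `DPD check timed out` line means the local side gave up on an unresponsive peer) together with the SA's uptime. It runs over a constructed subset of the lines from the first post. The year used for timestamp arithmetic is an assumption, since syslog timestamps carry none. Note that the `DPD check timed out` line in the posted log belongs to `con1000|24`, a different SA, so grouping per SA keeps it from being mistaken for the cause of con2000's drop.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the charon lines quoted in the first post,
# with X.X.X.X / Y.Y.Y.Y left exactly as the poster masked them.
SAMPLE_LOG = """\
Jun 26 11:54:30 charon 11[CFG] received stroke: initiate 'con2000'
Jun 26 11:54:30 charon 14[IKE] <con2000|27> initiating Main Mode IKE_SA con2000[27] to X.X.X.X
Jun 26 11:54:30 charon 14[IKE] <con2000|27> IKE_SA con2000[27] established between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
Jun 26 11:54:30 charon 05[IKE] <con2000|27> received 28800s lifetime, configured 0s
Jun 26 11:54:30 charon 05[IKE] <con2000|27> CHILD_SA con2000{21} established with SPIs cd528724_i d25fd0ff_o and TS 10.0.40.0/24|/0 === 192.168.9.0/24|/0
Jun 26 11:54:30 charon 05[JOB] <con1000|24> DPD check timed out, enforcing DPD action
Jun 26 11:54:41 charon 06[IKE] <con2000|27> sending DPD request
Jun 26 11:54:41 charon 06[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3107884362 [ HASH N(DPD_ACK) ]
Jun 26 11:54:52 charon 15[IKE] <con2000|27> sending DPD request
Jun 26 11:54:52 charon 15[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3479537267 [ HASH N(DPD_ACK) ]
Jun 26 11:55:15 charon 10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3176547172 [ HASH D ]
Jun 26 11:55:15 charon 10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]
Jun 26 11:55:15 charon 10[IKE] <con2000|27> deleting IKE_SA con2000[27] between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
"""

# Matches "<timestamp> charon <thread>[<group>] <conn|sa> <message>"; lines without
# the <conn|sa> tag (e.g. the stroke line) are not SA-specific and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon\s+"
    r"\d+\[(?P<group>\w+)\]\s+<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$"
)


def parse_ts(ts):
    # Assumption: syslog timestamps carry no year, so every line is parsed into
    # strptime's default year; that is enough for durations within one day.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def analyze(log_text):
    """Group charon lines per (connection, SA id) and summarise each IKE_SA's life."""
    sas = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = (m["conn"], int(m["sa"]))
        s = sas.setdefault(key, {
            "established": None, "ended": None, "outcome": "open",
            "dpd_sent": 0, "dpd_acked": 0, "notes": [],
        })
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if "IKE_SA" in msg and "established between" in msg:
            s["established"] = ts
        elif msg.startswith("sending DPD request"):
            s["dpd_sent"] += 1
        elif "N(DPD_ACK)" in msg:
            s["dpd_acked"] += 1
        elif msg.startswith("received DELETE for IKE_SA"):
            # The peer asked us to tear the SA down; our side is only complying.
            s["outcome"], s["ended"] = "peer_deleted", ts
        elif msg.startswith("DPD check timed out"):
            # Our side gave up because the peer stopped answering DPD.
            s["outcome"], s["ended"] = "local_dpd_timeout", ts
        elif "lifetime, configured" in msg:
            s["notes"].append(msg)  # kept for the reader; not treated as a cause
    for s in sas.values():
        if s["established"] and s["ended"]:
            s["uptime_s"] = int((s["ended"] - s["established"]).total_seconds())
        else:
            s["uptime_s"] = None
    return sas


def diagnose(key, s):
    """One-line verdict: which side ended the SA and whether DPD was healthy."""
    conn, sa = key
    who = {
        "peer_deleted": "peer sent DELETE (check the remote device's logs)",
        "local_dpd_timeout": "local DPD timeout (peer stopped answering)",
        "open": "still up",
    }[s["outcome"]]
    dpd = f"DPD {s['dpd_acked']}/{s['dpd_sent']} answered"
    up = f"after {s['uptime_s']} s" if s["uptime_s"] is not None else "uptime unknown"
    return f"{conn}[{sa}]: {who}, {up}, {dpd}"


if __name__ == "__main__":
    for key, summary in analyze(SAMPLE_LOG).items():
        print(diagnose(key, summary))
```

On the sample this reports con2000[27] as ended by a peer DELETE after 45 s with every DPD request answered, which is the same conclusion as the reply above: DPD was working, nothing on the pfSense side timed out, and the reason for the delete has to come from the Draytek's logs.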

          On the Draytek, disable ping to keep alive if it is enabled ...

            TomT

            Thanks for the replies.
            This is still happening, and ping from the Draytek is disabled.

            Stuck as to why.

              jimp (Rebel Alliance Developer, Netgate)

              What do the logs on the Draytek say?

              pfSense can't tell you why the Draytek sent the delete command, only the Draytek can.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.