IPSEC VPN Drops around 40 seconds.

TomT

Hi

We've set up a IPSEC VPN between a pfSense and a Draytek 2860 router.

The connection establishes and we have been able to ping across the VPN, however after approx 40 seconds the VPN disconnects..

On other pfSense firewalls we have IPSEC VPN's configured the same as this one and they are working fine with no issues.

We've no idea why this one drops. The logs show as follows.

For privacy X.X.X.X is our IP Address & Y.Y.Y.Y is the Draytek

Jun 26 11:54:30	charon		11[CFG] received stroke: initiate 'con2000'
Jun 26 11:54:30	charon		14[IKE] <con2000|27> initiating Main Mode IKE_SA con2000[27] to X.X.X.X
Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating ID_PROT request 0 [ SA V V V V V ]
Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (180 bytes)
Jun 26 11:54:30	charon		14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (124 bytes)
Jun 26 11:54:30	charon		14[ENC] <con2000|27> parsed ID_PROT response 0 [ SA V V ]
Jun 26 11:54:30	charon		14[IKE] <con2000|27> received DPD vendor ID
Jun 26 11:54:30	charon		14[IKE] <con2000|27> received NAT-T (RFC 3947) vendor ID
Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (244 bytes)
Jun 26 11:54:30	charon		14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (228 bytes)
Jun 26 11:54:30	charon		14[ENC] <con2000|27> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (108 bytes)
Jun 26 11:54:30	charon		14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:54:30	charon		14[ENC] <con2000|27> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 26 11:54:30	charon		14[IKE] <con2000|27> IKE_SA con2000[27] established between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
Jun 26 11:54:30	charon		14[ENC] <con2000|27> generating QUICK_MODE request 2802525773 [ HASH SA No KE ID ID ]
Jun 26 11:54:30	charon		14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (316 bytes)
Jun 26 11:54:30	charon		05[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (284 bytes)
Jun 26 11:54:30	charon		05[ENC] <con2000|27> parsed QUICK_MODE response 2802525773 [ HASH SA No KE ID ID ]
Jun 26 11:54:30	charon		05[IKE] <con2000|27> received 28800s lifetime, configured 0s
Jun 26 11:54:30	charon		05[IKE] <con2000|27> CHILD_SA con2000{21} established with SPIs cd528724_i d25fd0ff_o and TS 10.0.40.0/24|/0 === 192.168.9.0/24|/0
Jun 26 11:54:30	charon		05[ENC] <con2000|27> generating QUICK_MODE request 2802525773 [ HASH ]
Jun 26 11:54:30	charon		05[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (60 bytes)
Jun 26 11:54:30	charon		05[JOB] <con1000|24> DPD check timed out, enforcing DPD action
Jun 26 11:54:41	charon		06[IKE] <con2000|27> sending DPD request
Jun 26 11:54:41	charon		06[ENC] <con2000|27> generating INFORMATIONAL_V1 request 677304989 [ HASH N(DPD) ]
Jun 26 11:54:41	charon		06[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:54:41	charon		06[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:54:41	charon		06[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3107884362 [ HASH N(DPD_ACK) ]
Jun 26 11:54:52	charon		15[IKE] <con2000|27> sending DPD request
Jun 26 11:54:52	charon		15[ENC] <con2000|27> generating INFORMATIONAL_V1 request 2696916538 [ HASH N(DPD) ]
Jun 26 11:54:52	charon		15[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:54:52	charon		15[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:54:52	charon		15[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3479537267 [ HASH N(DPD_ACK) ]
Jun 26 11:55:02	charon		13[IKE] <con2000|27> sending DPD request
Jun 26 11:55:02	charon		13[ENC] <con2000|27> generating INFORMATIONAL_V1 request 3095528711 [ HASH N(DPD) ]
Jun 26 11:55:02	charon		13[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:55:02	charon		13[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:55:02	charon		13[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3634033780 [ HASH N(DPD_ACK) ]
Jun 26 11:55:12	charon		10[IKE] <con2000|27> sending DPD request
Jun 26 11:55:12	charon		10[ENC] <con2000|27> generating INFORMATIONAL_V1 request 232827829 [ HASH N(DPD) ]
Jun 26 11:55:12	charon		10[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:55:12	charon		10[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:55:12	charon		10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 4109418882 [ HASH N(DPD_ACK) ]
Jun 26 11:55:15	charon		10[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:55:15	charon		10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3176547172 [ HASH D ]
Jun 26 11:55:15	charon		10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]
Jun 26 11:55:15	charon		10[IKE] <con2000|27> deleting IKE_SA con2000[27] between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]

Anyone any ideas what causing this and how we can resolve it ?

Thanks

Derelict

@tomt said in IPSEC VPN Drops around 40 seconds.:

Jun 26 11:55:15 charon 10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]

The other side is deleting the tunnel. You probably need to look at the logs there to see what it doesn't like. pfSense is just doing as it has been told.

gerdesj

On the Draytek, disable ping to keep alive if it is enabled ...

TomT

Thanks for the replies.
This is still happening and ping from the draytek is disabled.

Stuck as to why..

jimp

What do the logs on the Draytek say?

pfSense can't tell you why the Draytek sent the delete command, only the Draytek can.