IPSec Tunnel down all of a sudden with no changes. Can access both ends.
-
So with no changes to my IPSec tunnel config (hasn't changed since I set it up months ago), it is showing as down today. My IPSec logs are showing the following:
Aug 9 10:12:29 charon 09[IKE] <con1|12> IKE_SA con1[12] state change: CONNECTING => DESTROYING
Aug 9 10:12:29 charon 09[CHD] <con1|12> CHILD_SA con1{9} state change: CREATED => DESTROYING
Aug 9 10:12:29 charon 09[IKE] <con1|12> received AUTHENTICATION_FAILED notify error
Aug 9 10:12:29 charon 09[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 9 10:12:29 charon 09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] to SITE1_WAN_IP[500] (65 bytes)
Aug 9 10:12:29 charon 09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (309 bytes)
Aug 9 10:12:29 charon 09[ENC] <con1|12> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Aug 9 10:12:29 charon 09[IKE] <con1|12> establishing CHILD_SA con1{9} reqid 2
Aug 9 10:12:29 charon 09[CFG] <con1|12> configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ
Aug 9 10:12:29 charon 09[CFG] <con1|12> 192.168.2.0/24|/0
Aug 9 10:12:29 charon 09[CFG] <con1|12> proposing traffic selectors for other:
Aug 9 10:12:29 charon 09[CFG] <con1|12> 10.0.10.0/24|/0
Aug 9 10:12:29 charon 09[CFG] <con1|12> proposing traffic selectors for us:
Aug 9 10:12:29 charon 09[IKE] <con1|12> successfully created shared key MAC
Aug 9 10:12:29 charon 09[IKE] <con1|12> authentication of 'SITE1_WAN_IP' (myself) with pre-shared key
Aug 9 10:12:29 charon 09[IKE] <con1|12> IKE_AUTH task
Aug 9 10:12:29 charon 09[IKE] <con1|12> IKE_CERT_PRE task
Aug 9 10:12:29 charon 09[IKE] <con1|12> reinitiating already active tasks
Aug 9 10:12:29 charon 09[CFG] <con1|12> received supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 9 10:12:29 charon 09[CFG] <con1|12> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:29 charon 09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:29 charon 09[CFG] <con1|12> received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:29 charon 09[CFG] <con1|12> proposal matches
Aug 9 10:12:29 charon 09[CFG] <con1|12> selecting proposal:
Aug 9 10:12:29 charon 09[IKE] <con1|12> received SIGNATURE_HASH_ALGORITHMS notify
Aug 9 10:12:29 charon 09[IKE] <con1|12> received FRAGMENTATION_SUPPORTED notify
Aug 9 10:12:29 charon 09[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 9 10:12:29 charon 09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] to SITE1_WAN_IP[500] (456 bytes)
Aug 9 10:12:28 charon 09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (456 bytes)
Aug 9 10:12:28 charon 09[ENC] <con1|12> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 9 10:12:28 charon 09[CFG] <con1|12> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Aug 9 10:12:28 charon 09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:28 charon 09[IKE] <con1|12> IKE_SA con1[12] state change: CREATED => CONNECTING
Aug 9 10:12:28 charon 09[IKE] <con1|12> initiating IKE_SA con1[12] to SITE2_WAN_IP
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_AUTH_LIFETIME task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating CHILD_CREATE task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_CONFIG task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_CERT_POST task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_AUTH task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_CERT_PRE task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_NATD task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_INIT task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating IKE_VENDOR task
Aug 9 10:12:28 charon 09[IKE] <con1|12> activating new tasks
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing CHILD_CREATE task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_AUTH_LIFETIME task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_CONFIG task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_CERT_POST task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_AUTH task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_CERT_PRE task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_NATD task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_INIT task
Aug 9 10:12:28 charon 09[IKE] <con1|12> queueing IKE_VENDOR task
Aug 9 10:12:28 charon 09[KNL] creating acquire job for policy SITE1_WAN_IP/32|/0 === SITE2_WAN_IP/32|/0 with reqid {2}
WAN is up on both ends, I can access via Teamviewer. Not sure where to start here since nothing has changed.
-
So turns out that the SITE1 IP address changed last night. Even though I'm using Dynamic DNS on both ends and both ends recognized the change, the tunnel would not reconnect until a reboot, which has now fixed the issue. Weird one.
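As an added triage helper for the log above and the follow-up (this is example code, not from the post, pfSense or strongSwan): it groups charon lines by IKE_SA and flags the pattern seen here, a completed IKE_SA_INIT with a selected proposal followed by AUTHENTICATION_FAILED during pre-shared-key authentication, which points at an identity/PSK lookup problem on the peer (such as a stale peer address after the WAN IP change) rather than at ciphers or reachability. The excerpt it parses is taken from the post, with the poster's redacted addresses left in place.

```python
import re
from collections import defaultdict

# Excerpt of the charon log quoted in the post (addresses redacted by the
# poster). pfSense lists newest entries first; the parser ignores order.
LOG = """\
Aug 9 10:12:29 charon 09[IKE] <con1|12> received AUTHENTICATION_FAILED notify error
Aug 9 10:12:29 charon 09[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 9 10:12:29 charon 09[IKE] <con1|12> authentication of 'SITE1_WAN_IP' (myself) with pre-shared key
Aug 9 10:12:29 charon 09[CFG] <con1|12> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
Aug 9 10:12:29 charon 09[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Aug 9 10:12:28 charon 09[IKE] <con1|12> initiating IKE_SA con1[12] to SITE2_WAN_IP
Aug 9 10:12:28 charon 09[KNL] creating acquire job for policy SITE1_WAN_IP/32|/0 === SITE2_WAN_IP/32|/0 with reqid {2}
"""

# "<ts> charon <thread>[<group>] <conn|uid> <msg>"; the <conn|uid> tag is
# absent on lines not tied to an IKE_SA, such as the KNL acquire job.
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d charon \d+\[\w+\]"
                     r"(?: <(?P<conn>[^|>]+)\|(?P<uid>\d+)>)? (?P<msg>.*)$")
IDENT_RE = re.compile(r"authentication of '(?P<id>[^']+)' \(myself\) with (?P<method>.+)")

def parse_charon(text):
    """Group charon messages by IKE_SA, keyed on (connection name, unique id)."""
    sas = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["conn"]:
            sas[(m["conn"], int(m["uid"]))].append(m["msg"])
    return sas

def diagnose(msgs):
    """Classify one IKE_SA attempt: did IKE_SA_INIT complete, did IKE_AUTH fail?"""
    d = {"ike_sa_init_ok": False, "auth_failed": False,
         "local_id": None, "auth_method": None, "likely_cause": None}
    for msg in msgs:
        if msg.startswith("parsed IKE_SA_INIT response"):
            d["ike_sa_init_ok"] = True
        elif "received AUTHENTICATION_FAILED notify" in msg:
            d["auth_failed"] = True
        elif (im := IDENT_RE.search(msg)):
            d["local_id"], d["auth_method"] = im["id"], im["method"]
    if d["ike_sa_init_ok"] and d["auth_failed"]:
        # IKE_SA_INIT was answered and a proposal selected, so ciphers and
        # reachability are fine; the peer rejected us at IKE_AUTH. With a PSK and
        # an address-based identity, the peer could not match our identity to a PSK.
        d["likely_cause"] = ("identity/PSK mismatch for %r" % d["local_id"]
                             if d["auth_method"] == "pre-shared key"
                             else "peer rejected IKE_AUTH")
    return d
```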