    Rekey fails then restarts
      doctorray

      Hello,

      I'm having an issue that my IPsec VPN drops for about two minutes periodically.  I am connected to an AWS VPC, but I'm not convinced that's the reason (I did read some of the how-tos for reference).  It is set up with BGP dynamic routing to both tunnel endpoints without issue, except for this rekey problem.  It gives up after a minute and a half, then restarts, and connects successfully, and packets start flowing again.  Here are the relevant log lines:

      14:05:11 charon: 10[KNL] creating rekey job for ESP CHILD_SA with SPI cb8481b9 and reqid {1}
      14:05:11 charon: 10[IKE] <con1|18> establishing CHILD_SA con1{1}
      14:05:11 charon: 10[IKE] establishing CHILD_SA con1{1}
      14:05:11 charon: 10[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
      14:05:11 charon: 10[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (396 bytes)
      14:05:15 charon: 10[KNL] creating rekey job for ESP CHILD_SA with SPI 94bbd318 and reqid {1}
      14:05:15 charon: 12[IKE] <con1|18> retransmit 1 of request with message ID 2
      14:05:15 charon: 12[IKE] retransmit 1 of request with message ID 2
      14:05:15 charon: 12[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (396 bytes)
      14:05:23 charon: 12[IKE] <con1|18> retransmit 2 of request with message ID 2
      14:05:23 charon: 12[IKE] retransmit 2 of request with message ID 2
      14:05:23 charon: 12[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (396 bytes)
      14:05:35 charon: 10[IKE] <con1|18> retransmit 3 of request with message ID 2
      14:05:35 charon: 10[IKE] retransmit 3 of request with message ID 2
      14:05:35 charon: 10[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (396 bytes)
      14:05:59 charon: 10[IKE] <con1|18> retransmit 4 of request with message ID 2
      14:05:59 charon: 10[IKE] retransmit 4 of request with message ID 2
      14:05:59 charon: 10[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (396 bytes)
      14:06:41 charon: 10[IKE] <con1|18> retransmit 5 of request with message ID 2
      14:06:41 charon: 10[IKE] retransmit 5 of request with message ID 2
      14:06:41 charon: 10[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (396 bytes)
      14:07:57 charon: 06[IKE] <con1|18> giving up after 5 retransmits
      14:07:57 charon: 06[IKE] giving up after 5 retransmits
      14:07:57 charon: 06[IKE] <con1|18> restarting CHILD_SA con1
      14:07:57 charon: 06[IKE] restarting CHILD_SA con1

      xx.xx.xx.xx is my IP, yy.yy.yy.yy is the AWS IP.  Afterwards it continues to reconnect, and maintains for a little while without issue.  Then, maybe 45 minutes later, the whole process will repeat.

      I appreciate any thoughts anyone has regarding keeping the connection stable.  I'm in VMware ESXi 5.1 Update 1 with pfSense v2.2 right now, but have ordered two of the Netgate 1U Supermicro boxes and plan on transitioning to that hardware in a couple of weeks.  Thanks,

      Ray

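The log above has the shape of a request that never gets an answer: the gaps between the six sends (4, 8, 12, 24, 42 and 76 s) track strongSwan's default retransmit schedule (retransmit_timeout 4.0 s, multiplied by retransmit_base 1.8 after each send, for retransmit_tries 5), so the tunnel is down for the full 166 s that schedule takes before charon gives up and restarts the CHILD_SA. Pulling those exchanges out of a charon log and checking them against the schedule is a quick way to tell "the peer never replied, or the replies were dropped" apart from a proposal or authentication error, which the peer answers with a notify rather than silence. The following is an added example, not code from this thread or from pfSense or strongSwan; the sample log is constructed from the lines quoted above, the field names in the returned records are my own, and the default values are the charon.retransmit_* defaults from strongswan.conf.

```python
import re

# Constructed sample, modelled on the charon lines quoted in the post above
# (xx/yy are the poster's own address placeholders).  The untagged duplicate
# lines that pfSense writes alongside the tagged ones are included to show
# that the parser skips them.
SAMPLE_LOG = """\
14:05:11 charon: 10[KNL] creating rekey job for ESP CHILD_SA with SPI cb8481b9 and reqid {1}
14:05:11 charon: 10[IKE] <con1|18> establishing CHILD_SA con1{1}
14:05:11 charon: 10[IKE] establishing CHILD_SA con1{1}
14:05:11 charon: 10[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
14:05:11 charon: 10[NET] sending packet: from xx.xx.xx.xx[500] to yy.yy.yy.yy[500] (396 bytes)
14:05:15 charon: 12[IKE] <con1|18> retransmit 1 of request with message ID 2
14:05:15 charon: 12[IKE] retransmit 1 of request with message ID 2
14:05:23 charon: 12[IKE] <con1|18> retransmit 2 of request with message ID 2
14:05:35 charon: 10[IKE] <con1|18> retransmit 3 of request with message ID 2
14:05:59 charon: 10[IKE] <con1|18> retransmit 4 of request with message ID 2
14:06:41 charon: 10[IKE] <con1|18> retransmit 5 of request with message ID 2
14:07:57 charon: 06[IKE] <con1|18> giving up after 5 retransmits
14:07:57 charon: 06[IKE] <con1|18> restarting CHILD_SA con1
"""

# "HH:MM:SS charon: <thread>[GROUP] <ike_sa|id> message"; the <ike_sa|id> tag is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) charon: \d+\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")


def _seconds(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def expected_backoff(tries=5, timeout=4.0, base=1.8):
    """Seconds charon waits after each send before the next retransmit (and,
    after the last one, before giving up): timeout * base**n.  The defaults
    are strongswan.conf's charon.retransmit_tries/_timeout/_base."""
    return [timeout * base ** n for n in range(tries + 1)]


def analyze_rekey_failures(log_text, tolerance=1.5):
    """Return one record per CHILD_SA exchange that ended in 'giving up'.

    tolerance absorbs the 1 s resolution of the log timestamps when the
    observed gaps are compared with the expected schedule."""
    pending = {}            # IKE_SA tag -> exchange still waiting for a reply
    failures = []
    last_t, day_offset = None, 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["sa"] is None:
            continue        # untagged copies only repeat the tagged line
        t = _seconds(m["ts"]) + day_offset
        if last_t is not None and t < last_t:       # log wrapped past midnight
            day_offset += 86400
            t += 86400
        last_t = t
        sa, msg = m["sa"], m["msg"]
        if msg.startswith("establishing CHILD_SA"):
            pending[sa] = {"ike_sa": sa, "child_sa": msg.split()[-1],
                           "message_id": None, "sends": [t]}
            continue
        ex = pending.get(sa)
        if ex is None:
            continue
        rt = RETRANSMIT_RE.search(msg)
        if rt:
            ex["sends"].append(t)
            ex["message_id"] = int(rt.group(2))
        elif "established with SPIs" in msg:
            pending.pop(sa)                          # peer answered: rekey succeeded
        elif msg.startswith("giving up after"):
            events = ex["sends"] + [t]
            intervals = [b - a for a, b in zip(events, events[1:])]
            expected = expected_backoff(len(ex["sends"]) - 1)
            ex.update({
                "retransmits": len(ex["sends"]) - 1,
                "intervals": intervals,
                "outage_seconds": t - ex["sends"][0],
                # Gaps that follow the schedule mean no reply ever arrived;
                # an early end would mean a reply (for example a notify) came back.
                "matches_default_backoff": len(intervals) == len(expected)
                    and all(abs(o - e) <= tolerance for o, e in zip(intervals, expected)),
                "recovered": False,
            })
            failures.append(ex)
        elif msg.startswith("restarting CHILD_SA"):
            ex["recovered"] = True                   # charon re-initiated the CHILD_SA
            pending.pop(sa)
    return failures


if __name__ == "__main__":
    for f in analyze_rekey_failures(SAMPLE_LOG):
        print(f"{f['ike_sa']} msg {f['message_id']}: {f['retransmits']} retransmits, "
              f"no reply for {f['outage_seconds']} s, gaps {f['intervals']}, "
              f"default backoff: {f['matches_default_backoff']}, restarted: {f['recovered']}")
```

Run against the sample it reports a single exchange on IKE_SA con1|18, message ID 2, with five retransmits and no reply for 166 s, gaps matching the default schedule, followed by a restart. Feeding it a longer log from the firewall shows how regularly the failures recur and whether every one of them is a silent timeout of this kind, which is the first thing to establish before looking at the path between the two endpoints during those windows.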
        eri--

        This seems like a routing issue to me.

          doctorray

          What do you mean, a routing issue?  The tunnel works 98% of the time, then will drop out for two minutes.  All the networks are reachable from where they expect to be reachable from.  Thanks for your response, I'd like to look into it more if it's actually a potential cause.
