Cannot re-initialize traffic on IPSEC from both endpoints



  • This has been driving me crazy. I've been digging through the forums but I can't seem to find a solution.

    I have an IPSEC tunnel configured between Site A and Site B that works perfectly. The tunnel stays connected and traffic stops routing when the tunnel is idle. When any traffic attempts to cross the tunnel from either end it starts routing again automatically.

    I've established a new connection between Site A and Site C and have configured the tunnel identically apart from peer names and the PSK. For some reason, this tunnel also stays connected, but when it stops routing traffic after being idle for a few minutes, the traffic can only be re-initiated from Site C. I have DPD enabled at both ends and both Phase 2s are configured to ping something on the other end. I have a monitoring system at Site A that pings a host at Site C but only every 15 minutes, which isn't enough to keep the traffic flowing. If I set up a ping at Site C back to Site A then it will stay up, but that seems unnecessary given that everything works perfectly with the tunnel between Site A and Site B. Has anyone got any ideas on what I'm missing?

    SITE A ipsec.conf
    conn bypasslan
            leftsubnet = 10.252.252.0/24
            rightsubnet = 10.252.252.0/24
            authby = never
            type = passthrough
            auto = route

    conn con1003
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = XXX.XXX.XXX.XXX
            right = XXX.XXX.XXX.XXX
            leftid = fqdn:xxxx.xxxx.xx
            ikelifetime = 28800s
            lifetime = 3600s
            ike = 3des-sha1-modp1024!
            esp = 3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = XXX.XXX.XXX.XXX
            aggressive = no
            rightsubnet = 192.168.168.0/23
            leftsubnet = 10.252.252.25/32

    conn con2000
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = XXX.XXX.XXX.XXX
            right = xxxxxx.xxxxxxxxx.xxx
            leftid = fqdn:xxxx.xxxxxxxxxxx.xxx
            ikelifetime = 28800s
            lifetime = 3600s
            ike = 3des-sha1-modp1024!
            esp = 3des-md5-modp1024,3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = fqdn:xxxxxxx.xxxxxxxxx.xx
            aggressive = no
            rightsubnet = 10.15.47.0/24
            leftsubnet = 10.252.252.0/24

    SITE C ipsec.conf
    config setup
            uniqueids = yes
            charondebug=""

    conn con1000
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            forceencaps = no
            mobike = no
            rekey = yes
            installpolicy = yes
            type = tunnel
            dpdaction = restart
            dpddelay = 10s
            dpdtimeout = 60s
            auto = route
            left = XXX.XXX.XXX.XXX
            right = xxxx.xxxxxxxxxxxx.xxx
            leftid = fqdn:xxxxxxx.xxxxxxxxx.xxx
            ikelifetime = 28800s
            lifetime = 3600s
            ike = 3des-sha1-modp1024!
            esp = 3des-md5-modp1024,3des-sha1-modp1024!
            leftauth = psk
            rightauth = psk
            rightid = fqdn:xxxx.xxxxxxxxxxxx.xxx
            aggressive = no
            rightsubnet = 10.252.252.0/24
            leftsubnet = 10.15.47.0/24

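The post above compares two tunnels whose ipsec.conf sections are meant to be mirror images of each other, and the first thing a practitioner would want is a mechanical check that they actually are. The script below is an added example, not code from the poster or from pfSense/strongSwan: it parses the conn sections of an ipsec.conf, checks that the two ends of one tunnel mirror each other (leftsubnet against the peer's rightsubnet, leftid against the peer's rightid, overlapping ike/esp proposals, matching keyexchange/type/dpdaction), and separately flags the legacy algorithms (3DES, MD5, SHA-1, MODP-1024) used in the posted proposals. The two config fragments are constructed to match the con2000/con1000 sections above; the peer addresses and FQDNs (192.0.2.10, site-a.example.net and so on) are placeholders, not the poster's redacted values.

```python
"""Audit the two ends of a strongSwan ipsec.conf tunnel for asymmetries and weak crypto."""
from collections import OrderedDict

# Constructed ipsec.conf fragments modelled on con2000 (Site A) and con1000 (Site C)
# from the post above. Addresses and FQDNs are placeholders, not the poster's values.
SITE_A_CONF = """\
conn con2000
        keyexchange = ikev1
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = 192.0.2.10
        right = site-c.example.net
        leftid = fqdn:site-a.example.net
        ike = 3des-sha1-modp1024!
        esp = 3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = fqdn:site-c.example.net
        rightsubnet = 10.15.47.0/24
        leftsubnet = 10.252.252.0/24
"""

SITE_C_CONF = """\
config setup
        uniqueids = yes
        charondebug=""

conn con1000
        keyexchange = ikev1
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = 198.51.100.20
        right = site-a.example.net
        leftid = fqdn:site-c.example.net
        ike = 3des-sha1-modp1024!
        esp = 3des-md5-modp1024,3des-sha1-modp1024!
        leftauth = psk
        rightauth = psk
        rightid = fqdn:site-a.example.net
        rightsubnet = 10.252.252.0/24
        leftsubnet = 10.15.47.0/24
"""

# Algorithm tokens that should not appear in a new tunnel's proposals.
WEAK_TOKENS = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section; 'config' sections are skipped."""
    conns = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line is a section header: 'conn NAME' or 'config setup'
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conns


def proposals(value):
    """'3des-md5-modp1024,aes256-sha256-modp2048!' -> set of individual proposals (strict '!' dropped)."""
    return {p.strip() for p in value.rstrip("!").split(",") if p.strip()}


def weak_algorithms(conn):
    """Legacy algorithm tokens used anywhere in the conn's ike= and esp= proposals."""
    found = set()
    for key in ("ike", "esp"):
        for prop in proposals(conn.get(key, "")):
            found.update(tok for tok in prop.split("-") if tok in WEAK_TOKENS)
    return found


def compare_peers(local, remote):
    """Findings about two conn sections that are supposed to describe the same tunnel."""
    findings = []
    # Left/right settings must mirror: my leftsubnet is your rightsubnet, my leftid is your rightid.
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"),
                         ("leftid", "rightid"), ("rightid", "leftid"),
                         ("leftauth", "rightauth"), ("rightauth", "leftauth")):
        if local.get(mine) != remote.get(theirs):
            findings.append(f"{mine}={local.get(mine)} does not mirror peer {theirs}={remote.get(theirs)}")
    # Each side must offer at least one proposal the other side accepts.
    for key in ("ike", "esp"):
        if not proposals(local.get(key, "")) & proposals(remote.get(key, "")):
            findings.append(f"no common {key} proposal")
    for key in ("keyexchange", "type", "dpdaction"):
        if local.get(key) != remote.get(key):
            findings.append(f"{key}: local={local.get(key)} remote={remote.get(key)}")
    return findings


def audit(local, remote):
    """Full report: mirror mismatches, weak algorithms on either end, and behavioural notes."""
    notes = []
    if local.get("auto") == "route" and remote.get("auto") == "route":
        notes.append("auto=route on both ends: each side only negotiates when its own trap policy sees matching traffic")
    return {"mismatches": compare_peers(local, remote),
            "weak": sorted(weak_algorithms(local) | weak_algorithms(remote)),
            "notes": notes}


if __name__ == "__main__":
    site_a = parse_ipsec_conf(SITE_A_CONF)["con2000"]
    site_c = parse_ipsec_conf(SITE_C_CONF)["con1000"]
    for section, content in audit(site_a, site_c).items():
        print(f"{section}: {content}")
```

Run against the constructed fragments, the mirror check comes back clean and the weak list names 3des, md5, modp1024 and sha1. Narrowing one end's leftsubnet (as the follow-up post does) without making the same change to the other end's rightsubnet is the kind of asymmetry the mirror check is there to catch; with IKEv1 the traffic selectors on both ends are expected to match exactly.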


  • Well this is sort of interesting.

    I didn't really need my full subnet at SITE A available to SITE C, so I trimmed it down so that SITE C now has access to the same 6 IPs that SITE B has access to.

    Once I did that traffic routed for greater periods of time before disconnecting. Strangely, for the first day pinging SITE C from a Linux server at SITE A would allow a reconnect but it took 40-50 pings. Running a ping from one of my Win10 laptops would not allow a reconnect. I don't really think that's relevant, merely interesting. As before, when the traffic stops flowing, the tunnel shows as being still connected from both ends but pinging something on SITE C's LAN from SITE A fails. Pinging something at SITE A from SITE C results in a near immediate re-establishing of traffic. As one might expect, leaving a ping running between sites keeps everything working, but that feels more like a kludge than a solution.

    I'm really stumped. SITE A has a 25MB cable connection; SITE B and SITE C both have 50MB duplex fiber connections from the same provider. I have two more sites to connect to SITE C. SITE D is a rural location with a barely functioning DSL, but it has an IPSEC tunnel between its Cisco and a separate Cisco at SITE C that has been completely trouble-free for years. It will be upgraded to a pfSense appliance shortly and the tunnel re-established. SITE E has a cable line and a Cisco, so I'm eager to see if I get a different result.
