Netgate Discussion Forum
    Cannot re-initialize traffic on IPSEC from both endpoints

    IPsec
      Cyber-Wizard

      This has been driving me crazy. I've been digging through the forums but I can't seem to find a solution.

      I have an IPSEC tunnel configured between Site A and Site B that works perfectly. The tunnel stays connected and traffic stops routing when the tunnel is idle. When any traffic attempts to cross the tunnel from either end it starts routing again automatically.

      I've established a new connection between Site A and Site C and have configured the tunnel identically apart from peer names and the PSK. For some reason, this tunnel also stays connected but when it stops routing traffic after being idle for a few minutes, the traffic can only be re-initiated from Site C. I have DPD enabled at both ends and both Phase 2's are configured to ping something on the other end. I have a monitoring system at Site A that pings a host at Site C but only every 15 minutes, which isn't enough to keep the traffic flowing. If I set up a ping at Site C back to Site A then it will stay up, but that seems unnecessary given that everything works perfectly with the tunnel between Site A and Site B. Has anyone got any ideas on what I'm missing?

      SITE A ipsec.conf

      conn bypasslan
              leftsubnet = 10.252.252.0/24
              rightsubnet = 10.252.252.0/24
              authby = never
              type = passthrough
              auto = route

      conn con1003
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              forceencaps = no
              mobike = no
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = restart
              dpddelay = 10s
              dpdtimeout = 60s
              auto = route
              left = XXX.XXX.XXX.XXX
              right = XXX.XXX.XXX.XXX
              leftid = fqdn:xxxx.xxxx.xx
              ikelifetime = 28800s
              lifetime = 3600s
              ike = 3des-sha1-modp1024!
              esp = 3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
              leftauth = psk
              rightauth = psk
              rightid = XXX.XXX.XXX.XXX
              aggressive = no
              rightsubnet = 192.168.168.0/23
              leftsubnet = 10.252.252.25/32

      conn con2000
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              forceencaps = no
              mobike = no
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = restart
              dpddelay = 10s
              dpdtimeout = 60s
              auto = route
              left = XXX.XXX.XXX.XXX
              right = xxxxxx.xxxxxxxxx.xxx
              leftid = fqdn:xxxx.xxxxxxxxxxx.xxx
              ikelifetime = 28800s
              lifetime = 3600s
              ike = 3des-sha1-modp1024!
              esp = 3des-md5-modp1024,3des-sha1-modp1024!
              leftauth = psk
              rightauth = psk
              rightid = fqdn:xxxxxxx.xxxxxxxxx.xx
              aggressive = no
              rightsubnet = 10.15.47.0/24
              leftsubnet = 10.252.252.0/24

      SITE C ipsec.conf

      config setup
              uniqueids = yes
              charondebug=""

      conn con1000
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              forceencaps = no
              mobike = no
              rekey = yes
              installpolicy = yes
              type = tunnel
              dpdaction = restart
              dpddelay = 10s
              dpdtimeout = 60s
              auto = route
              left = XXX.XXX.XXX.XXX
              right = xxxx.xxxxxxxxxxxx.xxx
              leftid = fqdn:xxxxxxx.xxxxxxxxx.xxx
              ikelifetime = 28800s
              lifetime = 3600s
              ike = 3des-sha1-modp1024!
              esp = 3des-md5-modp1024,3des-sha1-modp1024!
              leftauth = psk
              rightauth = psk
              rightid = fqdn:xxxx.xxxxxxxxxxxx.xxx
              aggressive = no
              rightsubnet = 10.252.252.0/24
              leftsubnet = 10.15.47.0/24

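The two ipsec.conf excerpts above describe one tunnel from both ends, and the thread's symptom (a trap policy that re-establishes traffic from one side only) is the kind of thing a side-by-side comparison catches before anyone starts leaving pings running. The following script is an added example, not the poster's or Netgate's code: it parses the minimal strongSwan ipsec.conf syntax pfSense writes, checks that the two conn sections are mirror images (left/right subnets swapped, a shared IKE and ESP proposal, identical key exchange and DPD settings), and flags the legacy algorithms in the proposals. The sample configs are constructed from the thread's subnet and proposal values; the gateway addresses, conn names and helper functions are placeholders of my own.

```python
# Added example: cross-check one site-to-site IPsec tunnel from both
# gateways' ipsec.conf. Not the poster's tooling; sample configs below are
# constructed, with documentation-range addresses instead of the real peers.
import ipaddress
import re

# Algorithm tokens that are obsolete in modern deployments; flagged, not rejected.
LEGACY_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}
SECTION_RE = re.compile(r"^(conn|config|ca)\s+(\S+)$")


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}, ...} for every section in the file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = f"{match.group(1)} {match.group(2)}"
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def subnets(value):
    """Parse a comma-separated leftsubnet/rightsubnet value into a set of networks."""
    return {ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()}


def proposals(value):
    """Split an ike=/esp= string into proposals; a trailing '!' (strict mode) is ignored."""
    return [p.strip().lower() for p in value.rstrip("!").split(",") if p.strip()]


def legacy_algorithms(conn):
    """Set of legacy tokens appearing in the conn's ike= and esp= proposals."""
    found = set()
    for key in ("ike", "esp"):
        for proposal in proposals(conn.get(key, "")):
            found.update(t for t in proposal.split("-") if t in LEGACY_TOKENS)
    return found


def compare_peers(local, remote):
    """Findings for one tunnel given the parsed conn from each end (empty = consistent)."""
    findings = []
    # Phase 2 selectors must be swapped copies of each other. IKEv1 does no selector
    # narrowing, so a trap policy (auto=route) that fires on one side for a subnet the
    # peer does not list will never produce a usable SA from that side.
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        ours, peers = subnets(local.get(mine, "")), subnets(remote.get(theirs, ""))
        if ours != peers:
            findings.append(f"selector mismatch: local {mine}={sorted(map(str, ours))} "
                            f"vs remote {theirs}={sorted(map(str, peers))}")
    for key in ("ike", "esp"):  # both ends must share at least one proposal
        if not set(proposals(local.get(key, ""))) & set(proposals(remote.get(key, ""))):
            findings.append(f"no common {key} proposal")
    for key in ("keyexchange", "dpdaction", "dpddelay", "dpdtimeout", "auto"):
        if local.get(key) != remote.get(key):
            findings.append(f"{key} differs: local={local.get(key)} remote={remote.get(key)}")
    weak = legacy_algorithms(local) | legacy_algorithms(remote)
    if weak:
        findings.append("legacy algorithms in proposals: " + ", ".join(sorted(weak)))
    return findings


# Constructed samples modelled on the thread (only subnets and proposals are the poster's).
SITE_A_CONF = """\
conn con2000
        keyexchange = ikev1
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = 192.0.2.1
        right = 198.51.100.1
        ike = 3des-sha1-modp1024!
        esp = 3des-md5-modp1024,3des-sha1-modp1024!
        rightsubnet = 10.15.47.0/24
        leftsubnet = 10.252.252.0/24
"""
SITE_C_CONF = SITE_A_CONF.replace("con2000", "con1000") \
    .replace("left = 192.0.2.1", "left = 198.51.100.1").replace("right = 198.51.100.1", "right = 192.0.2.1") \
    .replace("rightsubnet = 10.15.47.0/24", "rightsubnet = 10.252.252.0/24") \
    .replace("leftsubnet = 10.252.252.0/24", "leftsubnet = 10.15.47.0/24")


def check_tunnel(local_conf, local_conn, remote_conf, remote_conn):
    """Parse both files and compare the named conn sections."""
    return compare_peers(parse_ipsec_conf(local_conf)[local_conn],
                         parse_ipsec_conf(remote_conf)[remote_conn])


if __name__ == "__main__":
    print(check_tunnel(SITE_A_CONF, "conn con2000", SITE_C_CONF, "conn con1000"))
    # One-sided change: Site A's leftsubnet narrowed to a host, Site C untouched.
    narrowed = SITE_A_CONF.replace("leftsubnet = 10.252.252.0/24", "leftsubnet = 10.252.252.25/32")
    print(check_tunnel(narrowed, "conn con2000", SITE_C_CONF, "conn con1000"))
```

Run it against the real files from both gateways (on pfSense, /var/etc/ipsec/ipsec.conf) after every change on either side; the selector check is the one that matters most here, because a subnet trimmed on one end and not the other silently turns a working two-way trap into a one-way one.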
        Cyber-Wizard

        Well this is sort of interesting.

        I didn't really need my full subnet at SITE A available to SITE C, so I trimmed it down so that SITE C now has access to the same 6 IPs that SITE B has access to.

        Once I did that, traffic routed for greater periods of time before disconnecting. Strangely, for the first day pinging SITE C from a Linux server at SITE A would allow a reconnect, but it took 40-50 pings. Running a ping from one of my Win10 laptops would not allow a reconnect. I don't really think that's relevant, merely interesting. As before, when the traffic stops flowing, the tunnel shows as still connected from both ends, but pinging something on SITE C's LAN from SITE A fails. Pinging something at SITE A from SITE C results in a near-immediate re-establishing of traffic. As one might expect, leaving a ping running between sites keeps everything working, but that feels more like a kludge than a solution.

        I'm really stumped. SITE A has a 25MB cable connection; SITE B and SITE C both have 50MB duplex fiber connections from the same provider. I have two more sites to connect to SITE C. SITE D is a rural location with a barely functioning DSL, but it has an IPSEC tunnel between its Cisco and a separate Cisco at SITE C that has been completely trouble-free for years. It will be upgraded to a pfSense appliance shortly and the tunnel re-established. SITE E has a cable line and a Cisco, so I'm eager to see if I get a different result.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.