Cannot re-initialize traffic on IPSEC from both endpoints
-
This has been driving me crazy. I've been digging through the forums but I can't seem to find a solution.
I have an IPSEC tunnel configured between Site A and Site B that works perfectly. The tunnel stays connected and traffic stops routing when the tunnel is idle. When any traffic attempts to cross the tunnel from either end it starts routing again automatically.
I've established a new connection between Site A and Site C and have configured the tunnel identically apart from peer names and the PSK. For some reason, this tunnel also stays connected, but when it stops routing traffic after being idle for a few minutes, the traffic can only be re-initiated from Site C. I have DPD enabled at both ends and both Phase 2s are configured to ping something on the other end. I have a monitoring system at Site A that pings a host at Site C, but only every 15 minutes, which isn't enough to keep the traffic flowing. If I set up a ping at Site C back to Site A then it will stay up, but that seems unnecessary given that everything works perfectly with the tunnel between Site A and Site B. Has anyone got any ideas on what I'm missing?
SITE A ipsec.conf

conn bypasslan
    leftsubnet = 10.252.252.0/24
    rightsubnet = 10.252.252.0/24
    authby = never
    type = passthrough
    auto = route

conn con1003
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = XXX.XXX.XXX.XXX
    right = XXX.XXX.XXX.XXX
    leftid = fqdn:xxxx.xxxx.xx
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = XXX.XXX.XXX.XXX
    aggressive = no
    rightsubnet = 192.168.168.0/23
    leftsubnet = 10.252.252.25/32

conn con2000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = XXX.XXX.XXX.XXX
    right = xxxxxx.xxxxxxxxx.xxx
    leftid = fqdn:xxxx.xxxxxxxxxxx.xxx
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-md5-modp1024,3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = fqdn:xxxxxxx.xxxxxxxxx.xx
    aggressive = no
    rightsubnet = 10.15.47.0/24
    leftsubnet = 10.252.252.0/24

SITE C ipsec.conf

config setup
    uniqueids = yes
    charondebug=""

conn con1000
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = XXX.XXX.XXX.XXX
    right = xxxx.xxxxxxxxxxxx.xxx
    leftid = fqdn:xxxxxxx.xxxxxxxxx.xxx
    ikelifetime = 28800s
    lifetime = 3600s
    ike = 3des-sha1-modp1024!
    esp = 3des-md5-modp1024,3des-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = fqdn:xxxx.xxxxxxxxxxxx.xxx
    aggressive = no
    rightsubnet = 10.252.252.0/24
    leftsubnet = 10.15.47.0/24
-
Well this is sort of interesting.
I didn't really need my full subnet at SITE A available to SITE C, so I trimmed it down so that SITE C now has access to the same 6 IPs that SITE B has access to.
Once I did that traffic routed for greater periods of time before disconnecting. Strangely, for the first day pinging SITE C from a Linux server at SITE A would allow a reconnect but it took 40-50 pings. Running a ping from one of my Win10 laptops would not allow a reconnect. I don't really think that's relevant, merely interesting. As before, when the traffic stops flowing, the tunnel shows as being still connected from both ends but pinging something on SITE C's LAN from SITE A fails. Pinging something at SITE A from SITE C results in a near immediate re-establishing of traffic. As one might expect, leaving a ping running between sites keeps everything working, but that feels more like a kludge than a solution.
I'm really stumped. SITE A has a 25MB cable connection; SITE B and SITE C both have 50MB duplex fiber connections from the same provider. I have two more sites to connect to SITE C. SITE D is a rural location with a barely functioning DSL, but it has an IPSEC tunnel between its Cisco and a separate Cisco at SITE C that has been completely trouble-free for years. It will be upgraded to a pfSense appliance shortly and the tunnel re-established. SITE E has a cable line and a Cisco, so I'm eager to see if I get a different result.
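As an added example (not from the thread or from pfSense/strongSwan), a small Python check that parses each end's conn section and reports the things worth comparing before chasing an asymmetric tunnel: whether the Phase 2 selectors of one end mirror the other's, whether the DPD, auto and lifetime settings agree, and whether the proposals still carry 3DES, MD5 or modp1024. The embedded fragments are constructed from the con2000/con1000 values in the first post (only the keys the check reads are reproduced); a one-sided narrowing such as the /32 trim from the follow-up shows up as a selector-mirror finding.

```python
# Constructed fragments modelled on the post's Site A con2000 and Site C con1000 sections.
SITE_A = """conn con2000
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    esp = 3des-md5-modp1024,3des-sha1-modp1024!
    rightsubnet = 10.15.47.0/24
    leftsubnet = 10.252.252.0/24
"""
SITE_C = """conn con1000
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    esp = 3des-md5-modp1024,3des-sha1-modp1024!
    rightsubnet = 10.252.252.0/24
    leftsubnet = 10.15.47.0/24
"""
WEAK = ("3des", "md5", "modp1024")  # legacy algorithms worth flagging in any proposal


def parse_conns(text):
    """Return {conn_name: {key: value}} from an ipsec.conf-style fragment."""
    conns, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            conns[cur][key] = val
    return conns


def compare(local, remote):
    """Findings for one tunnel seen from both ends (empty list means nothing to report)."""
    findings = []
    # The remote's right side must be our left side and vice versa.
    if (local.get("leftsubnet"), local.get("rightsubnet")) != (remote.get("rightsubnet"), remote.get("leftsubnet")):
        findings.append("traffic selectors are not mirrored between the two ends")
    for key in ("dpddelay", "dpdtimeout", "auto", "ikelifetime", "lifetime"):
        if local.get(key) != remote.get(key):
            findings.append(f"{key} differs: {local.get(key)} vs {remote.get(key)}")
    for side, conf in (("local", local), ("remote", remote)):
        for key in ("ike", "esp"):
            bad = [w for w in WEAK if w in conf.get(key, "")]
            if bad:
                findings.append(f"{side} {key} proposal uses {', '.join(bad)}")
    return findings
```

Running `compare(parse_conns(SITE_A)["con2000"], parse_conns(SITE_C)["con1000"])` on the fragments as posted reports only the weak-algorithm findings, which matches the symptom description: the selectors and DPD settings are symmetric on paper.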