Site-to-site connection is broken after a couple of days
-
Hi, I have a little problem. I am using the latest stable version with two APU boards. The VPN connection was running the last weeks. Two times it was broken. After I rebooted the site A firewall everything was up. Now it's the same. Until today the VPN connection isn't running and I don't know why. Nothing was changed. I have rebooted both sites. If I look at the IPsec status I have "connecting" as status.

Site B log:
Sep 16 13:09:51 charon 01[ENC] <348> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:09:51 charon 01[IKE] <348> received retransmit of request with ID 0, retransmitting response
Sep 16 13:09:51 charon 01[NET] <348> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:09:57 charon 01[JOB] <348> deleting half open IKE_SA after timeout
Sep 16 13:10:14 charon 01[NET] <349> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
Sep 16 13:10:14 charon 01[ENC] <349> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:10:14 charon 01[IKE] <349> 213.200.229.167 is initiating an IKE_SA
Sep 16 13:10:14 charon 01[IKE] <349> local host is behind NAT, sending keep alives
Sep 16 13:10:14 charon 01[IKE] <349> remote host is behind NAT
Sep 16 13:10:14 charon 01[ENC] <349> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 16 13:10:14 charon 01[NET] <349> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:10:34 charon 01[IKE] <349> sending keep alive to 213.200.229.167[500]
Sep 16 13:10:45 charon 01[JOB] <349> deleting half open IKE_SA after timeout
Sep 16 13:10:56 charon 01[NET] <350> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
Sep 16 13:10:56 charon 01[ENC] <350> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:10:56 charon 01[IKE] <350> 213.200.229.167 is initiating an IKE_SA
Sep 16 13:10:56 charon 01[IKE] <350> local host is behind NAT, sending keep alives
Sep 16 13:10:56 charon 01[IKE] <350> remote host is behind NAT
Sep 16 13:10:56 charon 01[ENC] <350> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 16 13:10:56 charon 01[NET] <350> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:11:16 charon 01[IKE] <350> sending keep alive to 213.200.229.167[500]
Sep 16 13:11:26 charon 12[JOB] <350> deleting half open IKE_SA after timeout
Sep 16 13:12:12 charon 12[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
Sep 16 13:12:12 charon 12[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:12:12 charon 12[IKE] <351> 213.200.229.167 is initiating an IKE_SA
Sep 16 13:12:12 charon 12[IKE] <351> local host is behind NAT, sending keep alives
Sep 16 13:12:12 charon 12[IKE] <351> remote host is behind NAT
Sep 16 13:12:12 charon 12[ENC] <351> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 16 13:12:12 charon 12[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:12:16 charon 12[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
Sep 16 13:12:16 charon 12[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:12:16 charon 12[IKE] <351> received retransmit of request with ID 0, retransmitting response
Sep 16 13:12:16 charon 12[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:12:19 charon 08[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.167/32|/0 with reqid {1}
Sep 16 13:12:19 charon 14[IKE] <con1|352> initiating IKE_SA con1[352] to 213.200.229.167
Sep 16 13:12:19 charon 14[ENC] <con1|352> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:12:19 charon 14[NET] <con1|352> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:12:23 charon 14[IKE] <con1|352> retransmit 1 of request with message ID 0
Sep 16 13:12:23 charon 14[NET] <con1|352> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:12:23 charon 14[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
Sep 16 13:12:23 charon 14[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:12:23 charon 14[IKE] <351> received retransmit of request with ID 0, retransmitting response
Sep 16 13:12:23 charon 14[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:12:30 charon 14[IKE] <con1|352> retransmit 2 of request with message ID 0
Sep 16 13:12:30 charon 14[NET] <con1|352> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Sep 16 13:12:32 charon 14[IKE] <351> sending keep alive to 213.200.229.167[500]
Sep 16 13:12:36 charon 11[NET] <351> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
Sep 16 13:12:36 charon 11[ENC] <351> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:12:36 charon 11[IKE] <351> received retransmit of request with ID 0, retransmitting response
Sep 16 13:12:36 charon 11[NET] <351> sending packet: from 172.31.255.6[500] to 213.200.229.167[500] (464 bytes)
Site A log:
Sep 16 13:09:27 charon 09[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:09:31 charon 09[IKE] <con1|48> retransmit 1 of request with message ID 0
Sep 16 13:09:31 charon 09[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:09:36 charon 09[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:09:36 charon 03[CFG] ignoring acquire, connection attempt pending
Sep 16 13:09:38 charon 03[IKE] <con1|48> retransmit 2 of request with message ID 0
Sep 16 13:09:38 charon 03[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:09:51 charon 03[IKE] <con1|48> retransmit 3 of request with message ID 0
Sep 16 13:09:51 charon 03[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:10:01 charon 03[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:10:01 charon 09[CFG] ignoring acquire, connection attempt pending
Sep 16 13:10:14 charon 09[IKE] <con1|48> retransmit 4 of request with message ID 0
Sep 16 13:10:14 charon 09[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:10:26 charon 09[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:10:26 charon 07[CFG] ignoring acquire, connection attempt pending
Sep 16 13:10:51 charon 07[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:10:51 charon 09[CFG] ignoring acquire, connection attempt pending
Sep 16 13:10:56 charon 09[IKE] <con1|48> retransmit 5 of request with message ID 0
Sep 16 13:10:56 charon 09[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:11:16 charon 09[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:11:16 charon 07[CFG] ignoring acquire, connection attempt pending
Sep 16 13:11:41 charon 07[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:11:41 charon 05[CFG] ignoring acquire, connection attempt pending
Sep 16 13:12:06 charon 05[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:12:06 charon 07[CFG] ignoring acquire, connection attempt pending
Sep 16 13:12:12 charon 07[IKE] <con1|48> giving up after 5 retransmits
Sep 16 13:12:12 charon 07[IKE] <con1|48> peer not responding, trying again (3/3)
Sep 16 13:12:12 charon 07[IKE] <con1|48> initiating IKE_SA con1[48] to 213.200.229.244
Sep 16 13:12:12 charon 07[ENC] <con1|48> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:12:12 charon 07[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:12:16 charon 07[IKE] <con1|48> retransmit 1 of request with message ID 0
Sep 16 13:12:16 charon 07[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:12:23 charon 07[IKE] <con1|48> retransmit 2 of request with message ID 0
Sep 16 13:12:23 charon 07[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:12:31 charon 07[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:12:31 charon 14[CFG] ignoring acquire, connection attempt pending
Sep 16 13:12:36 charon 14[IKE] <con1|48> retransmit 3 of request with message ID 0
Sep 16 13:12:36 charon 14[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:12:56 charon 14[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:12:56 charon 07[CFG] ignoring acquire, connection attempt pending
Sep 16 13:12:59 charon 14[IKE] <con1|48> retransmit 4 of request with message ID 0
Sep 16 13:12:59 charon 14[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:13:21 charon 14[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:13:21 charon 13[CFG] ignoring acquire, connection attempt pending
Sep 16 13:13:41 charon 13[IKE] <con1|48> retransmit 5 of request with message ID 0
Sep 16 13:13:41 charon 13[NET] <con1|48> sending packet: from 172.31.255.6[500] to 213.200.229.244[500] (464 bytes)
Sep 16 13:13:46 charon 13[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:13:46 charon 14[CFG] ignoring acquire, connection attempt pending
Sep 16 13:14:11 charon 14[KNL] creating acquire job for policy 172.31.255.6/32|/0 === 213.200.229.244/32|/0 with reqid {1}
Sep 16 13:14:11 charon 13[CFG] ignoring acquire, connection attempt pending
Any ideas? I don't know how to fix this.
-
Sounds like something is interfering with the traffic between the sites. Usually that's an indication that traffic is not getting through in one direction.
Check the state tables and run some packet captures on the WAN looking at traffic while the tunnel is attempting to establish.
Also, set your logs as described on the wiki, which should provide much more useful information: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29
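As an added example (not from the thread, pfSense or strongSwan), a small Python triage that parses charon lines in the format quoted above and checks for the one-direction symptom the reply points at: it reports "inbound-blocked" when a side keeps generating IKE_SA_INIT requests but never logs a received packet (what site A shows), and "response-unanswered" when a side answers the peer's IKE_SA_INIT but deletes the half-open SA without ever seeing IKE_AUTH (what site B shows). The marker strings and verdict names are my own choices; the sample lines are short excerpts of the two posted logs.

```python
import re
from collections import Counter
# Matches the strongSwan charon lines quoted in the thread, e.g.
# "Sep 16 13:09:51 charon 01[ENC] <348> parsed IKE_SA_INIT request 0 [ ... ]"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<group>\w+)\]"
    r"(?: <(?P<sa>[^>]+)>)? ?(?P<msg>.*)$"
)
# Message fragments that mark the steps of the IKEv2 exchange we care about.
MARKERS = {
    "rx_any":          "received packet",
    "init_req_sent":   "generating IKE_SA_INIT request",
    "init_resp_sent":  "generating IKE_SA_INIT response",
    "own_retransmits": "of request with message ID",
    "auth_seen":       "IKE_AUTH",
    "half_open_gone":  "deleting half open IKE_SA",
}

def parse(lines):
    """Return the fields of every line in charon format; skip anything else."""
    return [m.groupdict() for m in (LINE_RE.match(x.strip()) for x in lines) if m]

def triage(lines):
    """Count how often each exchange step appears in one side's log."""
    counts = Counter()
    for entry in parse(lines):
        for key, needle in MARKERS.items():
            if needle in entry["msg"]:
                counts[key] += 1
    return counts

def diagnose(lines):
    """Classify a log against the one-direction symptom the reply describes."""
    c = triage(lines)
    if c["init_req_sent"] and c["rx_any"] == 0:
        return "inbound-blocked"      # we send INITs, nothing ever comes back
    if c["init_resp_sent"] and c["half_open_gone"] and not c["auth_seen"]:
        return "response-unanswered"  # peer's INIT arrives, our answer goes nowhere
    return "inconclusive"

# Short excerpts of the two logs posted in the thread (constructed sample input).
SITE_A = """\
Sep 16 13:12:12 charon 07[IKE] <con1|48> giving up after 5 retransmits
Sep 16 13:12:12 charon 07[ENC] <con1|48> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 16 13:12:16 charon 07[IKE] <con1|48> retransmit 1 of request with message ID 0
""".splitlines()
SITE_B = """\
Sep 16 13:10:14 charon 01[NET] <349> received packet: from 213.200.229.167[500] to 172.31.255.6[500] (464 bytes)
Sep 16 13:10:14 charon 01[ENC] <349> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Sep 16 13:10:45 charon 01[JOB] <349> deleting half open IKE_SA after timeout
""".splitlines()
```

Run each side's full log through `diagnose()`; "inbound-blocked" on one side paired with "response-unanswered" on the other is the pattern a capture on both WANs should then confirm.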