Auto reconnect after failure possible?
-
We recently deployed 2 identical pfSense routers at both sites. I configured an IPSec connection between the two that has been rock solid.
However, if the connection goes out at either side, I always have to manually reconnect. This sometimes happens if there is a power or internet outage. We would like for this to automatically reconnect.
I have DPD enabled, and I have entered a host to ping on the other side. I was under the impression this would cause it to automatically reconnect when dropped, but it doesn't work.
Any tips?
-
It should automatically reconnect in that case. Is the IP address on either side changing? What do you have to do to "manually" reconnect?
What are your tunnel settings for both sides? (you can leave out anything sensitive such as keys/exact IP addresses)
-
- Both sides have a static IP, so that isn't changing.
- By manually reconnect, I mean go to Status -> IPsec and click on the green button that says "Connect." (When the VPN is up it is red and says "Disconnect")
- As I wrote down the settings, I realized I have "Responder only" checked. I have a feeling that is the issue, so I'll uncheck that and test, unless you see any other issues in the configuration.
# Phase 1
General
- Key Exchange version - V2
- IPV4
- Int: WAN
- Remote Gateway: static IP of other site
Phase 1 - Auth
- Auth Method: Mutual PSK
- My Id: My IP Address
- Peer Id: Peer IP Address
- Pre-Shared Key: same key on both sides
Phase 1 - Algorithms
- Encryption Algorithm: AES256-GCM - 128 bits
- Hash Algorithm: SHA512
- DH Group: 24(2048(sub 256) bit)
- Lifetime: 86400
Advanced Options
- Disable rekey: unchecked
- Disable Reauth: unchecked
- Responder Only: checked
- MOBIKE: Disable
- Split Connections: unchecked
- DPD: checked
- Delay: 10
- Max failures: 10
Phase 2
General
- Mode: Tunnel IPv4
- Local Network: ~~
- NAT/BINAT translation: None
- Remote Network: ~~
## Phase 2
- Protocol: ESP
- Encryption Algorithms: AES256-GCM - 128bits
- Hash Algorithms: SHA512
- PFS key group: 16(4096 bit)
- Lifetime: 3600
Advanced Configuration
- Automatically ping host:
-
"Responder only" would do exactly as you described – When the VPN times out or the keys expire, it will not automatically establish again. Unset that on both sides.
