Netgate Discussion Forum

    AWS IPSEC VPN with BGP, both need to be restarted every 24 hours.

BEB Consulting

      AWS IPSEC VPN with BGP, both need to be restarted every 24 hours to bring VPNs back on-line.

We have 2 AWS IPSEC VPNs with BGP enabled; these connect two of our offices via pfSense 2.3.4.

Every 24 hours we have to restart both BGP and IPSEC, because the two Phase 2 IPSEC tunnels drop. However, the Phase 1 IKE tunnels stay up.

Disconnecting and reconnecting the IKE tunnels does not re-establish the VPN or the BGP links. Only by shutting down BGP and IPSEC and then restarting the BGP and IPSEC services do the tunnels re-establish, and so do the BGP links.

We have keep-alive pings going both from the pfSense Customer Gateway to the AWS Virtual Private Gateway via the BGP IPSEC tunnel, as well as from a server on the AWS side to a server on the pfSense side, and a ping from the pfSense side to the AWS side through the LAN IPSEC tunnel. These LAN-side pings keep working up until the P2 tunnels drop.

We also confirmed there is various server traffic passing through the LAN IPSEC tunnel from AWS to behind the pfSense router and back, up until the tunnels drop.

      We have rules on the IPSEC portion and LAN portion of the firewall to allow all/any network traffic as well as a specific rule to allow ICMP via both LAN and IPSEC.

We are looking at opening an AWS support case on this (we are aware that AWS does not directly support pfSense IPSEC VPNs; however, we are hoping we can convince them to look more at their side of the links and what we are attached to on those links, to make sure that the P2 drops are not on the AWS end).

Has anyone else run into this? Has anyone found a solution? The keep-alive pings appear to have NO impact on keeping up the P2 tunnels. However, the P1 tunnel does not go down at all until we restart services.

      We do not want to have to look into Cisco ASAs again as this is what we moved away from.

BEB Consulting

        Anyone?

Derelict (Netgate)

          Probably this:

          https://redmine.pfsense.org/issues/6223

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

BEB Consulting

            This link does not help me.

No instructions on how to install the patch (charon-pfkey-event-buffer.patch).

No instructions on how to use the scripts (ipsecmon.sh).

So it looks like my only real option at this point is to install the Cron package and build a script to shut down the BGP & IPSEC services every 24 hours and restart BGP and IPSEC after a 5 minute wait period.

obroni
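A less blunt version of the cron approach described in this post, added here as an example and not code from the thread or from pfSense: a watchdog that parses the status output and restarts the two services only when the exact symptom in the thread is present (IKE SA still ESTABLISHED but no INSTALLED child SA), rather than on a fixed 24 hour schedule. The connection name, the `ipsec statusall` line layout (strongSwan's) and the service control commands are assumptions and must be adapted to the box; the sample status text is constructed.

```shell
#!/bin/sh
# Added example: restart BGP and IPsec only when Phase 1 is up but Phase 2 has dropped.
# Assumptions: strongSwan "ipsec statusall" output layout; service commands are placeholders.

CONN="${CONN:-con1}"            # assumed connection name as shown by "ipsec statusall"
WAIT_SECS="${WAIT_SECS:-300}"   # 5 minute gap between stop and start, as in the post

# Print "up" if the connection has an ESTABLISHED IKE (Phase 1) SA, else "down".
p1_state() {
  printf '%s\n' "$1" | grep -q "^[[:space:]]*$2\[[0-9]*\]: *ESTABLISHED" && echo up || echo down
}

# Print "up" if the connection has an INSTALLED child (Phase 2) SA, else "down".
p2_state() {
  printf '%s\n' "$1" | grep -q "^[[:space:]]*$2{[0-9]*}: *INSTALLED" && echo up || echo down
}

# The thread's failure mode: Phase 1 alive, Phase 2 gone. Only then is a restart warranted;
# a fully dead tunnel is left to the IKE daemon's own reconnect logic.
needs_restart() {
  [ "$(p1_state "$1" "$2")" = up ] && [ "$(p2_state "$1" "$2")" = down ] && echo yes || echo no
}

restart_ipsec_and_bgp() {
  # PLACEHOLDER commands (assumption): substitute the real service control commands.
  logger -t ipsec-watchdog "P2 for $CONN missing while P1 is up; restarting BGP and IPsec"
  /usr/local/sbin/pfSsh.php playback svc stop openbgpd
  /usr/local/sbin/pfSsh.php playback svc stop ipsec
  sleep "$WAIT_SECS"
  /usr/local/sbin/pfSsh.php playback svc start ipsec
  /usr/local/sbin/pfSsh.php playback svc start openbgpd
}

# Constructed sample status text in strongSwan's layout (documentation address ranges).
SAMPLE_HEALTHY='Security Associations (1 up, 0 connecting):
   con1[7]: ESTABLISHED 3 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
   con1{9}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
   con1{9}:   169.254.10.1/32 === 169.254.10.2/32'
SAMPLE_P2_DROPPED='Security Associations (1 up, 0 connecting):
   con1[7]: ESTABLISHED 25 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]'

# Run from cron every few minutes with: sh ipsec-watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
  STATUS="$(ipsec statusall 2>/dev/null)"
  [ "$(needs_restart "$STATUS" "$CONN")" = yes ] && restart_ipsec_and_bgp
fi
```

Without `--run` the script only defines the functions and samples, so it can be sourced and checked before it is given to cron.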

I submitted a patch for the Quagga OSPF package which lets you use the BGP component. There's no GUI for it, but you can enter config in the raw config tab. I'm using Quagga and IPSEC together and it's stable.

BEB Consulting

                Ok, but I seem to not be able to have QuaggaOSPF and OpenBGP installed, and I am not able to tear down our OpenBGP configuration and move to Quagga without taking serious down time.
