AWS IPSEC VPN with BGP, both need to be restarted every 24 hours.



  • AWS IPSEC VPN with BGP, both need to be restarted every 24 hours to bring VPNs back on-line.

    We have 2 AWS IPSEC VPNs with BGP enabled; these connect two of our offices via pfSense 2.3.4.

    Every 24 hours we have to restart both BGP and IPSEC, because the two Phase 2 IPSEC tunnels drop. However, the Phase 1 IKE tunnels stay up.

    Disconnecting and reconnecting the IKE tunnels does not re-establish the VPN or the BGP links. Only by shutting down BGP and IPSEC and then restarting the BGP and IPSEC services do the tunnels re-establish, and so do the BGP links.

    We have keepalive pings going from the pfSense Customer Gateway to the AWS Virtual Private Gateway via the BGP IPSEC tunnel, as well as from a server on the AWS side to a server on the pfSense side, and a ping from the pfSense side to the AWS side through the LAN IPSEC tunnel. These LAN-side pings keep working up until the P2 tunnels drop.

    We also confirmed there is various server traffic passing through the LAN IPSEC tunnel from AWS to behind the pfSense router and back, up until the tunnels drop.

    We have rules on the IPSEC and LAN portions of the firewall to allow any/all network traffic, as well as a specific rule to allow ICMP via both LAN and IPSEC.

    We are looking at opening an AWS support case on this (we are aware that AWS does not directly support pfSense IPSEC VPNs; however, we are hoping we can convince them to look more at their side of the links and what we are attached to on those links, to make sure that the P2 drops are not on the AWS end).

    Has anyone else run into this? Has anyone found a solution? The keepalive pings appear to have NO impact on keeping the P2 tunnels up. However, the P1 tunnel does not go down at all until we restart services.

    We do not want to have to look into Cisco ASAs again as this is what we moved away from.



  • Anyone?


  • Netgate



  • This link does not help me.

    No instructions on how to install the patch (charon-pfkey-event-buffer.patch)

    No instructions on how to use the script (ipsecmon.sh)

    So it looks like my only real option at this point is to install the Cron package and build a script to shut down the BGP & IPSEC services every 24 hours and restart BGP and IPSEC after a 5-minute wait period.
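A cron-driven watchdog of the kind this post describes, added here as an example (it is not from the thread, from pfSense, or the ipsecmon.sh script mentioned above): rather than restarting blindly every 24 hours, it probes an AWS-side host through the tunnel, which the thread reports stays pingable until the P2 tunnels drop, and only on repeated failure stops BGP and IPsec, waits the five minutes, and starts them again. The peer address is constructed; the `pfSsh.php playback svc` command and the service names `ipsec` and `openbgpd` are assumed from pfSense's own tooling, as is FreeBSD's `ping -t` timeout syntax.

```shell
#!/bin/sh
# Constructed example: ping-based IPsec/BGP watchdog for pfSense 2.3.4 (FreeBSD).
# Meant to be run from the Cron package every few minutes.
# Assumptions (not from the thread): PEER_IP is an AWS-side host reachable only
# through the VPN; the "svc" playback command and the service names "ipsec" and
# "openbgpd" come from pfSense's tooling and should be checked on your box.
PEER_IP="${PEER_IP:-10.0.0.10}"        # constructed address behind the tunnel
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"  # consecutive failed probes before acting
WAIT_SECS="${WAIT_SECS:-300}"          # the 5-minute pause from the post
LOCK="/var/run/vpn-watchdog.lock"
SVC="/usr/local/sbin/pfSsh.php playback svc"

# One probe; FreeBSD ping: -c count, -t overall timeout in seconds.
probe_peer() { ping -c 1 -t 3 "$1" >/dev/null 2>&1; }

# Count consecutive failed probes, stopping early on the first success
# or when $2 failures have been seen; prints the count.
count_failures() {
    n=0
    while [ "$n" -lt "$2" ]; do
        probe_peer "$1" && break
        n=$((n + 1)); sleep 2
    done
    echo "$n"
}

# Restart only when every probe in the window failed (true = exit 0).
should_restart() { [ "$1" -ge "$2" ]; }

# Full stop / wait / start cycle of both BGP and IPsec, as the post describes.
restart_vpn() {
    logger -t vpn-watchdog "P2 appears down; restarting openbgpd and ipsec"
    $SVC stop openbgpd
    $SVC stop ipsec
    sleep "$WAIT_SECS"
    $SVC start ipsec
    $SVC start openbgpd
}

main() {
    # mkdir is atomic, so overlapping cron runs cannot stack restarts
    # while an earlier run is still inside the wait period.
    if ! mkdir "$LOCK" 2>/dev/null; then exit 0; fi
    trap 'rmdir "$LOCK"' EXIT
    fails=$(count_failures "$PEER_IP" "$FAIL_THRESHOLD")
    if should_restart "$fails" "$FAIL_THRESHOLD"; then restart_vpn; fi
}

# Only act when cron invokes it with VPN_WATCHDOG_RUN=1; sourcing stays inert.
if [ "${VPN_WATCHDOG_RUN:-0}" = "1" ]; then main; fi
```

Cron it as `VPN_WATCHDOG_RUN=1 /path/to/vpn-watchdog.sh` every 5 minutes; `logger` lines in the system log then give a record of each P2 drop, which is the timing evidence the AWS case would need.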



  • I submitted a patch for the Quagga OSPF package which lets you use the BGP component. There's no GUI for it, but you can enter config in the raw config tab. I'm using Quagga and IPSEC together and it's stable.



  • OK, but it seems I am not able to have both QuaggaOSPF and OpenBGP installed, and I am not able to tear down our OpenBGP configuration and move to Quagga without taking serious downtime.