IPSEC VPN Drops around 40 seconds.
-
Hi
We've set up an IPSEC VPN between a pfSense and a Draytek 2860 router.
The connection establishes and we have been able to ping across the VPN, however after approx 40 seconds the VPN disconnects.
On other pfSense firewalls we have IPSEC VPNs configured the same as this one and they are working fine with no issues.
We've no idea why this one drops. The logs show as follows.
For privacy X.X.X.X is our IP Address & Y.Y.Y.Y is the Draytek
Jun 26 11:54:30 charon 11[CFG] received stroke: initiate 'con2000'
Jun 26 11:54:30 charon 14[IKE] <con2000|27> initiating Main Mode IKE_SA con2000[27] to X.X.X.X
Jun 26 11:54:30 charon 14[ENC] <con2000|27> generating ID_PROT request 0 [ SA V V V V V ]
Jun 26 11:54:30 charon 14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (180 bytes)
Jun 26 11:54:30 charon 14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (124 bytes)
Jun 26 11:54:30 charon 14[ENC] <con2000|27> parsed ID_PROT response 0 [ SA V V ]
Jun 26 11:54:30 charon 14[IKE] <con2000|27> received DPD vendor ID
Jun 26 11:54:30 charon 14[IKE] <con2000|27> received NAT-T (RFC 3947) vendor ID
Jun 26 11:54:30 charon 14[ENC] <con2000|27> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jun 26 11:54:30 charon 14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (244 bytes)
Jun 26 11:54:30 charon 14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (228 bytes)
Jun 26 11:54:30 charon 14[ENC] <con2000|27> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Jun 26 11:54:30 charon 14[ENC] <con2000|27> generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 26 11:54:30 charon 14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (108 bytes)
Jun 26 11:54:30 charon 14[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:54:30 charon 14[ENC] <con2000|27> parsed ID_PROT response 0 [ ID HASH N(INITIAL_CONTACT) ]
Jun 26 11:54:30 charon 14[IKE] <con2000|27> IKE_SA con2000[27] established between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
Jun 26 11:54:30 charon 14[ENC] <con2000|27> generating QUICK_MODE request 2802525773 [ HASH SA No KE ID ID ]
Jun 26 11:54:30 charon 14[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (316 bytes)
Jun 26 11:54:30 charon 05[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (284 bytes)
Jun 26 11:54:30 charon 05[ENC] <con2000|27> parsed QUICK_MODE response 2802525773 [ HASH SA No KE ID ID ]
Jun 26 11:54:30 charon 05[IKE] <con2000|27> received 28800s lifetime, configured 0s
Jun 26 11:54:30 charon 05[IKE] <con2000|27> CHILD_SA con2000{21} established with SPIs cd528724_i d25fd0ff_o and TS 10.0.40.0/24|/0 === 192.168.9.0/24|/0
Jun 26 11:54:30 charon 05[ENC] <con2000|27> generating QUICK_MODE request 2802525773 [ HASH ]
Jun 26 11:54:30 charon 05[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (60 bytes)
Jun 26 11:54:30 charon 05[JOB] <con1000|24> DPD check timed out, enforcing DPD action
Jun 26 11:54:41 charon 06[IKE] <con2000|27> sending DPD request
Jun 26 11:54:41 charon 06[ENC] <con2000|27> generating INFORMATIONAL_V1 request 677304989 [ HASH N(DPD) ]
Jun 26 11:54:41 charon 06[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:54:41 charon 06[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:54:41 charon 06[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3107884362 [ HASH N(DPD_ACK) ]
Jun 26 11:54:52 charon 15[IKE] <con2000|27> sending DPD request
Jun 26 11:54:52 charon 15[ENC] <con2000|27> generating INFORMATIONAL_V1 request 2696916538 [ HASH N(DPD) ]
Jun 26 11:54:52 charon 15[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:54:52 charon 15[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:54:52 charon 15[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3479537267 [ HASH N(DPD_ACK) ]
Jun 26 11:55:02 charon 13[IKE] <con2000|27> sending DPD request
Jun 26 11:55:02 charon 13[ENC] <con2000|27> generating INFORMATIONAL_V1 request 3095528711 [ HASH N(DPD) ]
Jun 26 11:55:02 charon 13[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:55:02 charon 13[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:55:02 charon 13[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3634033780 [ HASH N(DPD_ACK) ]
Jun 26 11:55:12 charon 10[IKE] <con2000|27> sending DPD request
Jun 26 11:55:12 charon 10[ENC] <con2000|27> generating INFORMATIONAL_V1 request 232827829 [ HASH N(DPD) ]
Jun 26 11:55:12 charon 10[NET] <con2000|27> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (92 bytes)
Jun 26 11:55:12 charon 10[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:55:12 charon 10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 4109418882 [ HASH N(DPD_ACK) ]
Jun 26 11:55:15 charon 10[NET] <con2000|27> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (92 bytes)
Jun 26 11:55:15 charon 10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3176547172 [ HASH D ]
Jun 26 11:55:15 charon 10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]
Jun 26 11:55:15 charon 10[IKE] <con2000|27> deleting IKE_SA con2000[27] between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
Anyone any ideas what's causing this and how we can resolve it?
Thanks
-
@tomt said in IPSEC VPN Drops around 40 seconds.:
Jun 26 11:55:15 charon 10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]
The other side is deleting the tunnel. You probably need to look at the logs there to see what it doesn't like. pfSense is just doing as it has been told.
-
On the Draytek, disable ping to keep alive if it is enabled ...
-
Thanks for the replies.
This is still happening and ping from the Draytek is disabled. Stuck as to why.
-
What do the logs on the Draytek say?
pfSense can't tell you why the Draytek sent the delete command, only the Draytek can.
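
The replies' reading of the log can be checked mechanically. The following is an added example, not part of the original thread or of pfSense/strongSwan: it parses charon lines per IKE_SA and reports how long the SA lived, whether DPD probes were answered, and which side sent the DELETE. The function name `summarize`, the `year` parameter and the sample subset are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the charon lines quoted in the thread.
SAMPLE = """\
Jun 26 11:54:30 charon 14[IKE] <con2000|27> IKE_SA con2000[27] established between Y.Y.Y.Y[Y.Y.Y.Y]...X.X.X.X[X.X.X.X]
Jun 26 11:54:41 charon 06[IKE] <con2000|27> sending DPD request
Jun 26 11:54:41 charon 06[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 3107884362 [ HASH N(DPD_ACK) ]
Jun 26 11:55:12 charon 10[IKE] <con2000|27> sending DPD request
Jun 26 11:55:12 charon 10[ENC] <con2000|27> parsed INFORMATIONAL_V1 request 4109418882 [ HASH N(DPD_ACK) ]
Jun 26 11:55:15 charon 10[IKE] <con2000|27> received DELETE for IKE_SA con2000[27]
"""

# Groups: timestamp, subsystem, connection name, IKE_SA id, message
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) charon \d+\[(\w+)\] <([^|>]+)\|(\d+)> (.*)$")

def summarize(log_text, year=2000):
    """Per IKE_SA: lifetime, DPD counters, and which side deleted it.

    syslog timestamps carry no year; `year` is an arbitrary assumption that
    only matters for computing time differences.
    """
    sas = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines without a <conn|id> tag (e.g. [CFG] stroke) are skipped
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(5)
        sa = sas.setdefault((m.group(3), int(m.group(4))), {
            "up": None, "down": None, "deleted_by": None,
            "dpd_sent": 0, "dpd_acked": 0, "lifetime_s": None})
        if msg.startswith("IKE_SA") and " established between " in msg:
            sa["up"] = ts
        elif msg == "sending DPD request":
            sa["dpd_sent"] += 1
        elif msg.startswith("parsed") and "N(DPD_ACK)" in msg:
            sa["dpd_acked"] += 1
        elif msg.startswith("received DELETE for IKE_SA"):
            sa["down"], sa["deleted_by"] = ts, "peer"    # remote end tore it down
        elif msg.startswith("sending DELETE for IKE_SA"):
            sa["down"], sa["deleted_by"] = ts, "local"   # this end tore it down
    for sa in sas.values():
        if sa["up"] and sa["down"]:
            sa["lifetime_s"] = (sa["down"] - sa["up"]).total_seconds()
    return sas

if __name__ == "__main__":
    for (conn, sa_id), sa in summarize(SAMPLE).items():
        print(conn, sa_id, sa["deleted_by"], sa["lifetime_s"], sa["dpd_sent"], sa["dpd_acked"])
```

A result of `deleted_by == "peer"` with every DPD request acknowledged means the tunnel was healthy from the local side when the remote end removed it, so the cause has to be looked for in the peer's own logs.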