IPSec Routing stops working??



  • Hi ho everyone,

    As I read through some of the other questions here, I found some similarities to my problem.

    I got an SG-3100 appliance with the actual 2.4.3-RELEASE-p1 (arm) running and some IPsec VPN tunnels.
    From time to time, one or more tunnels stopped working. Phase 1 and 2 seem to be up, but it is not possible to ping anything through the tunnel.
    To resolve the issue the complete system has to be restarted. As there are different vendors (Fortinet, Sophos, Checkpoint) involved, I assume that the pfSense is causing the problem.

    Is there anything in the logfiles that I have to search for, as I do not see anything problematic or problem-causing in there?

    Thanks in advance

    Alex


  • Rebel Alliance Developer Netgate

    The IPsec log is the first place to look, Status > System Logs, IPsec tab.

    Look at the logs when the problem happens, you can also increase the number of lines shown using the wrench icon at the top.

    If you can't see anything noteworthy in the logs you can adjust the IPsec log levels at VPN > IPsec, Advanced Settings tab. The default settings have IKE SA, IKE Child SA, and Configuration Backend set to Diag and all others set to Control. That is usually the best combination of detail without getting too overloaded with info.



    I have the same problem with the exception that I have only 2 sites, both with pfSense [exclusively]. WAN ports are configured for PPPoE and connected directly to 1Gbps FTTH media converters.

    I don't have any routing issues with OpenVPN comparatively however its performance is nowhere near that of IPSec [in my case IPSec will drive 1Gbps symmetric/FD] possibly because it doesn't support multi-core processing.

    At somewhere between an hour or two I lose routing between the sites. Everything looks fine on Status:IPSec. It would appear this has been happening to other pfSense users for 3+ years.



  • Update: I've upgraded to 2.4.3-RELEASE-p1 switched back to IPSec from OpenVPN and haven't experienced the issue ~72hrs and counting.