IPSec Tunnel down all of a sudden with no changes. Can access both ends.



  • So with no changes to my IPSec tunnel config (hasn't changed since I set it up months ago), it is showing as down today. My IPSec logs are showing the following:

    Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_SA con1[12] state change: CONNECTING => DESTROYING
    Aug 9 10:12:29	charon		09[CHD] <con1|12> CHILD_SA con1{9} state change: CREATED => DESTROYING
    Aug 9 10:12:29	charon		09[IKE] <con1|12> received AUTHENTICATION_FAILED notify error
    Aug 9 10:12:29	charon		09[ENC] <con1|12> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    Aug 9 10:12:29	charon		09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] toSITE1_WAN_IP[500] (65 bytes)
    Aug 9 10:12:29	charon		09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (309 bytes)
    Aug 9 10:12:29	charon		09[ENC] <con1|12> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    Aug 9 10:12:29	charon		09[IKE] <con1|12> establishing CHILD_SA con1{9} reqid 2
    Aug 9 10:12:29	charon		09[CFG] <con1|12> configured proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ
    Aug 9 10:12:29	charon		09[CFG] <con1|12> 192.168.2.0/24|/0
    Aug 9 10:12:29	charon		09[CFG] <con1|12> proposing traffic selectors for other:
    Aug 9 10:12:29	charon		09[CFG] <con1|12> 10.0.10.0/24|/0
    Aug 9 10:12:29	charon		09[CFG] <con1|12> proposing traffic selectors for us:
    Aug 9 10:12:29	charon		09[IKE] <con1|12> successfully created shared key MAC
    Aug 9 10:12:29	charon		09[IKE] <con1|12> authentication of 'SITE1_WAN_IP' (myself) with pre-shared key
    Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_AUTH task
    Aug 9 10:12:29	charon		09[IKE] <con1|12> IKE_CERT_PRE task
    Aug 9 10:12:29	charon		09[IKE] <con1|12> reinitiating already active tasks
    Aug 9 10:12:29	charon		09[CFG] <con1|12> received supported signature hash algorithms: sha256 sha384 sha512 identity
    Aug 9 10:12:29	charon		09[CFG] <con1|12> selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Aug 9 10:12:29	charon		09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Aug 9 10:12:29	charon		09[CFG] <con1|12> received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Aug 9 10:12:29	charon		09[CFG] <con1|12> proposal matches
    Aug 9 10:12:29	charon		09[CFG] <con1|12> selecting proposal:
    Aug 9 10:12:29	charon		09[IKE] <con1|12> received SIGNATURE_HASH_ALGORITHMS notify
    Aug 9 10:12:29	charon		09[IKE] <con1|12> received FRAGMENTATION_SUPPORTED notify
    Aug 9 10:12:29	charon		09[ENC] <con1|12> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
    Aug 9 10:12:29	charon		09[NET] <con1|12> received packet: from SITE2_WAN_IP[500] to SITE1_WAN_IP[500] (456 bytes)
    Aug 9 10:12:28	charon		09[NET] <con1|12> sending packet: from SITE1_WAN_IP[500] to SITE2_WAN_IP[500] (456 bytes)
    Aug 9 10:12:28	charon		09[ENC] <con1|12> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Aug 9 10:12:28	charon		09[CFG] <con1|12> sending supported signature hash algorithms: sha256 sha384 sha512 identity
    Aug 9 10:12:28	charon		09[CFG] <con1|12> configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/MODP_2048
    Aug 9 10:12:28	charon		09[IKE] <con1|12> IKE_SA con1[12] state change: CREATED => CONNECTING
    Aug 9 10:12:28	charon		09[IKE] <con1|12> initiating IKE_SA con1[12] to SITE2_WAN_IP
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_AUTH_LIFETIME task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating CHILD_CREATE task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CONFIG task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CERT_POST task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_AUTH task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_CERT_PRE task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_NATD task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_INIT task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating IKE_VENDOR task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> activating new tasks
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing CHILD_CREATE task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_AUTH_LIFETIME task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CONFIG task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CERT_POST task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_AUTH task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_CERT_PRE task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_NATD task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_INIT task
    Aug 9 10:12:28	charon		09[IKE] <con1|12> queueing IKE_VENDOR task
    Aug 9 10:12:28	charon		09[KNL] creating acquire job for policy SITE1_WAN_IP/32|/0 === SITE2_WAN_IP/32|/0 with reqid {2}
    

    WAN is up on both ends, I can access via Teamviewer. Not sure where to start here since nothing has changed.



  • So turns out that the SITE1 IP address changed last night. Even though I'm using Dynamic DNS on both ends and both ends recognized the change, the tunnel would not reconnect until a reboot which has now fixed the issue. Weird one.