Connection drops after ~12h and does not reconnect



  • I've had a Linksys WRV200 VPN router acting as a VPN gateway at an office for some time and four WRV200 VPN routers connecting to it (remote sites).  I have changed one of these to pfSense and while the others continue to work fine, the pfSense one experiences a problem.

    It connects fine, providing great access, speed and so on.  After maybe 12 hours, it disconnects and won't pick it up again.  If I restart IPSec on pfSense, it reconnects and works again for the usual period of time.  It successfully establishes an encryption tunnel with 3des-cbc and hmac-sha1 via ESP; however, as stated, it then drops the connection after some period of time (usually about 12 hours).

    Logs on pfSense show the following four messages repeating without fail once per minute:
    racoon: INFO: delete phase 2 handler.
    racoon: [office]: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP <removed office ip>[0]->99.247.58.103[0]
    racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    racoon: INFO: delete phase 2 handler.

    VPN:IPSec:
    Interface: WAN
    Local subnet: LAN subnet
    Remote subnet: 192.168.16.0/24
    Remote Gateway: <removed office ip address>
    Description: office
    Phase 1:
    Negotiation mode: main
    My identifier: My IP address
    Encryption algorithm: 3DES
    Hash algorithm: SHA1
    DH key group: 2
    Lifetime: <blank>
    Authentication Method: pre-shared key
    Pre-shared key: <removed>
    Certificate, key, peer-certificate: <blank>
    Phase 2:
    Protocol: ESP
    Encryption Algorithms: 3DES, Blowfish
    Hash Algorithms: SHA1, MD5
    PFS key group: off
    Lifetime: <blank>
    Keep alive:
    Ping host: <blank>

    WRV200 configuration:
    VPN tunnel: enabled
    Tunnel name: office
    NAT Traversal: disabled
    Local secure group: subnet / 192.168.16.0 / 255.255.255.0
    Remote secure group: any
    Remote secure gateway: any
    Key management:
      Key exchange method: Auto (IKE) [only option]
      Operation mode: Main
      ISA/KMP Encryption Method: Auto
      ISA Authentication Method: MD5 [can't be changed- greyed]
      ISA/KMP DH Group: Group 2 (1024 bits)
      ISA/KMP Key lifetime(s): 28800
      PFS: Disabled
      IPSec Encryption Method: Auto
      IPSec authentication method: MD5 [can't be changed- greyed]
      IPSec key lifetimes: 3600
      Pre-shared key: <removed>
    Tunnel Options:
      Dead peer detection: checked
      Detection delay: 30
      Detection timeout: 120
      DPD Action: Recover connection
      Anti-replay: checked


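A watchdog for the log pattern quoted in the post, as an added example that is not part of the original post: it scans racoon syslog lines for the repeated "time up waiting for phase1" error and reports tunnels stuck in that loop. The timestamps, year, peer addresses (documentation ranges), thresholds and function names are assumptions, since the quoted log lines carry no timestamps.

```python
import re
from datetime import datetime, timedelta

# The phase-2 failure line quoted in the post, preceded by a BSD syslog timestamp.
FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) racoon: \[(?P<tunnel>[^\]]+)\]: ERROR: "
    r"phase2 negotiation failed due to time up waiting for phase1\. "
    r"ESP (?P<src>[^\[\s]+)\[\d+\]->(?P<dst>[^\[\s]+)\[\d+\]")

YEAR = 2024  # assumption: syslog timestamps carry no year, so one is supplied


def stalled_tunnels(lines, min_failures=3, max_gap=timedelta(seconds=90)):
    """Return {(tunnel, peer): (first_failure, last_failure, count)} for each
    tunnel whose longest unbroken run of phase-1 timeouts reaches min_failures.
    A run is broken when two failures are more than max_gap apart."""
    runs, worst = {}, {}
    for line in lines:
        m = FAIL.match(line.strip())
        if not m:
            continue  # the INFO lines around the error carry no tunnel name
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["tunnel"], m["dst"])
        first, last, count = runs.get(key, (ts, ts, 0))
        if count and ts - last > max_gap:
            first, count = ts, 0  # earlier failures were a separate episode
        runs[key] = (first, ts, count + 1)
        if count + 1 >= min_failures and count + 1 > worst.get(key, (0, 0, 0))[2]:
            worst[key] = runs[key]
    return worst


def sample_log():
    """Constructed sample: the post's messages with timestamps added."""
    fail = ("racoon: [office]: ERROR: phase2 negotiation failed due to time up "
            "waiting for phase1. ESP 192.0.2.10[0]->198.51.100.20[0]")
    out = [f"Mar  3 08:00:30 {fail}"]  # one isolated failure, must not alert
    for minute in range(1, 6):         # then five failures, one per minute
        out += [
            f"Mar  3 20:0{minute}:00 {fail}",
            f"Mar  3 20:0{minute}:00 racoon: INFO: delete phase 2 handler.",
            f"Mar  3 20:0{minute}:29 racoon: INFO: request for establishing "
            "IPsec-SA was queued due to no phase1 found.",
        ]
    return out


if __name__ == "__main__":
    for (tunnel, peer), (first, last, n) in stalled_tunnels(sample_log()).items():
        print(f"{tunnel} -> {peer}: {n} phase-1 timeouts from {first} to {last}")
```
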