Netgate Discussion Forum
    IPSec tunnels going down sometimes when phase 2 renegotiation happens.

    Category: IPsec
    2 Posts 2 Posters 381 Views

    careymichael (last edited by stephenw10)

      It seems that in phase 2 there are issues with re-negotiation. My setup is as follows.

      EU Netgate 2.4.4-p2 tunnel to CA Netgate 2.4.4-p2: works fine
      EU Netgate 2.4.4-p2 tunnel to AWS: works fine
      EU Netgate 2.4.4-p2 tunnel to BOS Netgate 2.4.4-p3: randomly tunnel goes down
      CA Netgate 2.4.4-p2 tunnel to AWS: works fine
      CA Netgate 2.4.4-p2 tunnel to BOS Netgate 2.4.4-p3: randomly tunnel goes down
      BOS Netgate 2.4.4-p3 tunnel to AWS: works fine

      Sometimes it will negotiate one or two times. Then suddenly no traffic will pass through the tunnel. There will usually be at least 2, sometimes more, child SA entries under status. One will have the normal rekey in positive seconds; the other ones will have negative seconds, i.e. -462 sec. If I remote into a machine from either the EU or CA networks and start pinging back to BOS, in a minute or two (~100-200 pings) the tunnel will start passing traffic again for another hour or two. If this happens and I ping from BOS to EU/CA, the tunnel instantly comes up for an hour or two. All are configured as follows.

      IKEv1 (I started with v2 but changed as part of troubleshooting this)
      IPv4
      Interface WAN
      Remote gateway [ip address]
      Auth Mutual PSK
      Mode Main
      My ID My IP
      Peer ID Peer IP
      Encryption AES 128 Sha 256 DH 14 (2048)
      Lifetime 28800
      Disable Key Unchecked
      Margintime Blank
      Responder Unchecked
      Enable DPD Checked
      Delay 10
      Max Fail 5

      Phase 2
      Mode Tunnel IPv4
      local net Lan Subnet
      NAT None
      Remote Network [network address]
      Protocol ESP
      Encryption Algor AES and AES128-GCM both 128 bits
      Hash SHA256
      PFS key group 14 (2048 bit)
      Lifetime 3600
      Auto ping host [a live ip on the other end of the tunnel that is pingable using ping from the diag menu and selecting LAN as the source]

      I have tried the following:
      Changed from IKEv2 to IKEv1
      Made BOS the initiator and CA and EU responders only
      This broke when renegotiation happened.
      Made CA and EU initiators and BOS responder only.
      This broke when renegotiation happened.
      The two above seem to have fixed a similar issue for someone else. It didn't work for me.

      Could this be a bug between 2.4.4-p2 and 2.4.4-p3? The tunnels between CA and EU have been up for months. The BOS to AWS never seems to go down. I'm not sure where to go from here so any help would be great.

      stephenw10, Netgate Administrator

        Well you should have everything at p3 anyway. I'm not aware of any particular issue between p2 and p3 though.

        Do you have any logs showing the negotiation failure from either end?

        Steve
