IPSec tunnels going down sometimes when phase 2 renegotiation happens.



  • It seems that in phase 2 there are issues with re-negotiation. My setup is as follows.

    EU Netgate 2.4.4-p2 tunnel to CA Netgate 2.4.4-p2
    Works fine
    EU Netgate 2.4.4-p2 tunnel to AWS
    Works fine
    EU Netgate 2.4.4-p2 tunnel to BOS Netgate 2.4.4-p3
    Randomly tunnel goes down
    CA Netgate 2.4.4-p2 tunnel to AWS
    Works fine
    CA Netgate 2.4.4-p2 tunnel to BOS Netgate 2.4.4-p3
    Randomly tunnel goes down
    Bos Netgate 2.4.4-p3 tunnel to AWS
    Works fine

    Sometimes it will negotiate one or two times. Then suddenly no traffic will pass through the tunnel. There will usually be at least 2, sometimes more, child SA entries under status. One will have the normal rekey in positive seconds; the other ones will have negative seconds, i.e. -462 sec. If I remote into a machine from either the EU or CA networks and start pinging back to BOS, in a minute or two (~100-200 pings) the tunnel will start passing traffic again for another hour or two. If this happens and I ping from BOS to EU/CA, the tunnel instantly comes up for an hour or two. All are configured as follows.

    IKEv1 (I started with v2 but changed as part of troubleshooting this)
    IPv4
    Interface WAN
    Remote gateway [ip address]
    Auth Mutual PSK
    Mode Main
    My ID My IP
    Peer ID Peer IP
    Encryption AES 128 Sha 256 DH 14 (2048)
    Lifetime 28800
    Disable Key Unchecked
    Margintime Blank
    Responder Unchecked
    Enable DPD Checked
    Delay 10
    Max Fail 5

    Phase 2
    Mode Tunnel IPv4
    local net Lan Subnet
    NAT None
    Remote Network [network address]
    Protocol ESP
    Encryption Algorithm AES and AES128-GCM both 128 bits
    Hash SHA256
    PFS key group 14 (2048 bit)
    Lifetime 3600
    Auto ping host [a live ip on the other end of the tunnel that is pingable using ping from the diag menu and selecting LAN as the source]

    I have tried the following:
    Changed from IKE2 to 1
    Made BOS the initiator and CA and EU responders only
    This broke when renegotiation happened.
    Made CA and EU initiators and BOS responder only.
    This broke when renegotiation happened.
    The two above seem to have fixed a similar issue for someone else. It didn't work for me.

    Could this be a bug between 2.4.4-p2 and 2.4.4-p3? The tunnels between CA and EU have been up for months. The BOS to AWS never seems to go down. I'm not sure where to go from here so any help would be great.
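The symptom described in the post above is several child SAs listed under the same phase 2 at once, one with a positive rekey countdown and the others already past their rekey time (negative seconds). The following is an added example, not code from the original thread or from pfSense/strongSwan: a small Python script that parses a status dump and flags exactly that pattern, so an admin can check it from a cron job or SSH session instead of eyeballing the status page. The line format in `SAMPLE_STATUS` is constructed for the example and mirrors only the fields the poster mentions (connection, child SA number, SPIs, rekey seconds); it is not the real output format of `ipsec statusall` or the pfSense GUI, so `LINE_RE` would need adapting to whatever you actually dump.

```python
import re
from collections import defaultdict

# Constructed sample status, modelled loosely on what the pfSense IPsec status
# page shows per child SA. Not a capture from the poster's firewalls and not
# strongSwan's real output format. con1000 shows the reported failure pattern:
# one healthy child SA plus two that are past their scheduled rekey time.
SAMPLE_STATUS = """\
con1000 child=1 spi_in=c0a80a01 spi_out=c0a80a02 rekey=2731
con1000 child=2 spi_in=c0a80b01 spi_out=c0a80b02 rekey=-462
con1000 child=3 spi_in=c0a80c01 spi_out=c0a80c02 rekey=-1910
con2000 child=1 spi_in=c0a81a01 spi_out=c0a81a02 rekey=1405
"""

# One record per line; rekey may be negative (seconds past the rekey deadline).
LINE_RE = re.compile(
    r"^(?P<conn>\S+)\s+child=(?P<child>\d+)\s+spi_in=(?P<spi_in>[0-9a-f]+)\s+"
    r"spi_out=(?P<spi_out>[0-9a-f]+)\s+rekey=(?P<rekey>-?\d+)$"
)


def parse_child_sas(text):
    """Parse status lines into a list of child SA dicts; unknown lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sas.append({
            "conn": m.group("conn"),
            "child": int(m.group("child")),
            "spi_in": m.group("spi_in"),
            "spi_out": m.group("spi_out"),
            "rekey": int(m.group("rekey")),
        })
    return sas


def stale_child_sas(sas):
    """Child SAs whose rekey countdown has gone negative: they should have been
    replaced already, so traffic may be pinned to an SA the peer no longer has."""
    return [sa for sa in sas if sa["rekey"] < 0]


def connections_with_duplicate_children(sas):
    """Connections that currently hold more than one child SA. A brief overlap
    during rekeying is normal; a persistent pile-up is the symptom to chase."""
    by_conn = defaultdict(list)
    for sa in sas:
        by_conn[sa["conn"]].append(sa)
    return {conn: kids for conn, kids in by_conn.items() if len(kids) > 1}


def dpd_detection_window(delay_seconds, max_failures):
    """Worst-case seconds before DPD declares the peer dead (delay x max fail);
    the post's settings of 10 and 5 give 50 seconds."""
    return delay_seconds * max_failures


def report(text):
    """Human-readable summary of the stale/duplicate child SA check."""
    sas = parse_child_sas(text)
    lines = []
    for conn, kids in connections_with_duplicate_children(sas).items():
        stale = [k for k in kids if k["rekey"] < 0]
        lines.append(
            f"{conn}: {len(kids)} child SAs, {len(stale)} past rekey "
            f"({', '.join(str(k['rekey']) + 's' for k in stale)})"
        )
    return "\n".join(lines) if lines else "no duplicate child SAs"


if __name__ == "__main__":
    print(report(SAMPLE_STATUS))
    print("DPD detection window:", dpd_detection_window(10, 5), "seconds")
```

If the check reports a connection with stale children on one end but the peer lists only one child SA for the same phase 2, the two sides disagree about which SA is live, which matches the one-directional "ping from the other side brings it back" behaviour the poster describes and is worth lining up against the IPsec logs at both ends with the same timestamps.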


  • Netgate Administrator

    Well you should have everything at p3 anyway. I'm not aware of any particular issue between p2 and p3 though.

    Do you have any logs showing the negotiation failure from either end?

    Steve

