IPSec tunnels going down sometimes when phase 2 renegotiation happens.
-
It seems that in phase 2 there are issues with re-negotiation. My setup is as follows.
EU Netgate 2.4.4-p2 tunnel to CA Netgate 2.4.4-p2
Works fine
EU Netgate 2.4.4-p2 tunnel to AWS
Works fine
EU Netgate 2.4.4-p2 tunnel to BOS Netgate 2.4.4-p3
Randomly tunnel goes down
CA Netgate 2.4.4-p2 tunnel to AWS
Works fine
CA Netgate 2.4.4-p2 tunnel to BOS Netgate 2.4.4-p3
Randomly tunnel goes down
BOS Netgate 2.4.4-p3 tunnel to AWS
Works fine
Sometimes it will negotiate one or two times. Then suddenly no traffic will pass through the tunnel. There will usually be at least 2, sometimes more, child SA entries under status. One will have the normal rekey in positive seconds; the other ones will have negative seconds, i.e. -462 sec. If I remote into a machine from either the EU or CA networks and start pinging back to BOS, in a minute or two (~100-200 pings) the tunnel will start passing traffic again for another hour or two. If this happens and I ping from BOS to EU/CA the tunnel instantly comes up for an hour or two. All are configured as follows.
IKEv1 (I started with v2 but changed as part of troubleshooting this)
IPv4
Interface WAN
Remote gateway [ip address]
Auth Mutual PSK
Mode Main
My ID My IP
Peer ID Peer IP
Encryption AES 128 Sha 256 DH 14 (2048)
Lifetime 28800
Disable Key Unchecked
Margintime Blank
Responder Unchecked
Enable DPD Checked
Delay 10
Max Fail 5
Phase 2
Mode Tunnel IPv4
local net Lan Subnet
NAT None
Remote Network [network address]
Protocol ESP
Encryption Algor AES and AES128-GCM both 128 bits
Hash SHA256
PFS key group 14 (2048 bit)
Lifetime 3600
Auto ping host [a live ip on the other end of the tunnel that is pingable using ping from the diag menu and selecting LAN as the source]
I have tried the following:
Changed from IKE2 to 1
Made BOS the initiator and CA and EU responders only.
This broke when renegotiation happened.
Made CA and EU initiators and BOS responder only.
This broke when renegotiation happened.
The two above seem to have fixed a similar issue for someone else. It didn't work for me.
Could this be a bug between 2.4.4-p2 and 2.4.4-p3? The tunnels between CA and EU have been up for months. The BOS to AWS tunnel never seems to go down. I'm not sure where to go from here, so any help would be great.
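As an added example (not from the original post), here is a small Python check that parses CHILD_SA lines in the form `ipsec statusall` prints them on a pfSense box and flags the conditions described above: more than one child SA for the same traffic selectors, an SA past its rekey time (what the GUI shows as negative rekey seconds), and an SA that sends but never receives. The sample output, connection names and addresses are constructed, and the exact status wording is an assumption.

```python
import re
from collections import defaultdict
# Constructed sample modelled on strongSwan `ipsec statusall` CHILD_SA lines (wording
# is an assumption; pfSense 2.4.4 runs strongSwan). bos-eu has two child SAs for the
# same selectors; {2} is past its rekey time and receives nothing (the post's symptom).
SAMPLE = """\
bos-eu{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cafe0001_i cafe0002_o
bos-eu{3}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 48211 bytes_i (382 pkts, 2s ago), 51020 bytes_o (377 pkts, 2s ago), rekeying in 41 minutes
bos-eu{3}:   10.10.0.0/24 === 192.168.5.0/24
bos-eu{2}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: cafe0003_i cafe0004_o
bos-eu{2}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 0 bytes_i, 12040 bytes_o (115 pkts, 1s ago), rekeying active
bos-eu{2}:   10.10.0.0/24 === 192.168.5.0/24
bos-aws{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cafe0005_i cafe0006_o
bos-aws{1}:  AES_CBC_128/HMAC_SHA2_256_128/MODP_2048, 9001 bytes_i (70 pkts, 3s ago), 8700 bytes_o (69 pkts, 3s ago), rekeying in 12 minutes
bos-aws{1}:   10.10.0.0/24 === 172.31.0.0/16
"""
# CHILD_SA lines start with name{id}; IKE_SA lines use name[id] and are skipped.
LINE = re.compile(r"^(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
STATS = re.compile(r"(?P<bin>\d+) bytes_i.*?(?P<bout>\d+) bytes_o.*?rekeying (?P<rekey>.+)$")
TS = re.compile(r"^(?P<local>\S+) === (?P<remote>\S+)")

def parse_child_sas(text):
    """Map (conn name, child id) -> dict(state, bytes_in, bytes_out, rekey, selectors)."""
    sas = {}
    for m in filter(None, map(LINE.match, text.splitlines())):
        sa = sas.setdefault((m["name"], int(m["id"])), {})
        s, t = STATS.search(m["rest"]), TS.match(m["rest"])
        if s:   # counters line: traffic seen in each direction plus rekey status
            sa.update(bytes_in=int(s["bin"]), bytes_out=int(s["bout"]), rekey=s["rekey"])
        elif t:  # traffic selector line: local === remote
            sa["selectors"] = (t["local"], t["remote"])
        else:    # header line: first token is the SA state (INSTALLED, ...)
            sa["state"] = m["rest"].split(",")[0]
    return sas

def stale_child_sas(sas):
    """Return (key, reason) findings for SAs matching the symptoms in the post."""
    findings, by_selectors = [], defaultdict(list)
    for key, sa in sas.items():
        by_selectors[(key[0], sa.get("selectors"))].append(key)
        if sa.get("rekey") == "active":  # the GUI shows this as a negative rekey time
            findings.append((key, "past rekey time, replacement SA not installed"))
        if sa.get("bytes_in") == 0 and sa.get("bytes_out", 0) > 0:
            findings.append((key, "we send but receive nothing: peer is using another SA"))
    for sel, keys in by_selectors.items():
        if len(keys) > 1:  # more than one child SA for the same traffic selectors
            findings.append((tuple(sorted(keys)), f"duplicate child SAs for {sel}"))
    return findings
```

Run it against `ipsec statusall` output captured from both ends at the moment traffic stops; a duplicate pair on one side with a single SA on the other points at the rekey that was not agreed.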
-
Well you should have everything at p3 anyway. I'm not aware of any particular issue between p2 and p3 though.
Do you have any logs showing the negotiation failure from either end?
Steve