IPsec Stop working after few commands



  • 2 sites with static IPs, IPsec from pfSense to pfSense.
    I configured IPsec with the default options; I have only set the remote gateway and the pre-shared key.
    For phase 2:
    on site A I have 192.168.3.0/24
    on site B I have 172.16.0.0/24

    The tunnel is established and phase 2 says it's created;
    I can ping from side A to side B,
    I can ping from side B to side A.
    If I SSH from side A to side B, I can log in and do some ls, but if I do for example a dmesg I receive the first 10/15 lines and then the connection drops. The same happens if I try to access Samba, and I can't reconnect; ping stops working from both sides. I need to restart IPsec or wait some time to make it respond to ping again.
    IPsec starts to log this:

    Aug 24 08:53:41 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI cc2d60b7
    Aug 24 08:53:41 	charon 	38977 	06[KNL] querying SAD entry with SPI cc2d60b7
    Aug 24 08:53:41 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI c04d279c
    Aug 24 08:53:41 	charon 	38977 	06[KNL] querying SAD entry with SPI c04d279c
    Aug 24 08:53:36 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI cc2d60b7
    Aug 24 08:53:36 	charon 	38977 	06[KNL] querying SAD entry with SPI cc2d60b7
    Aug 24 08:53:36 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI c04d279c
    Aug 24 08:53:36 	charon 	38977 	06[KNL] querying SAD entry with SPI c04d279c
    Aug 24 08:53:33 	charon 	38977 	06[KNL] <con1000|8> querying policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
    Aug 24 08:53:33 	charon 	38977 	06[KNL] querying policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
    Aug 24 08:53:33 	charon 	38977 	04[NET] sending packet: from 217.xxx.xx.167[500] to 151.xxx.xxx.210[500]
    Aug 24 08:53:33 	charon 	38977 	04[NET] sending packet: from 217.xxx.xx.167[500] to 151.xxx.xxx.210[500]
    Aug 24 08:53:33 	charon 	38977 	06[NET] <con1000|8> sending packet: from 217.xxx.xxx.167[500] to 151.xxx.xxx.210[500] (80 bytes)
    Aug 24 08:53:33 	charon 	38977 	06[NET] sending packet: from 217.xxx.xxx.167[500] to 151.xxx.xxx.210[500] (80 bytes)
    Aug 24 08:53:33 	charon 	38977 	06[ENC] <con1000|8> generating INFORMATIONAL response 831 [ ]
    Aug 24 08:53:33 	charon 	38977 	06[ENC] generating INFORMATIONAL response 831 [ ]
    Aug 24 08:53:33 	charon 	38977 	06[ENC] <con1000|8> parsed INFORMATIONAL request 831 [ ]
    Aug 24 08:53:33 	charon 	38977 	06[ENC] parsed INFORMATIONAL request 831 [ ]
    Aug 24 08:53:33 	charon 	38977 	06[NET] <con1000|8> received packet: from 151.xxx.xxx.210[500] to 217.1xxx.xxx.167[500] (80 bytes)
    Aug 24 08:53:33 	charon 	38977 	06[NET] received packet: from 151.xxx.xxx.210[500] to 217.xxx.xxx.167[500] (80 bytes)
    Aug 24 08:53:33 	charon 	38977 	03[NET] waiting for data on sockets
    Aug 24 08:53:33 	charon 	38977 	03[NET] waiting for data on sockets
    

    I also tried with OpenVPN, same problem; the only difference is that with OpenVPN on SSH I receive the error "broken pipe" instead of "network error".

    Site A is PPPoE with a static address assigned.
    Site B is a /29 where one address is assigned to pfSense and the other IPs are aliases.

    IPsec log at connection:

    Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> received AUTH_LIFETIME of 27914s, scheduling reauthentication in 27374s
    Aug 24 09:14:28 	charon 	38977 	11[IKE] received AUTH_LIFETIME of 27914s, scheduling reauthentication in 27374s
    Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
    Aug 24 09:14:28 	charon 	38977 	11[IKE] CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> updating policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out
    Aug 24 09:14:28 	charon 	38977 	11[KNL] updating policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out already exists, increasing refcount
    Aug 24 09:14:28 	charon 	38977 	11[KNL] policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out already exists, increasing refcount
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> updating policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
    Aug 24 09:14:28 	charon 	38977 	11[KNL] updating policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in already exists, increasing refcount
    Aug 24 09:14:28 	charon 	38977 	11[KNL] policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in already exists, increasing refcount
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using integrity algorithm HMAC_SHA2_256_128 with key size 256
    Aug 24 09:14:28 	charon 	38977 	11[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using encryption algorithm AES_CBC with key size 128
    Aug 24 09:14:28 	charon 	38977 	11[KNL] using encryption algorithm AES_CBC with key size 128
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> adding SAD entry with SPI c05282cd and reqid {3}
    Aug 24 09:14:28 	charon 	38977 	11[KNL] adding SAD entry with SPI c05282cd and reqid {3}
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using integrity algorithm HMAC_SHA2_256_128 with key size 256
    Aug 24 09:14:28 	charon 	38977 	11[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using encryption algorithm AES_CBC with key size 128
    Aug 24 09:14:28 	charon 	38977 	11[KNL] using encryption algorithm AES_CBC with key size 128
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> adding SAD entry with SPI cae1ccd1 and reqid {3}
    Aug 24 09:14:28 	charon 	38977 	11[KNL] adding SAD entry with SPI cae1ccd1 and reqid {3}
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> deleted SAD entry with SPI cae1ccd1
    Aug 24 09:14:28 	charon 	38977 	11[KNL] deleted SAD entry with SPI cae1ccd1
    Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> deleting SAD entry with SPI cae1ccd1
    Aug 24 09:14:28 	charon 	38977 	11[KNL] deleting SAD entry with SPI cae1ccd1
    Aug 24 09:14:28 	charon 	38977 	11[CFG] <con1000|9> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
    Aug 24 09:14:28 	charon 	38977 	11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
    Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Aug 24 09:14:28 	charon 	38977 	11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> maximum IKE_SA lifetime 28428s
    Aug 24 09:14:28 	charon 	38977 	11[IKE] maximum IKE_SA lifetime 28428s
    Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> scheduling reauthentication in 27888s
    Aug 24 09:14:28 	charon 	38977 	11[IKE] scheduling reauthentication in 27888s
    Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> IKE_SA con1000[9] established between 217.xxx.xxx.167[217.xxx.xxx.167]...151.xxx.xxx.210[151.xxx.xxx.210]
    Aug 24 09:14:28 	charon 	38977 	11[IKE] IKE_SA con1000[9] established between 217.xxx.xxx.167[217.xxx.xxx.167]...151.xxx.xxx.210[151.xxx.xxx.210]
    

    I tried to set MSS clamping to 1300 as suggested at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html
    Nothing changed.
    All interfaces have different subnets (Site A != Site B).
    Site A is 2.5.0.
    Site B is a VM with 2.4.4-p3.

    What can I try?
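A triage helper for charon log excerpts like the two pasted above, added here as an example; it is not code from pfSense, strongSwan or anyone in this thread. It parses the tab-separated lines pfSense's log viewer produces (timestamp, process, pid, thread[subsystem], optional <connection|IKE_SA> tag, message), collapses the doubled tagged/untagged copy of every message, puts the excerpt in chronological order (the excerpts in this thread are pasted newest-first, so a naive read misorders the events) and builds a per-SPI timeline of SAD entry events, so you can see whether a CHILD_SA was actually torn down at the moment traffic stopped. The "querying SAD entry" lines only read the SA's byte/packet counters and are not themselves a failure. The sample log is constructed from the thread's own lines plus a teardown at 09:25:10 that is invented for the demonstration; the regex field layout is an assumption based on the pasted format.

```python
"""Per-SPI timeline for pfSense/strongSwan (charon) IPsec log excerpts (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Field layout assumed from the lines pasted in the thread:
# "<Mon DD HH:MM:SS> \tcharon \t<pid> \t<thread>[<SUBSYS>] [<conN|M>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon\s+\d+\s+"
    r"(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s+(?:<(?P<tag>[^>]+)>\s+)?(?P<msg>.*?)\s*$"
)
CHILD_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
    r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)"
)
SAD_RE = re.compile(r"(?P<action>adding|deleting|deleted|querying) SAD entry with SPI (?P<spi>[0-9a-f]+)")

# Constructed sample, newest-first as pfSense showed it in the thread. The 09:14:28
# lines are the thread's own; the 09:20:05 query and the 09:25:10 teardown are invented.
SAMPLE_LOG = """\
Aug 24 09:25:10 \tcharon \t38977 \t13[KNL] <con1000|9> deleted SAD entry with SPI c05282cd
Aug 24 09:25:10 \tcharon \t38977 \t13[KNL] deleted SAD entry with SPI c05282cd
Aug 24 09:25:10 \tcharon \t38977 \t13[KNL] <con1000|9> deleting SAD entry with SPI c05282cd
Aug 24 09:25:10 \tcharon \t38977 \t13[KNL] deleting SAD entry with SPI c05282cd
Aug 24 09:20:05 \tcharon \t38977 \t06[KNL] <con1000|9> querying SAD entry with SPI cae1ccd1
Aug 24 09:20:05 \tcharon \t38977 \t06[KNL] querying SAD entry with SPI cae1ccd1
Aug 24 09:14:28 \tcharon \t38977 \t11[IKE] <con1000|9> CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
Aug 24 09:14:28 \tcharon \t38977 \t11[IKE] CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] <con1000|9> adding SAD entry with SPI c05282cd and reqid {3}
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] adding SAD entry with SPI c05282cd and reqid {3}
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] <con1000|9> adding SAD entry with SPI cae1ccd1 and reqid {3}
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] adding SAD entry with SPI cae1ccd1 and reqid {3}
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] <con1000|9> deleted SAD entry with SPI cae1ccd1
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] deleted SAD entry with SPI cae1ccd1
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] <con1000|9> deleting SAD entry with SPI cae1ccd1
Aug 24 09:14:28 \tcharon \t38977 \t11[KNL] deleting SAD entry with SPI cae1ccd1
"""


def parse_line(line):
    """Return a dict for one charon log line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog stamps carry no year; good enough for ordering within one excerpt.
    rec["when"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
    return rec


def parse_log(text):
    """Parse, put oldest-first, and collapse the tagged/untagged duplicate of each message."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    if len(recs) > 1 and recs[0]["when"] > recs[-1]["when"]:
        recs.reverse()  # newest-first paste: reversing keeps the order within one second intact
    merged = []
    for r in recs:
        key = (r["ts"], r["thread"], r["subsys"], r["msg"])
        if merged and merged[-1]["_key"] == key:
            if r["tag"] and not merged[-1]["tag"]:
                merged[-1]["tag"] = r["tag"]  # keep the IKE_SA tag from whichever copy has it
            continue
        r["_key"] = key
        merged.append(r)
    return merged


def child_sas(recs):
    """CHILD_SAs established in the excerpt, with their SPIs and traffic selectors."""
    out = []
    for r in recs:
        m = CHILD_RE.search(r["msg"])
        if m:
            out.append({"when": r["ts"], "name": m.group("name"), "ike_sa": r["tag"],
                        "spi_in": m.group("spi_in"), "spi_out": m.group("spi_out"),
                        "traffic_selector": m.group("ts")})
    return out


def spi_timeline(recs):
    """Map each ESP SPI to its ordered (timestamp, action, ike_sa_tag) SAD events."""
    timeline = defaultdict(list)
    for r in recs:
        m = SAD_RE.search(r["msg"])
        if m:
            timeline[m.group("spi")].append((r["ts"], m.group("action"), r["tag"]))
    return dict(timeline)


def torn_down(recs):
    """SPIs whose SAD entry was deleted *after* it was added. The delete of the same SPI
    that precedes 'adding' in the thread's connection log is ignored on purpose."""
    gone = []
    for spi, events in spi_timeline(recs).items():
        actions = [a for _, a, _ in events]
        if "adding" in actions and "deleted" in actions[actions.index("adding") + 1:]:
            gone.append(spi)
    return sorted(gone)


def report(text):
    """Human-readable summary: CHILD_SAs, per-SPI event chains, and torn-down SPIs."""
    recs = parse_log(text)
    lines = [f"{len(recs)} unique charon messages"]
    for c in child_sas(recs):
        lines.append(f"{c['when']} {c['name']} on IKE_SA {c['ike_sa']}: "
                     f"in {c['spi_in']} out {c['spi_out']} TS {c['traffic_selector']}")
    for spi, ev in sorted(spi_timeline(recs).items()):
        lines.append(f"SPI {spi}: " + " -> ".join(f"{a}@{t[-8:]}" for t, a, _ in ev))
    lines.append("torn down after add: " + (", ".join(torn_down(recs)) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Paste your own excerpt in place of SAMPLE_LOG (or feed it from a file) and compare the torn-down list with the clock time the SSH session died: a CHILD_SA that is still up while traffic stops points at firewall states or path MTU rather than at IKE, while a delete at that moment points at the SA itself (rekey, DPD or a reload).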


  • LAYER 8 Netgate

    Sounds like something is killing your states. Either the states for the VPN connection or the states for the connections across the tunnel.



  • I'm still testing whether it's all good now before I can say that it's resolved.
    After what you told me I realized that sometimes I have to reload the web pages and that the forum itself sometimes tells me that I lost the connection.

    The first thing that came to mind that could kill the states without any apparent reason was this setting...

    Disable Gateway Monitoring Action

    For the moment the problem is not present. Let's see if it continues.


  • LAYER 8 Netgate

    Probably not. It's usually this one:

    [attached screenshot: 27cc2af4-c954-429f-a00c-4c8853373d47-image.png]



  • Nope, I don't have that checked; plus I never saw my gateway down.
    🤔


  • Rebel Alliance Developer Netgate

    Either the states are being removed or you have some asymmetric routing happening that is cutting off the connection after the half-open state times out.

