Netgate Discussion Forum

    IPsec Stop working after few commands

    • kiokoman LAYER 8
      last edited by kiokoman

      2 sites with static IPs, IPsec from pfSense to pfSense
      I configured IPsec with the default options, I have only set the remote gateway and pre-shared key
      for phase 2
      on site A I have 192.168.3.0/24
      on site B I have 172.16.0.0/24

      the tunnel is established, phase 2 says it's created,
      I can ping from side A to side B,
      I can ping from side B to side A
      if I ssh from side A to side B, I can log in, I can do some ls, but if I do for example a dmesg I receive the first 10/15 lines and then the connection drops. The same if I try to access samba, and I can't reconnect; ping stops working from both sides. I need to restart IPsec or wait some time to make it respond to ping again
      IPsec starts to log this

      Aug 24 08:53:41 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI cc2d60b7
      Aug 24 08:53:41 	charon 	38977 	06[KNL] querying SAD entry with SPI cc2d60b7
      Aug 24 08:53:41 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI c04d279c
      Aug 24 08:53:41 	charon 	38977 	06[KNL] querying SAD entry with SPI c04d279c
      Aug 24 08:53:36 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI cc2d60b7
      Aug 24 08:53:36 	charon 	38977 	06[KNL] querying SAD entry with SPI cc2d60b7
      Aug 24 08:53:36 	charon 	38977 	06[KNL] <con1000|8> querying SAD entry with SPI c04d279c
      Aug 24 08:53:36 	charon 	38977 	06[KNL] querying SAD entry with SPI c04d279c
      Aug 24 08:53:33 	charon 	38977 	06[KNL] <con1000|8> querying policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
      Aug 24 08:53:33 	charon 	38977 	06[KNL] querying policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
      Aug 24 08:53:33 	charon 	38977 	04[NET] sending packet: from 217.xxx.xx.167[500] to 151.xxx.xxx.210[500]
      Aug 24 08:53:33 	charon 	38977 	04[NET] sending packet: from 217.xxx.xx.167[500] to 151.xxx.xxx.210[500]
      Aug 24 08:53:33 	charon 	38977 	06[NET] <con1000|8> sending packet: from 217.xxx.xxx.167[500] to 151.xxx.xxx.210[500] (80 bytes)
      Aug 24 08:53:33 	charon 	38977 	06[NET] sending packet: from 217.xxx.xxx.167[500] to 151.xxx.xxx.210[500] (80 bytes)
      Aug 24 08:53:33 	charon 	38977 	06[ENC] <con1000|8> generating INFORMATIONAL response 831 [ ]
      Aug 24 08:53:33 	charon 	38977 	06[ENC] generating INFORMATIONAL response 831 [ ]
      Aug 24 08:53:33 	charon 	38977 	06[ENC] <con1000|8> parsed INFORMATIONAL request 831 [ ]
      Aug 24 08:53:33 	charon 	38977 	06[ENC] parsed INFORMATIONAL request 831 [ ]
      Aug 24 08:53:33 	charon 	38977 	06[NET] <con1000|8> received packet: from 151.xxx.xxx.210[500] to 217.1xxx.xxx.167[500] (80 bytes)
      Aug 24 08:53:33 	charon 	38977 	06[NET] received packet: from 151.xxx.xxx.210[500] to 217.xxx.xxx.167[500] (80 bytes)
      Aug 24 08:53:33 	charon 	38977 	03[NET] waiting for data on sockets
      Aug 24 08:53:33 	charon 	38977 	03[NET] waiting for data on sockets
      

      I also tried with OpenVPN, same problem, the only difference is that with OpenVPN on ssh I receive the error "broken pipe" instead of "network error"

      site A is PPPoE with a static address assigned
      site B is a /29 where one address is assigned to pfSense, the other IPs are aliases

      log of ipsec at connection

      Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> received AUTH_LIFETIME of 27914s, scheduling reauthentication in 27374s
      Aug 24 09:14:28 	charon 	38977 	11[IKE] received AUTH_LIFETIME of 27914s, scheduling reauthentication in 27374s
      Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
      Aug 24 09:14:28 	charon 	38977 	11[IKE] CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> updating policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out
      Aug 24 09:14:28 	charon 	38977 	11[KNL] updating policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out already exists, increasing refcount
      Aug 24 09:14:28 	charon 	38977 	11[KNL] policy 192.168.3.0/24|/0 === 172.16.0.0/24|/0 out already exists, increasing refcount
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> updating policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
      Aug 24 09:14:28 	charon 	38977 	11[KNL] updating policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in already exists, increasing refcount
      Aug 24 09:14:28 	charon 	38977 	11[KNL] policy 172.16.0.0/24|/0 === 192.168.3.0/24|/0 in already exists, increasing refcount
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using integrity algorithm HMAC_SHA2_256_128 with key size 256
      Aug 24 09:14:28 	charon 	38977 	11[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using encryption algorithm AES_CBC with key size 128
      Aug 24 09:14:28 	charon 	38977 	11[KNL] using encryption algorithm AES_CBC with key size 128
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> adding SAD entry with SPI c05282cd and reqid {3}
      Aug 24 09:14:28 	charon 	38977 	11[KNL] adding SAD entry with SPI c05282cd and reqid {3}
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using integrity algorithm HMAC_SHA2_256_128 with key size 256
      Aug 24 09:14:28 	charon 	38977 	11[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> using encryption algorithm AES_CBC with key size 128
      Aug 24 09:14:28 	charon 	38977 	11[KNL] using encryption algorithm AES_CBC with key size 128
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> adding SAD entry with SPI cae1ccd1 and reqid {3}
      Aug 24 09:14:28 	charon 	38977 	11[KNL] adding SAD entry with SPI cae1ccd1 and reqid {3}
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> deleted SAD entry with SPI cae1ccd1
      Aug 24 09:14:28 	charon 	38977 	11[KNL] deleted SAD entry with SPI cae1ccd1
      Aug 24 09:14:28 	charon 	38977 	11[KNL] <con1000|9> deleting SAD entry with SPI cae1ccd1
      Aug 24 09:14:28 	charon 	38977 	11[KNL] deleting SAD entry with SPI cae1ccd1
      Aug 24 09:14:28 	charon 	38977 	11[CFG] <con1000|9> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
      Aug 24 09:14:28 	charon 	38977 	11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
      Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Aug 24 09:14:28 	charon 	38977 	11[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
      Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> maximum IKE_SA lifetime 28428s
      Aug 24 09:14:28 	charon 	38977 	11[IKE] maximum IKE_SA lifetime 28428s
      Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> scheduling reauthentication in 27888s
      Aug 24 09:14:28 	charon 	38977 	11[IKE] scheduling reauthentication in 27888s
      Aug 24 09:14:28 	charon 	38977 	11[IKE] <con1000|9> IKE_SA con1000[9] established between 217.xxx.xxx.167[217.xxx.xxx.167]...151.xxx.xxx.210[151.xxx.xxx.210]
      Aug 24 09:14:28 	charon 	38977 	11[IKE] IKE_SA con1000[9] established between 217.xxx.xxx.167[217.xxx.xxx.167]...151.xxx.xxx.210[151.xxx.xxx.210]
      

      I tried to set MSS clamping to 1300 as suggested at https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-troubleshooting.html
      nothing changed
      all interfaces have different subnets, Site A != Site B
      site A is 2.5.0
      site B is a VM with 2.4.4-p3

      what can I try?

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.
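pfSense writes every charon line twice, once with the <con1000|N> IKE_SA tag and once without, which makes excerpts like the ones above hard to scan. The following Python script is an added example (not code from the post, pfSense or strongSwan) that collapses those duplicates, pulls out the CHILD_SA SPIs and traffic selectors, checks that each INFORMATIONAL (DPD) request was answered, and counts the kernel SAD polls per SPI; the embedded sample lines are constructed from the log excerpts in the post.

```python
import re
from collections import Counter

# Constructed sample in pfSense's charon log layout; pfSense writes each line twice (tagged <conn|ike_sa_id>, untagged).
SAMPLE_LOG = """\
Aug 24 09:14:28  charon  38977  11[IKE] <con1000|9> CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
Aug 24 09:14:28  charon  38977  11[IKE] CHILD_SA con1000{41} established with SPIs cae1ccd1_i c05282cd_o and TS 192.168.3.0/24|/0 === 172.16.0.0/24|/0
Aug 24 08:53:33  charon  38977  06[ENC] <con1000|8> parsed INFORMATIONAL request 831 [ ]
Aug 24 08:53:33  charon  38977  06[ENC] <con1000|8> generating INFORMATIONAL response 831 [ ]
Aug 24 08:53:36  charon  38977  06[KNL] <con1000|8> querying SAD entry with SPI cc2d60b7
Aug 24 08:53:36  charon  38977  06[KNL] querying SAD entry with SPI cc2d60b7
Aug 24 08:53:41  charon  38977  06[KNL] <con1000|8> querying SAD entry with SPI cc2d60b7
"""
LINE_RE = re.compile(r"^\s*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon\s+\d+\s+"
                     r"(?P<thread>\d+)\[(?P<group>\w+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
CHILD_RE = re.compile(r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
                      r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$")
INFO_RE = re.compile(r"(parsed|generating) INFORMATIONAL (request|response) (\d+)")
SAD_RE = re.compile(r"querying SAD entry with SPI ([0-9a-f]+)")

def parse(text):
    """Parse charon lines and collapse tagged/untagged duplicates, preferring the tagged copy."""
    events = {}
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        key = (m["ts"], m["thread"], m["msg"])
        if key not in events or (m["sa"] and not events[key]["sa"]):
            events[key] = m.groupdict()
    return list(events.values())

def _matches(regex, events):
    for e in events:
        m = regex.search(e["msg"])
        if m:
            yield m

def child_sas(events):
    """Negotiated CHILD_SAs: name, inbound/outbound ESP SPIs and traffic selectors."""
    return [m.groupdict() for m in _matches(CHILD_RE, events)]

def informational_roundtrips(events):
    """Message id -> True when an INFORMATIONAL (DPD) request was parsed AND a response generated."""
    seen = {}
    for m in _matches(INFO_RE, events):
        seen.setdefault(int(m[3]), set()).add(m[2])
    return {mid: kinds == {"request", "response"} for mid, kinds in seen.items()}

def sad_polls(events):
    """Number of kernel SAD queries per ESP SPI (charon polling SA usage between DPD exchanges)."""
    return Counter(m[1] for m in _matches(SAD_RE, events))
```

Feed it the saved IPsec log text instead of SAMPLE_LOG; an INFORMATIONAL request whose id never gets a response is the first sign that the IKE_SA itself, and not just the states across the tunnel, is in trouble.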

      • Derelict LAYER 8 Netgate
        last edited by

        Sounds like something is killing your states. Either the states for the VPN connection or the states for the connections across the tunnel.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • kiokoman LAYER 8
          last edited by

          I'm still testing whether it's all good now before I can say that it's resolved
          after what you told me I realized that sometimes I have to reload web pages and that the forum itself sometimes tells me that I lost the connection

          the first thing that came to mind that could kill the states without any apparent reason was this setting...

          Disable Gateway Monitoring Action

          for the moment the problem is not present. let's see if it continues


          • Derelict LAYER 8 Netgate
            last edited by

            Probably not. It's usually this one:

            (screenshot attached: 27cc2af4-c954-429f-a00c-4c8853373d47-image.png)


            • kiokoman LAYER 8
              last edited by

              Nope, I don't have that checked, plus I never saw my gateway down
              🤔


              • jimp Rebel Alliance Developer Netgate
                last edited by

                Either the states are being removed or you have some asymmetric routing happening that is cutting off the connection after the half-open state times out.

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.