IPsec + VTI + IKEv2 - will not auto-reconnect



  • I'm using IKEv2 because I had issues with IKEv1. IKEv2 has been working better. Today the internet went down for a bit at one end and the tunnel wouldn't come back automatically. I had to manually click "Connect VPN" in the GUI. Does anyone know what the problem might be with this?

    Settings: All default except IKEv2.
    Version: 2.4.4-p3

    # While it was down...
    # ipsec status
    Shunted Connections:
       bypasslan:  10.11.0.0/24|/0 === 10.11.0.0/24|/0 PASS
    Security Associations (0 up, 0 connecting):
      none
    
    # ipsec.log shows this over and over on both sides...
    
    Aug 29 13:54:24 gw charon: 05[KNL] received an SADB_ACQUIRE with policy id 38 but no matching policy found
    Aug 29 13:54:24 gw charon: 05[KNL] creating acquire job for policy {WANIP}/32|/0 === {WANIP}/32|/0 with reqid {0}
    Aug 29 13:54:24 gw charon: 05[CFG] trap not found, unable to acquire reqid 0
    

  • LAYER 8 Netgate

    It will not initiate until there is interesting traffic. Was there interesting traffic?



  • @Derelict if ICMP counts, then yes.

    I think there was DNS traffic as well but I didn’t actually verify that.


  • LAYER 8 Netgate

    Then it would have initiated. If it did not connect you would need to look in the IPsec logs to see why.

    You also need to be 100% sure the traffic was interesting. For instance, if you ping something across the tunnel from the firewall you have to set the source address to something in the local networks in the IPsec Phase 2.



  • @Derelict
    Well, VTI is routed, so I'm not sure what you mean by source address. Would the traffic have to be coming from the numbered VTI interface? Maybe I need to set up a cron job to ping from the VTI interface on the pfSense itself?

    These are the logs from the two sides (links below). I'm not sure what is relevant so I posted the whole thing. The internet connection was down at the manuf site from 11:40 to 12:01. After 12:01 I wasn't able to get the VPN to reconnect by itself.

    office: https://pastebin.com/2vqEF2Fp
    manuf: https://pastebin.com/jHXpAiwt
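
The cron keepalive floated in the post above, combined with the source-address point from the earlier reply and a count of the "trap not found" lines quoted in the opening post, as an added example that is not code from pfSense, strongSwan or anyone in this thread. The addresses (10.11.0.1, 10.12.0.1, 203.0.113.10, 198.51.100.20), the con1000 connection name and the status/log samples are constructed assumptions; only the `ipsec status`/`ipsec up` commands and FreeBSD `ping -S` are real tooling.

```shell
#!/bin/sh
# Added example for this thread, not code from pfSense, strongSwan or any poster.
# Cron keepalive for a pfSense VTI tunnel: if `ipsec status` shows no SA up,
# generate traffic that matches the Phase 2 policy (source address inside the
# local Phase 2 network), then fall back to `ipsec up` on the connection.
#
# Assumptions (hypothetical, not from the thread): LOCAL_SRC=10.11.0.1 is the
# firewall's address inside the 10.11.0.0/24 network seen in the bypasslan line,
# REMOTE_HOST=10.12.0.1 is a host behind the far side, CONN_NAME=con1000 is the
# strongSwan connection name; all three can be overridden from the environment.

IPSEC_BIN="${IPSEC_BIN:-/usr/local/sbin/ipsec}"
LOCAL_SRC="${LOCAL_SRC:-10.11.0.1}"
REMOTE_HOST="${REMOTE_HOST:-10.12.0.1}"
CONN_NAME="${CONN_NAME:-con1000}"

# Constructed samples of `ipsec status` output, modelled on the opening post.
SAMPLE_DOWN='Shunted Connections:
   bypasslan:  10.11.0.0/24|/0 === 10.11.0.0/24|/0 PASS
Security Associations (0 up, 0 connecting):
  none'

SAMPLE_UP='Shunted Connections:
   bypasslan:  10.11.0.0/24|/0 === 10.11.0.0/24|/0 PASS
Security Associations (1 up, 0 connecting):
   con1000[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]'

# Constructed charon log excerpt with the same shape as the lines quoted above.
SAMPLE_LOG='Aug 29 13:54:24 gw charon: 05[KNL] received an SADB_ACQUIRE with policy id 38 but no matching policy found
Aug 29 13:54:24 gw charon: 05[KNL] creating acquire job for policy 203.0.113.10/32|/0 === 203.0.113.10/32|/0 with reqid {0}
Aug 29 13:54:24 gw charon: 05[CFG] trap not found, unable to acquire reqid 0
Aug 29 13:54:29 gw charon: 06[CFG] trap not found, unable to acquire reqid 0'

# Read `ipsec status` text on stdin; print N from "Security Associations (N up, ...)".
sa_up_count() {
    awk '/^[[:space:]]*Security Associations \([0-9]+ up,/ {
            sub(/^[^(]*\(/, ""); sub(/ up,.*/, ""); print; exit
         }'
}

# Succeeds when the status text on stdin shows at least one SA up.
tunnel_is_up() {
    n=$(sa_up_count)
    [ -n "$n" ] && [ "$n" -gt 0 ]
}

# Count "trap not found, unable to acquire reqid" lines on stdin: acquires are
# firing but no trap policy is installed, which is the symptom in the first post.
acquire_failures() {
    grep -c 'trap not found, unable to acquire reqid' || true
}

# Cron entry point: check, send interesting traffic, then force the conn up.
keepalive() {
    if "$IPSEC_BIN" status | tunnel_is_up; then
        return 0
    fi
    # FreeBSD ping: -S sets the source address so the probe originates inside
    # the local Phase 2 network instead of from the WAN address.
    ping -S "$LOCAL_SRC" -c 3 -W 2000 "$REMOTE_HOST" >/dev/null 2>&1 || true
    if "$IPSEC_BIN" status | tunnel_is_up; then
        return 0
    fi
    "$IPSEC_BIN" up "$CONN_NAME"
}

# Only act when invoked as `ipsec-keepalive.sh run`; sourcing the file is inert.
if [ "${1:-}" = "run" ]; then
    keepalive
fi
```

Run it from cron on the firewall as `ipsec-keepalive.sh run` every few minutes. `ping -S` is the FreeBSD spelling (Linux uses `-I`), and the `ipsec up` fallback only works while charon still has the connection loaded, so if it fails the IPsec log is still the place to look.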

