What will it take to get IPSEC stable on here? Bounty?



  • I posted a bounty for fixing the IPSEC issues on 1.2.2 but the bounty is also good for 1.2.3.  I just need to get the VPN working as the DPD not working is causing me to have to log into the remote firewall and delete the SAs for that tunnel about 10 times per day.  Maybe others will join in to make this more of a priority since it seems there are alot of people having problems with IPSEC tunnels staying up.

    Maybe this is not a problem that can be fixed but any input will be much appreciated.  I will change the bounty to 1.2.2 or 1.2.3.  Anyone else who needs this fixed as soon as possible please join in as there is very little feedback on the 1.2.3 board for this issue or bug.

    Thanks,

    Mark



  • I really hate seeing a call for help go unanswered or at worse being ignored. I don't have anything to tell you, but being a hero member I'm sure you've already gone through and searched for a resolution and up to this point have you done a reinstall instead of an upgrade? If so, did you experience the same results? And has anyone else experienced the same results as you? And lastly, is this a point where you may feel paying for support may help resolve your problem?



  • He's already said it's worth $200 for him to get it fixed by posting a bounty, but I agree - perhaps a commercial support option may get faster results.

    Fix the VPN IPSEC Dead Peer Detection in 1.2.2 or 1.2.3 {$200}

    For $600 he can get a 5-hour support contract to get it fixed as well.

    pfSense Support Subscription

    I don't have a ton of experience with pfSense-IPSec, but in my experience I haven't had any issues like this.



  • I don't think it is a configuration issue.  I think it is something to do with the VPN functionality.  Multiple people have had problems with the same thing with no positive response or result.  I have spent more than 15 hours in testing and troubleshooting, even working with Cisco for many hours to verify the Cisco device is not the problem.  I cannot afford to spend $600 on that with what I currently have posted in bounties.  It is too bad there is no per incident or ability to buy 1 hour.  Most of my problems do not require phone support and are easily resolved searching the web or working it out on my own late at night. :-).  I just don't want to spend a bunch of money to have someone tell me it is a problem with the current ability of the vpn built into pfsense and that I need to wait for a new release.

    I am fairly certain that the issue is with the pfSense since the tunnel on the cisco is down and the tunnel on the pfsense is up and green and the vpn log shows nothing being wrong.



  • I am running the 1.2.3 snapshot which I was able to successfully create a IPSec connection to our corporate SonicWall NSA 3500.

    Current snapshot on the remote site is as follows:

    1.2.3-RC1
    built on Thu Apr 2 13:08:22 EDT 2009

    I haven't updated it to the latest snapshot in fear it might break it.  I don't think it will but until I have another box to test it with I can't try it just yet.

    Months before I finally convinced my boss to try out PfSense in production environment we were using the Symantic 360 Security Firewall at our remote offices and switched our main filewall over to Sonicwall NSA 3500.  We were having problems with IPSec as it wasn't renewing properly.  Turns out the stupid GUI wanted the renewal times in seconds NOT minutes as listed on other remote firewalls.  Soon as we discovered the opps we fixed that.

    Ever since that mess I paid more attention to the IPSec settings, especially the renewal times.

    Sometimes the simplest things that we overlook is what gives us the most grief.

    Darkk



  • I have been able to create IPSec tunnels to several different Sonicwall units.  It is a bit of a problem when they drop if they do, I either have to disable the ipsec and reenable it to get it to reconnect or I have to stop the vpn on the sonicwalls and let them reconnect a few minutes later.  They will eventually come back on their own but it's usually a few hours.

    Andy



  • Yes this is the same problem I have.  I will end up probably just buying Linksys RV042 and installing them at each customer site for VPN tunnels back to the Cisco VPN Concentrator rather than using a pfSense since the tunnels are not reliable enough to fix thenselves without human intervention.



  • Like I said in my previous post that snapshot is working fine for me.  Even when I rebooted The Sonicwall the remote PfSense site was able to re-conect via IPSec with no problems.  It's been solid ever since I've installed it.

    So could be some settings that is not working right.



  • I had the pfsense ipsec VPN working flawlessly to my 3000 series cisco at my previous job.  It was, however, a bit of a bear to make it work on the Cisco side.  It is certainly doable, as I said, mine was rock solid but the cisco config side wasn't exactly straightforward.

    nb


Locked