Netgate Discussion Forum

    After upgrading to 21.02 IPsec pfSense to SonicWall won't stay connected

    12 Posts 7 Posters 1.8k Views
jwrb18

After upgrading to 21.02 on an SG-5100 I have one IPsec VPN (pfSense to SonicWall) that connects, and I can ping across it to any device, but when I try to do anything else across it the connection times out. For a short period of time I am able to access files or directories. On both sides it shows the VPN connection is still up, but nothing can be passed until I disconnect either side and wait for it to re-establish; then I can ping again, but the same thing happens if I try to reach anything else across that VPN. I have 2 other IPsec site-to-site connections (pfSense to pfSense) that were up and working as normal before and after the upgrade. I have changed settings on the VPN, completely removed it from both sides, and am still getting the same result.

      swanctl --list-conns

      [21.02-RELEASE][admin@pfSense.coneng]/root: swanctl --list-conns
      bypass: IKEv1/2, no reauthentication, rekeying every 14400s
        local:  %any
        remote: 127.0.0.1
        local unspecified authentication:
        remote unspecified authentication:
        bypasslan: PASS, no rekeying
          local:  192.168.7.0/24|/0
          remote: 192.168.7.0/24|/0
      con2000: IKEv2, no reauthentication, rekeying every 25920s, dpd delay 10s
        local:  216.xxx.xxx.226
        remote: 208.xxx.xxx.xxx
        local pre-shared key authentication:
          id: 216.xxx.xxx.226
        remote pre-shared key authentication:
          id: 208.xxx.xxx.xxx
        con2000: TUNNEL, rekeying every 3240s, dpd action is hold
          local:  192.168.7.0/24|/0
          remote: 192.168.18.0/24|/0
      con3000: IKEv2, no reauthentication, rekeying every 25920s, dpd delay 10s
        local:  216.xxx.xxx.226
        remote: 216.xxx.xxx.227
        local pre-shared key authentication:
          id: 216.xxx.xxx.226
        remote pre-shared key authentication:
          id: 216.xxx.xxx.227
        con3000: TUNNEL, rekeying every 3240s, dpd action is hold
          local:  192.168.7.0/24|/0
          remote: 192.168.5.0/24|/0
      con1000: IKEv2, no reauthentication, rekeying every 25920s, dpd delay 10s
        local:  216.xxx.xxx.226
        remote: 216.xxx.xxx.149
        local pre-shared key authentication:
          id: 216.xxx.xxx.226
        remote pre-shared key authentication:
          id: 216.xxx.xxx.149
        con1000: TUNNEL, rekeying every 25920s, dpd action is hold
          local:  192.168.7.0/24|/0
          remote: 192.168.11.0/24|/0 192.168.15.0/24|/0
      

      swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1

      [21.02-RELEASE][admin@pfSense.coneng]/root: swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
      loaded ike secret 'ike-0'
      loaded ike secret 'ike-1'
      loaded ike secret 'ike-2'
      no authorities found, 0 unloaded
      no pools found, 0 unloaded
      loaded connection 'bypass'
      loaded connection 'con2000'
      loaded connection 'con3000'
      loaded connection 'con1000'
      successfully loaded 4 connections, 0 unloaded
      

      swanctl.conf

      # This file is automatically generated. Do not edit
      connections {
      	bypass {
      		remote_addrs = 127.0.0.1
      		children {
      			bypasslan {
      				local_ts = 192.168.7.0/24
      				remote_ts = 192.168.7.0/24
      				mode = pass
      				start_action = trap
      			}
      		}
      	}
      	con2000 {
      		fragmentation = yes
      		unique = replace
      		version = 2
      		proposals = aes128gcm128-sha256-modp2048
      		dpd_delay = 10s
      		dpd_timeout = 60s
      		rekey_time = 25920s
      		reauth_time = 0s
      		over_time = 2880s
      		rand_time = 2880s
      		encap = no
      		mobike = no
      		local_addrs = 216.xxx.xxx.226
      		remote_addrs = 208.xxx.xxx.xxx
      		pools = 
      		local {
      			id = 216.xxx.xxx.226
      			auth = psk
      		}
      		remote {
      			id = 208.xxx.xxx.xxx
      			auth = psk
      		}
      		children {
      			con2000 {
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				life_time = 3600s
      				rekey_time = 3240s
      				rand_time = 360s
      				start_action = trap
      				remote_ts = 192.168.18.0/24
      				local_ts = 192.168.7.0/24
      				esp_proposals = aes128gcm128-modp2048,aes128gcm96-modp2048,aes128gcm64-modp2048
      			}
      		}
      	}
      	con3000 {
      		fragmentation = yes
      		unique = replace
      		version = 2
      		proposals = aes128gcm128-sha256-modp2048
      		dpd_delay = 10s
      		dpd_timeout = 60s
      		rekey_time = 25920s
      		reauth_time = 0s
      		over_time = 2880s
      		rand_time = 2880s
      		encap = no
      		mobike = no
      		local_addrs = 216.xxx.xxx.226
      		remote_addrs = 216.xxx.xxx.227
      		pools = 
      		local {
      			id = 216.xxx.xxx.226
      			auth = psk
      		}
      		remote {
      			id = 216.xxx.xxx.227
      			auth = psk
      		}
      		children {
      			con3000 {
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				life_time = 3600s
      				rekey_time = 3240s
      				rand_time = 360s
      				start_action = trap
      				remote_ts = 192.168.5.0/24
      				local_ts = 192.168.7.0/24
      				esp_proposals = aes128gcm128-modp2048,aes128gcm96-modp2048,aes128gcm64-modp2048
      			}
      		}
      	}
      	con1000 {
      		fragmentation = yes
      		unique = replace
      		version = 2
      		proposals = aes128-sha256-modp2048
      		dpd_delay = 10s
      		dpd_timeout = 60s
      		rekey_time = 25920s
      		reauth_time = 0s
      		over_time = 2880s
      		rand_time = 2880s
      		encap = no
      		mobike = no
      		local_addrs = 216.xxx.xxx.226
      		remote_addrs = 216.xxx.xxx.149
      		pools = 
      		local {
      			id = 216.xxx.xxx.226
      			auth = psk
      		}
      		remote {
      			id = 216.xxx.xxx.149
      			auth = psk
      		}
      		children {
      			con1000 {
      				dpd_action = trap
      				mode = tunnel
      				policies = yes
      				life_time = 28800s
      				rekey_time = 25920s
      				rand_time = 2880s
      				start_action = trap
      				remote_ts = 192.168.11.0/24,192.168.15.0/24
      				local_ts = 192.168.7.0/24,192.168.7.0/24
      				esp_proposals = aes128gcm128-modp2048,aes128-sha256-modp2048
      			}
      		}
      	}
      }
      secrets {
      	ike-0 {
      		secret = REMOVED
      		id-0 = %any
      		id-1 = 208.xxx.xxx.xxx
      	}
      	ike-1 {
      		secret = REMOVED
      		id-0 = %any
      		id-1 = 216.xxx.xxx.227
      	}
      	ike-2 {
      		secret = REMOVED
      		id-0 = %any
      		id-1 = 216.xxx.xxx.149
      	}
      }
      
      

This is what the pfSense IPsec logs say after the ping times out and I can no longer access anything across the VPN.

      Feb 18 10:18:09	charon	75902	10[IKE] <con1000|4> nothing to initiate
      Feb 18 10:18:09	charon	75902	10[IKE] <con1000|4> activating new tasks
      Feb 18 10:18:09	charon	75902	10[ENC] <con1000|4> parsed INFORMATIONAL response 0 [ ]
      Feb 18 10:18:09	charon	75902	10[NET] <con1000|4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (80 bytes)
      Feb 18 10:18:09	charon	75902	10[NET] <con1000|4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (80 bytes)
      Feb 18 10:18:09	charon	75902	10[ENC] <con1000|4> generating INFORMATIONAL request 0 [ ]
      Feb 18 10:18:09	charon	75902	10[IKE] <con1000|4> activating IKE_DPD task
      Feb 18 10:18:09	charon	75902	10[IKE] <con1000|4> activating new tasks
      Feb 18 10:18:09	charon	75902	10[IKE] <con1000|4> queueing IKE_DPD task
      Feb 18 10:18:09	charon	75902	10[IKE] <con1000|4> sending DPD request
      

      Initial Connection Logs

      Feb 18 10:12:34	charon	75902	10[NET] <con1000|4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (480 bytes)
      Feb 18 10:12:34	charon	75902	10[ENC] <con1000|4> generating CREATE_CHILD_SA response 2 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> CHILD_SA con1000{9} state change: INSTALLING => INSTALLED
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> CHILD_SA con1000{9} established with SPIs c4bd6a2d_i 3233e6c1_o and TS 192.168.7.0/24|/0 === 192.168.15.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> SPI 0x3233e6c1, src 216.xxx.xxx.226 dst 216.xxx.xxx.149
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> adding outbound ESP SA
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> SPI 0xc4bd6a2d, src 216.xxx.xxx.149 dst 216.xxx.xxx.226
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> adding inbound ESP SA
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> using HMAC_SHA2_256_128 for integrity
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> using AES_CBC for encryption
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> CHILD_SA con1000{9} state change: CREATED => INSTALLING
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.15.0/24|/0, received: 192.168.15.0/24|/0 => match: 192.168.15.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.11.0/24|/0, received: 192.168.15.0/24|/0 => no match
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting traffic selectors for other:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting traffic selectors for us:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> configured proposals: ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> proposal matches
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting proposal:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> no acceptable ENCRYPTION_ALGORITHM found
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting proposal:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> found matching child config "con1000" with prio 10
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> candidate "con1000" with prio 5+5
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.15.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.11.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> proposing traffic selectors for other:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> proposing traffic selectors for us:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> looking for a child config for 192.168.7.0/24|/0 === 192.168.15.0/24|/0
      Feb 18 10:12:34	charon	75902	10[ENC] <con1000|4> parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
      Feb 18 10:12:34	charon	75902	10[NET] <con1000|4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (464 bytes)
      Feb 18 10:12:34	charon	75902	10[NET] <con1000|4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (224 bytes)
      Feb 18 10:12:34	charon	75902	10[ENC] <con1000|4> generating IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> CHILD_SA con1000{8} state change: INSTALLING => INSTALLED
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> CHILD_SA con1000{8} established with SPIs c80a60e4_i 7e6a6686_o and TS 192.168.7.0/24|/0 === 192.168.11.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> SPI 0x7e6a6686, src 216.xxx.xxx.226 dst 216.xxx.xxx.149
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> adding outbound ESP SA
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> SPI 0xc80a60e4, src 216.xxx.xxx.149 dst 216.xxx.xxx.226
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> adding inbound ESP SA
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> using HMAC_SHA2_256_128 for integrity
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> using AES_CBC for encryption
      Feb 18 10:12:34	charon	75902	10[CHD] <con1000|4> CHILD_SA con1000{8} state change: CREATED => INSTALLING
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.15.0/24|/0, received: 192.168.11.0/24|/0 => no match
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.11.0/24|/0, received: 192.168.11.0/24|/0 => match: 192.168.11.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting traffic selectors for other:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> config: 192.168.7.0/24|/0, received: 192.168.7.0/24|/0 => match: 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting traffic selectors for us:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> configured proposals: ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> proposal matches
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting proposal:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> no acceptable ENCRYPTION_ALGORITHM found
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selecting proposal:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> found matching child config "con1000" with prio 10
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> candidate "con1000" with prio 5+5
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.15.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.11.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> proposing traffic selectors for other:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> 192.168.7.0/24|/0
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> proposing traffic selectors for us:
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> looking for a child config for 192.168.7.0/24|/0 === 192.168.11.0/24|/0
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> maximum IKE_SA lifetime 28555s
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> scheduling rekeying in 25675s
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> IKE_SA con1000[4] state change: CONNECTING => ESTABLISHED
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> IKE_SA con1000[4] established between 216.xxx.xxx.226[216.xxx.xxx.226]...216.xxx.xxx.149[216.xxx.xxx.149]
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> successfully created shared key MAC
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> authentication of '216.xxx.xxx.226' (myself) with pre-shared key
      Feb 18 10:12:34	charon	75902	10[IKE] <con1000|4> authentication of '216.xxx.xxx.149' with pre-shared key successful
      Feb 18 10:12:34	charon	75902	10[CFG] <con1000|4> selected peer config 'con1000'
      Feb 18 10:12:34	charon	75902	10[CFG] <4> candidate "con1000", match: 1/20/3100 (me/other/ike)
      Feb 18 10:12:34	charon	75902	10[CFG] <4> looking for peer configs matching 216.xxx.xxx.226[%any]...216.xxx.xxx.149[216.xxx.xxx.149]
      Feb 18 10:12:34	charon	75902	10[IKE] <4> received 1 cert requests for an unknown ca
      Feb 18 10:12:34	charon	75902	10[IKE] <4> received cert request for unknown ca with keyid ba:2e:b5:a8:3e:13:23:d9:53:4b:5e:65:bc:e7:a3:13:5d:d0:a9:96
      Feb 18 10:12:34	charon	75902	10[ENC] <4> parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr ]
      Feb 18 10:12:34	charon	75902	10[NET] <4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (240 bytes)
      Feb 18 10:12:34	charon	75902	10[NET] <4> sending packet: from 216.xxx.xxx.226[500] to 216.xxx.xxx.149[500] (448 bytes)
      Feb 18 10:12:34	charon	75902	10[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) N(MULT_AUTH) ]
      Feb 18 10:12:34	charon	75902	10[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Feb 18 10:12:34	charon	75902	10[CFG] <4> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Feb 18 10:12:34	charon	75902	10[CFG] <4> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
      Feb 18 10:12:34	charon	75902	10[CFG] <4> proposal matches
      Feb 18 10:12:34	charon	75902	10[CFG] <4> selecting proposal:
      Feb 18 10:12:34	charon	75902	10[IKE] <4> IKE_SA (unnamed)[4] state change: CREATED => CONNECTING
      Feb 18 10:12:34	charon	75902	10[IKE] <4> 216.xxx.xxx.149 is initiating an IKE_SA
      Feb 18 10:12:34	charon	75902	10[ENC] <4> received unknown vendor ID: 2a:67:75:d0:ad:2a:a7:88:7c:33:fe:1d:68:ba:f3:08:96:6f:00:01
      Feb 18 10:12:34	charon	75902	10[CFG] <4> found matching ike config: 216.xxx.xxx.226...216.xxx.xxx.149 with prio 3100
      Feb 18 10:12:34	charon	75902	10[CFG] <4> candidate: 216.xxx.xxx.226...216.xxx.xxx.149, prio 3100
      Feb 18 10:12:34	charon	75902	10[CFG] <4> looking for an IKEv2 config for 216.xxx.xxx.226...216.xxx.xxx.149
      Feb 18 10:12:34	charon	75902	10[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V ]
      Feb 18 10:12:34	charon	75902	10[NET] <4> received packet: from 216.xxx.xxx.149[500] to 216.xxx.xxx.226[500] (444 bytes)
      

      Let me know if you see anything I can change. Thanks

jimp (Rebel Alliance Developer, Netgate)

        Usually that kind of symptom means you have some kind of MTU/MSS problem, where it's fragmenting larger packets and failing for various reasons.

I don't know why that would be different for you on 21.02, but you could check your interface MTUs and also set up MSS clamping to a sufficiently low value (e.g. 1400).

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

jwrb18 @jimp

          @jimp Thanks for the suggestion. I will check that out.

MMapplebeck @jwrb18

            @jwrb18 Any update on this? I am experiencing the same problem, and am scratching my head on it, as all my tunnels worked perfectly prior to the update. Was 1400 sufficient to help?

            I know I mentioned it in my other post, but, thanks to @jimp for the script to fix the tunnel IDs, things seem to run a lot smoother aside from this instability on my P2.

currentUsername

It's a nightmare ... Apparently the tunnel is established and remote resources are available to browse shared directories. After a few moments the ping no longer reaches the servers, Explorer freezes, applications crash. I use the Windows native VPN, IKEv2, integrated with pfSense via EAP-RADIUS. Until the pfSense update everything was fine.

heebtob

I have exactly the same problem with my pfSense after upgrading to 21.02.
I have a site-to-site IPsec to a Cisco appliance which worked for over a year without problems.
But since the upgrade it says that it's connected, but I can only work for about 1 min, then everything stops working.
Pings are not possible after that.
After a disconnect/connect it works again for about 1 min.
Really annoying because I didn't change anything in the config for months.

MMapplebeck

Same issue here, and not just to SonicWalls: it's happening to ASAs, Meraki, Juniper, WatchGuard.

pattech

                    Same issue with Azure Site-to-site (IPsec)

jimp (Rebel Alliance Developer, Netgate)

                      Have any of you tried my suggestion of enabling MSS clamping?

                      • VPN > IPsec, Advanced Settings
                      • Check Enable Maximum MSS
                      • Enter a value of 1400 in Maximum MSS

                      I'm not aware of anything specific that changed in FreeBSD or strongSwan with regard to IPsec packet fragmentation, but all the symptoms line up.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!
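Worked example for the MSS-clamping advice in this post and in jimp's earlier reply suggesting 1400: it computes how much ESP tunnel-mode encapsulation adds to an inner packet and what TCP MSS keeps a full-size segment inside a given path MTU. This is an added example, not code from the thread, pfSense or strongSwan. It assumes IPv4 inner and outer headers without options, ESP framing per RFC 4303 (AES-CBC) and RFC 4106 (AES-GCM) with the IV, alignment and ICV sizes in the CIPHERS table, that NAT-T adds an 8-byte UDP header, and that the Maximum MSS value in pfSense is applied as a plain TCP MSS clamp; the cipher names are the esp_proposals strings from the swanctl.conf posted above.

```python
"""ESP tunnel-mode overhead and TCP MSS clamp calculator (added example).

Assumptions (not from the thread): IPv4 inner and outer headers of 20 bytes,
ESP framing per RFC 4303 (CBC) and RFC 4106 (GCM), NAT-T adds a UDP header.
Cipher names follow the esp_proposals strings in the posted swanctl.conf.
"""

IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8          # only present with NAT-T (UDP/4500) encapsulation
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)

# proposal name -> (IV length, padding alignment, ICV length), all in bytes
CIPHERS = {
    "aes128-sha256": (16, 16, 16),  # AES-CBC: 16-byte IV, 16-byte blocks, HMAC-SHA2-256-128 ICV
    "aes128gcm128": (8, 4, 16),     # AES-GCM: 8-byte IV, 4-byte alignment, 16-byte ICV
    "aes128gcm96": (8, 4, 12),
    "aes128gcm64": (8, 4, 8),
}


def esp_packet_size(inner_len, cipher, nat_t=False):
    """Size of the outer IPv4 datagram carrying an inner packet of inner_len bytes."""
    iv_len, align, icv_len = CIPHERS[cipher]
    # Pad so that payload + trailer ends on a cipher block (CBC) or 4-byte word (GCM).
    pad = (-(inner_len + ESP_TRAILER)) % align
    size = IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    return size + UDP_HDR if nat_t else size


def fits(mss, path_mtu, cipher, nat_t=False):
    """True if a full-size TCP segment with this MSS crosses the path unfragmented."""
    return esp_packet_size(mss + IPV4_HDR + TCP_HDR, cipher, nat_t) <= path_mtu


def safe_mss(path_mtu, cipher, nat_t=False):
    """Largest MSS whose full-size segments still fit in path_mtu after ESP encapsulation."""
    # Padding makes the outer size step in blocks, so walk down until it fits.
    for mss in range(path_mtu - IPV4_HDR - TCP_HDR, 0, -1):
        if fits(mss, path_mtu, cipher, nat_t):
            return mss
    raise ValueError("path MTU too small for this encapsulation")


def report(path_mtu=1500, clamp=1400):
    """(cipher, nat_t, exact-fit MSS, does `clamp` fit) for every proposal, with and without NAT-T."""
    rows = []
    for cipher in CIPHERS:
        for nat_t in (False, True):
            rows.append((cipher, nat_t, safe_mss(path_mtu, cipher, nat_t),
                         fits(clamp, path_mtu, cipher, nat_t)))
    return rows


if __name__ == "__main__":
    for cipher, nat_t, mss, ok in report():
        print(f"{cipher:14} NAT-T={str(nat_t):5} exact-fit MSS={mss}  MSS 1400 fits={ok}")
```

The input this needs is the real path MTU between the two endpoints (1500 on plain Ethernet, lower on PPPoE or behind other tunnels); measure it rather than assume it. With that in hand the numbers explain the symptom in the thread: a default ping is a few dozen bytes and always fits, while a full TCP segment lands right at the boundary. For AES-GCM on a 1500-byte path the exact fit is 1406, so 1400 leaves room; for AES-CBC with HMAC-SHA256 (what con1000 negotiated in the log above) the exact fit is 1398, so a 1400-byte MSS still produces an outer packet 16 bytes over the MTU once CBC padding is added, and NAT-T takes a further 8 bytes off every figure.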

MMapplebeck @jimp

                        @jimp

                        I have tried the following, all with no success:

                        • My MSS clamping is set to 1400
                        • Hardware crypto disabled
                        • Pulled ALL config out and manually re-entered everything
• I have tunnels terminating on a variety of vendor devices, not just SonicWall: there are Meraki MX units, WatchGuard, Cisco ASA, Juniper. I also have a set of 3 SG-1100 whose IPsec tunnels exploded; I just moved them to S2S WireGuard
                        • More details here: https://forum.netgate.com/topic/161109/ipsec-p2-stability-problems-with-20-02/
jimp (Rebel Alliance Developer, Netgate)

                          When looking into all this, first apply all of the current IPsec changes:

                          • ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
                          • 57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
                          • 10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
                          • ded7970ba57a99767e08243103e55d8a58edfc35 #11486
                          • afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
                          • 2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488

                          After that, edit/save/apply an IPsec tunnel, then stop and start (not restart) the IPsec daemon, or reboot instead.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

odric @MMapplebeck

                            @mmapplebeck Hello.
                            Have you solved the reconnection issue?
I have updated pfSense to version 2.5.2. I have checked and confirmed all data from site A to site B. I have reduced the time to reconnect and that alleviates some trouble but does not fix it. I have also enabled and set MSS to 1400.
Every day one of my tunnels is blocked. It doesn't seem to renegotiate the connection well. After terminating one of the Phase 1 zombie connections, the communication is reset.
Also, another tunnel connection fails from time to time and I have to disable it for any of the Phase 2s to work again.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.