IPSec Phase 2 - "Automatically ping host" not working?
-
Hi,
In the 2.4.x series I could see ping packets (counted) in the IPSec Status overview. With 2.5.2 RC I don't see the phase 2 packet counter increasing... Does the "Automatically ping host" feature not work any more?
If it's so, we have a problem, because for one tunnel we have to initiate the tunnel to the remote site so they can send us data...
Any ideas how to look into it? What processes should be running, etc.?
Kind regards
-
Found the minicron job for the pings; it seems to be executed only every 4 minutes (240 sec), which explains why the counter is not going up all the time...
This also explains why the P2s are coming up one after another...
Is there a reason why this is all solved the way it is?
-
It's not ideal but to do it more often generally isn't desirable for a number of reasons (people with metered lines, periodic pings add up).
There is a new P1 option for Child SA Start Action which you can set to Initiate at start, and then in the Child SA Close Action you can set Restart/Reconnect. At that point from your side it should always initiate the P2 and keep it going.
-
Top, this will help!
Another thing I just noticed: I have double P2s under IPSec Status, with a negative Rekey value:
Rekey: -107 seconds (-)
Life: 366 seconds (00:06:06)
Install: 3234 seconds (00:53:54)
Is this okay?
-
Now I even have two P2s for the same local subnet, with both having only positive values... I think I have never seen this under 2.4.x...
-
You may need to change your lifetime values to make sure both sides are not attempting to renegotiate at the same time.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/ipsec-duplicate-sa.html
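The status lines quoted above (Rekey, Life, Install) are the GUI's rendering of the per-CHILD_SA timers that strongSwan's swanctl reports. As an added example, not code from this thread or from Netgate, here is a small parser that reads text in the style of `swanctl --list-sas`, groups installed CHILD_SAs by connection and traffic-selector pair, and reports (a) selector pairs that have more than one installed SA and (b) SAs whose rekey deadline has already passed. The sample block is constructed, and the exact field layout it assumes is modelled on swanctl's output rather than captured from any real system.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `swanctl --list-sas` (layout is an assumption,
# not captured from the poster's system). Two CHILD_SAs cover the same selector pair:
# #41 is past its rekey time (-107s) while #42 was installed 12s ago with no traffic.
SAMPLE = """\
con1000: #12, ESTABLISHED, IKEv2, 0a1b2c3d4e5f6071_i* 1122334455667788_r
  local  'peer-a.example' @ 203.0.113.10[500]
  remote 'peer-b.example' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 3300s ago, rekeying in 1200s
  con1000: #41, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 3234s ago, rekeying in -107s, expires in 366s
    in  c9d8e7f6,   10240 bytes,     80 packets,     3s ago
    out c1a2b3c4,    8192 bytes,     64 packets,     3s ago
    10.10.0.0/24 === 10.20.0.0/24
  con1000: #42, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 12s ago, rekeying in 3001s, expires in 3588s
    in  c5f6a7b8,       0 bytes,      0 packets
    out cd9e8f7a,       0 bytes,      0 packets
    10.10.0.0/24 === 10.20.0.0/24
  con1000: #43, reqid 2, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 3100s ago, rekeying in 300s, expires in 660s
    in  c1111111,    4096 bytes,     32 packets,    10s ago
    out c2222222,    4096 bytes,     32 packets,    10s ago
    10.10.1.0/24 === 10.20.1.0/24
"""

# A CHILD_SA header is indented and carries a reqid; the IKE_SA header at column 0 does not match.
CHILD_HDR = re.compile(r"^\s+(?P<conn>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>\w+)")
TIMING = re.compile(
    r"installed (?P<installed>\d+)s ago, rekeying in (?P<rekey>-?\d+)s, expires in (?P<expires>\d+)s"
)
SELECTORS = re.compile(r"^\s+(?P<local>[\d./]+) === (?P<remote>[\d./]+)\s*$")


def parse_child_sas(text):
    """Return one dict per CHILD_SA with its state, timers and traffic selectors."""
    sas = []
    cur = None
    for line in text.splitlines():
        m = CHILD_HDR.match(line)
        if m:
            cur = {"conn": m["conn"], "id": int(m["id"]),
                   "reqid": int(m["reqid"]), "state": m["state"]}
            sas.append(cur)
            continue
        if cur is None:  # still inside the IKE_SA header block
            continue
        m = TIMING.search(line)
        if m:
            cur.update({k: int(v) for k, v in m.groupdict().items()})
            continue
        m = SELECTORS.match(line)
        if m:
            cur["local"], cur["remote"] = m["local"], m["remote"]
    return sas


def find_duplicates(sas):
    """Map (conn, local, remote) -> list of SA ids, keeping only pairs with more than one installed SA."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("state") == "INSTALLED" and "local" in sa:
            groups[(sa["conn"], sa["local"], sa["remote"])].append(sa["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def overdue_rekeys(sas):
    """Ids of CHILD_SAs whose 'rekeying in' value is negative, i.e. the rekey deadline has passed."""
    return [sa["id"] for sa in sas if sa.get("rekey", 0) < 0]


if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE)
    for (conn, local, remote), ids in find_duplicates(sas).items():
        print(f"{conn}: {local} === {remote} has {len(ids)} installed SAs: {ids}")
    for sa_id in overdue_rekeys(sas):
        print(f"CHILD_SA #{sa_id} is past its rekey deadline")
```

On a pfSense 2.5 box the real input would come from `swanctl --list-sas` run on the firewall; if the output layout differs from the assumed sample, adjust the three regular expressions. A selector pair with one SA past its rekey deadline next to a freshly installed SA carrying no packets is the pattern the linked Netgate article describes, and the fix belongs in the lifetime and rekey settings on both peers rather than in the parser.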
-
Thanks for the hint!
But is there a problem with the 2.5 Peer B example:
"Reauth Time
Blank (disabled) to disable reauthentication. If the peer requires IKEv1 or only supports IKEv2 reauthentication, set this as mentioned in Rekey Time above and also enable Make Before Break on the Advanced Settings tab."
Blank means 90% of Life Time, not disabled. What is right: "0" to disable, or the 90% Life Time on Peer B?
-
The GUI behavior changed slightly since that doc was made, so follow what it says in the GUI for the version you are running.
-
@jimp said in IPSec Phase 2 - "Automatically ping host" not working?:
It's not ideal but to do it more often generally isn't desirable for a number of reasons (people with metered lines, periodic pings add up).
There is a new P1 option for Child SA Start Action which you can set to Initiate at start, and then in the Child SA Close Action you can set Restart/Reconnect. At that point from your side it should always initiate the P2 and keep it going.
Hi,
we have a primary and secondary node. After these settings, it seems that the secondary tries to do something when it is not CARP Master... Or am I mistaken... I could not find the logs again...
IPsec is running on a Gateway Group with VIP addresses. Up to now (I thought) IPsec only did something when it is Master. So are these settings really safe to use with primary/secondary and Gateway Groups with VIPs?
-
we have a primary and secondary node. After these settings, it seems that the secondary tries to do something when it is not CARP Master... Or am I mistaken... I could not find the logs again...
"Initiate at start" would not be compatible with an HA setup. In that case you'd probably want to force the HA side to be responder only.
There is an issue open which may help here, the changes in https://redmine.pfsense.org/issues/12075 coming in the next release will automatically set the node in CARP BACKUP status to responder only no matter what the GUI is set to, which will work around that. When the CARP VIP transitions it will get switched back.