IPSec tunnels crashing, unable to see status 2.5.2
-
Hey,
Our deployment consists of multiple sites, with IPsec tunnels between them.
Today, when I got back to work, one of the tunnels had crashed, and I am unable to start it again. It seems to have crashed some of the other IPsec tunnels that we have, and even when I disable the tunnel, it keeps generating log entries!
The log entries:
Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
Nov 29 13:13:28 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}
So, when disabling the tunnel to y.y.y.y on x.x.x.x, these log entries still keep coming up...
Config is:
P1
IKEv1
Mutual PSK
Neg mode: Aggressive
Encryption Algorithm: AES 256 bit SHA1 DH 14(2048 Bit)
NAT traversal: Auto
13 P2s
I am also unable to load the status in IPsec; it's stuck in "Collecting IPsec status information.".
After a restart of the machine, the other tunnels that crashed due to this worked for a little while.
-
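The repeated `[KNL] creating acquire job` lines quoted above are the kernel asking charon to bring up a child SA for a policy that is still installed even though the tunnel has been disabled. As an added example (not from the original post or from pfSense), the script below parses charon log lines in that format and flags a policy/reqid that keeps generating acquire jobs within a short window, so an operator can spot a looping tunnel from the log instead of the stuck status page. The healthy fourth sample line and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the charon "[KNL] creating acquire job" lines quoted in the post.
ACQUIRE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon\[\d+\]: \d+\[KNL\] "
    r"creating acquire job for policy (?P<src>\S+) === (?P<dst>\S+) "
    r"with reqid \{(?P<reqid>\d+)\}"
)

# Constructed sample: the three lines from the post plus one single acquire
# for a different, healthy tunnel (reqid 9) that should not be flagged.
SAMPLE_LINES = [
    "Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}",
    "Nov 29 13:13:22 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}",
    "Nov 29 13:13:28 pfsense charon[68819]: 03[KNL] creating acquire job for policy x.x.x.x/32|/0 === y.y.y.y/32|/0 with reqid {8}",
    "Nov 29 13:14:01 pfsense charon[68819]: 05[KNL] creating acquire job for policy 10.0.0.0/24|/0 === 10.0.1.0/24|/0 with reqid {9}",
]

def parse_acquire_jobs(lines, year=2021):
    """Return (timestamp, policy, reqid) for each acquire-job line; syslog lines
    carry no year, so the caller supplies one (2021 assumed here)."""
    jobs = []
    for line in lines:
        m = ACQUIRE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        jobs.append((ts, f"{m['src']} === {m['dst']}", int(m["reqid"])))
    return jobs

def find_looping_policies(lines, threshold=3, window_seconds=60, year=2021):
    """Map (policy, reqid) -> total acquire count for policies that produced at
    least `threshold` acquire jobs inside `window_seconds`. Repeated acquires with
    no SA ever coming up mean the kernel policy is still installed for a tunnel
    that is disabled or cannot negotiate, which is the symptom in the post."""
    by_policy = defaultdict(list)
    for ts, policy, reqid in parse_acquire_jobs(lines, year):
        by_policy[(policy, reqid)].append(ts)
    flagged = {}
    for key, stamps in by_policy.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged[key] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for (policy, reqid), count in find_looping_policies(SAMPLE_LINES).items():
        print(f"looping acquire: reqid {reqid} policy {policy} ({count} jobs)")
```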
There are numerous problems with IPsec status on 2.5.2 which have already been fixed on 2.6.0, including issues displaying tunnel status and starting/stopping specific tunnels.
-
Thanks for the response. Are there any fixes that I can apply for the moment? We're experiencing problems due to this issue.
-
No, the changes were too drastic to patch in bit by bit.
There would be less risk in upgrading to a 2.6.0 snapshot at the moment than you'd have trying to backport the code changes. 2.6.0 is pretty stable at the moment.
-
Hey,
This issue is now solved.
What we did was:
- Re-install pfSense on y.y.y.y
- Restore configuration on y.y.y.y
- Change protocols from IKEv1 to IKEv2 and P1 Hash from SHA1 to SHA256 on x.x.x.x and y.y.y.y
- Change Child SA Close Action from Default to Restart/Reconnect on x.x.x.x and y.y.y.y
- Changed NAT Traversal from Force to Auto on y.y.y.y (Was already set to Auto on x.x.x.x)
- Enabled Dead Peer Detection on both x.x.x.x and y.y.y.y
See my previous post, from the logs, to determine which host is x.x.x.x and which is y.y.y.y.
-
Also this:
- Disabled "MOBIKE" on y.y.y.y (This feature was only enabled on y.y.y.y)