Netgate Discussion Forum

    IPsec Keep Alive Confusion

    planedrop:

      Hoping to get some clarity over here, and this really might just be my brain not working right, but I'm not quite understanding how to get keep alive going correctly within pfSense over an IPsec VPN.

      I know the Netgate Docs have info on this, but for some reason it's not clicking with me, specifically this last part: "For this feature to work, the firewall must have an IP address assigned inside the Local Network. Otherwise it cannot generate the necessary traffic to bring up the tunnel."

      By local network I'm assuming they are meaning the local network of the IPsec VPN Phase 2 connection, as in LAN if it were on a LAN network (and by default most "Local Networks" should have an IP in them that is pfSense).

      But it mentions nothing about firewall rules. Do rules need to be set up to allow this, or is it somehow bypassing those?

      I'm not new to firewalls or IPsec, so it's just something about this that is throwing me way off and I'm not quite sure why lol; any help would be greatly appreciated. Just saying it in a different way might work.

      jimp (Rebel Alliance Developer, Netgate), replying to @planedrop:

        @planedrop said in IPsec Keep Alive Confusion:

        By local network I'm assuming they are meaning the local network of the IPsec VPN Phase 2 connection, as in LAN if it were on a LAN network (and by default most "Local Networks" should have an IP in them that is pfSense).

        That is correct.

        But it mentions nothing about firewall rules. Do rules need to be set up to allow this, or is it somehow bypassing those?

        https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/keep-alive.html

        It does not have to reply or even exist, simply triggering traffic destined to that network periodically will keep the IPsec connection up and running.

        No need for firewall rules because it's internal to the firewall. The far side doesn't have to allow it. All that matters is that a packet from the local P2 network attempts to reach the remote P2 network. Once the kernel sees that packet, the trap policy kicks in and IPsec attempts to initiate.

        On the upcoming 22.01 and 2.6.0 release there is a new keep alive option that just checks if it's up/down and initiates if it's down. It's more flexible in that it doesn't require matching networks to be on the firewall, and doesn't rely on trap policies so it can work with both VTI and tunnel mode.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        planedrop, replying to @jimp:
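        The requirement jimp confirms above (the firewall needs an address inside the Phase 2 local network, and the probe must target a host inside the remote Phase 2 network, or no packet ever matches the trap policy) can be checked before enabling keep alive. The following is an added example, not pfSense's own keep-alive code; the interface addresses and networks are constructed sample values, and the ping form assumes FreeBSD's `ping -S` source-address option.

```python
"""Pre-flight check for the pfSense IPsec keep-alive requirement discussed in
the thread: traffic only triggers the trap policy when it is sourced from an
address inside the P2 local network and destined to the P2 remote network.
Added example, not pfSense code. Sample addresses below are constructed."""
import ipaddress
import shlex

# Constructed sample: addresses configured on the firewall's own interfaces.
FIREWALL_ADDRESSES = ["203.0.113.10/24", "10.10.0.1/24", "192.168.50.1/24"]


def keepalive_source(local_net, fw_addresses):
    """Return the firewall address that sits inside the P2 local network,
    or None when there is none (the case the Netgate docs warn about)."""
    net = ipaddress.ip_network(local_net, strict=False)
    for addr in fw_addresses:
        ip = ipaddress.ip_interface(addr).ip
        if ip in net:
            return str(ip)
    return None


def keepalive_command(local_net, remote_net, remote_host, fw_addresses):
    """Build the probe that generates keep-alive traffic: sourced from the
    in-network firewall address, destined to a host in the remote P2 network.
    Returns None when the configuration cannot produce a matching packet.
    The remote host does not have to reply or even exist; only the attempt
    from local P2 network to remote P2 network matters."""
    src = keepalive_source(local_net, fw_addresses)
    if src is None:
        return None  # no in-network source: keep alive cannot work
    target = ipaddress.ip_address(remote_host)
    if target not in ipaddress.ip_network(remote_net, strict=False):
        return None  # probe would not match the P2 trap policy
    # Assumed FreeBSD ping syntax: -S picks the source address, -c 1 one probe.
    return "ping -S {} -c 1 {}".format(shlex.quote(src), shlex.quote(str(target)))
```

No firewall rule is involved here, which matches the answer above: the packet is generated on the firewall itself and only needs to be seen by the kernel's IPsec policy.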

          @jimp OK cool, this helps me out a ton, thank you very much; it makes a lot more sense now.

          To be clear:

          No need for firewall rules because it's internal to the firewall. The far side doesn't have to allow it.

          By this you mean no local rules either, since it's initiated internally on the firewall? I.e. no LAN rule is needed to allow the firewall's IP to the IPsec VPN? (I definitely get that the remote doesn't need to have any rules or respond.)

          I have an IPsec tunnel that seems to be having issues periodically. It always shows as up though, and keep alive is enabled and set up correctly according to this, so it must be something else (it's the only VPN I'm having issues with and we have many, so I think it's a config issue on the remote side).

          Really appreciate the help here!

          jimp (Rebel Alliance Developer, Netgate), replying to @planedrop:

            @planedrop said in IPsec Keep Alive Confusion:

            By this you mean no local rules either, since it's initiated internally on the firewall? I.e. no LAN rule is needed to allow the firewall's IP to the IPsec VPN? (I definitely get that the remote doesn't need to have any rules or respond.)

            Correct.

            I have an IPsec tunnel that seems to be having issues periodically. It always shows as up though, and keep alive is enabled and set up correctly according to this, so it must be something else (it's the only VPN I'm having issues with and we have many, so I think it's a config issue on the remote side).

            If it shows as 'up' but doesn't pass traffic then it could be something on the remote, or perhaps DPD isn't working correctly to where it can't detect that it's actually down and needs to renegotiate.

            planedrop, replying to @jimp:

              @jimp Thanks for the help here, it makes a lot more sense now, really appreciate it! I'm sure keep alive is working then, so it must be DPD or the endpoint.
