IPSec Tunnel Drops?



  • I've been looking into replacing our horrible Watchguard and Linksys equipment with something better.  So I have been testing a pfSense setup in VMware.  It's set up to mock our current network structure.

    The head office has a static IP DSL line.  Our remote offices all have dynamic IP, PPPoE DSL lines.  (Head office has the Watchguard, remotes have Linksys boxes.)

    I followed the tutorial for setting up tunnels with one end of them dynamic.  Everything seems to work fine, however….

    Despite setting the keep-alive value to the head office pfSense IP, the tunnel still goes down if there is no traffic for over a minute.  When the keep-alive ping interval is reached (5 mins?), the tunnel is brought back up to send the ping, only to go back down a minute later if no traffic.

    I would prefer if the tunnel would just stay up all the time and never go down, even if there is no traffic.  The delay in bringing up the tunnel causes problems with the application we use over the VPN.  Is there any way to do this?

    Another problem we run into is that our current hardware doesn't re-negotiate the connection when the IP address changes.  We have gotten around this somewhat by setting the key lifetimes to the same length as the ISP's DHCP lease time.  Even then we will still have to manually re-negotiate the connection sometimes.  A lot of VPN hardware we have tried has this same problem!  Does pfSense have the same issue?



  • Set up your main office to use main mode. Set your remote offices with the PPPoE DSL to aggressive mode. Set up the keep-alive on the remote offices. Set whatever is doing the PPPoE to never time out. This should help, but may not completely fix it. I've had to set up a continuous ping across the VPN from inside the PPPoE DSL to keep IPsec VPNs up. The real fix is to get static IPs with no PPPoE. I've also had problems with residential routers such as the Linksys not re-attaching to the PPPoE when the ISP drops it after only around a minute of inactivity.



  • Your lifetimes are too short (shorter than the time between keep-alive pings). I have this setup with several dynamic ends connecting to a main office without issues. Also re-establishing after an IP change of a dynamic end is no problem. This setup has been running for about 3-4 months now without issues. Try to set the "prefer old ipsec-sa" option at System > Advanced and raise your lifetimes.



  • I currently have the key lifetimes set at 3600 seconds (1 hour) on both pfSense VMs…  Even so, it still drops the VPN connection after a minute without activity.  Even with keep-alive set to ping the main office pfSense.  The VPN will come up to send the "keep-alive" ping and then go back down 60 seconds later unless there is some other activity.  60 seconds after activity stops, so does the VPN.

    Currently the only way I see around that is to have something on the dynamic end ping the static pfSense about every 30 seconds!!

    All I want it to do is stop dropping the tunnel completely.  Traffic or not it should stay up as long as the ISP isn't down.

    Our current Watchguard and Linksys hardware have a keep-alive option, and with it enabled the only time the connection ever drops by itself is when the key lifetimes run out; it is immediately re-established, traffic or not.  Of course I still have the problem with the tunnel NOT fixing itself when the IP address lease runs out.

    @hoba:

    Your lifetimes are too short (shorter than the time between keep-alive pings). I have this setup with several dynamic ends connecting to a main office without issues. Also re-establishing after an IP change of a dynamic end is no problem. This setup has been running for about 3-4 months now without issues. Try to set the "prefer old ipsec-sa" option at System > Advanced and raise your lifetimes.
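The "continuous ping across the VPN" workaround from the second reply and the "ping the static pfSense every 30 seconds" idea above, written out as a small watchdog for a LAN host behind the dynamic-IP end. This is an added example, not code from pfSense or from anyone in this thread; the peer address, interface name, interval, lifetime and the renegotiation hook are placeholders set via environment variables, and the decision logic is kept in pure functions so it can be checked without a network.

```shell
#!/bin/sh
# Keepalive watchdog for the dynamic-IP end of an IPsec tunnel (added example, placeholders throughout).
PEER_LAN_IP="${PEER_LAN_IP:-192.0.2.1}"   # head-office pfSense LAN address reached through the tunnel (placeholder)
WAN_IF="${WAN_IF:-pppoe0}"                # PPPoE interface whose address the ISP changes (placeholder)
INTERVAL="${INTERVAL:-30}"                # seconds between probes: the "ping every 30 seconds" workaround
P2_LIFETIME="${P2_LIFETIME:-3600}"        # configured phase 2 lifetime, used only for the sanity check
RENEG_CMD="${RENEG_CMD:-:}"               # hook that restarts the tunnel after an address change; ':' = log only
STATE_FILE="${STATE_FILE:-/tmp/ipsec_keepalive.state}"

# First IPv4 address in ifconfig output; handles both "inet A.B.C.D" and the older "inet addr:A.B.C.D".
parse_inet() { printf '%s\n' "$1" | awk '/inet /{sub("addr:","",$2); print $2; exit}'; }

wan_ip() { parse_inet "$(ifconfig "$WAN_IF" 2>/dev/null)"; }

# The probe interval must sit well inside the SA lifetime, or the tunnel can expire between two probes.
check_interval() { [ "$1" -gt 0 ] && [ $(( $1 * 2 )) -lt "$2" ]; }

# One ICMP probe across the tunnel; a reply means the SA is up, and the probe itself keeps it from idling out.
probe() { if ping -c 1 "$PEER_LAN_IP" >/dev/null 2>&1; then echo up; else echo down; fi; }

# Pure decision logic:
#   up/*         -> ok           tunnel carries traffic, nothing to do
#   down/changed -> renegotiate  lease renewal gave a new address; the peer still holds the old SA
#   down/same    -> retry        idle drop or ISP outage; the next probe brings the tunnel back up
decide_action() {
  case "$1/$2" in
    up/*) echo ok ;;
    down/changed) echo renegotiate ;;
    *) echo retry ;;
  esac
}

watchdog() {
  check_interval "$INTERVAL" "$P2_LIFETIME" || { echo "INTERVAL $INTERVAL too close to lifetime $P2_LIFETIME" >&2; return 1; }
  prev="$(cat "$STATE_FILE" 2>/dev/null)"
  while :; do
    cur="$(wan_ip)"
    if [ "$cur" = "$prev" ]; then chg=same; else chg=changed; fi
    act="$(decide_action "$(probe)" "$chg")"
    echo "$(date '+%F %T') wan=$cur action=$act" >> "${STATE_FILE}.log"   # log lets you correlate drops with lease renewals
    if [ "$act" = renegotiate ]; then $RENEG_CMD; fi
    printf '%s\n' "$cur" > "$STATE_FILE"; prev="$cur"
    sleep "$INTERVAL"
  done
}

# Only loop when explicitly asked, so the file can also be sourced for its helper functions.
if [ "${KEEPALIVE_RUN:-0}" = 1 ]; then watchdog; fi
```

Start it with `KEEPALIVE_RUN=1 PEER_LAN_IP=<head office LAN IP> sh keepalive.sh &`; the log shows whether the tunnel was down at a probe and whether the WAN address had changed at the same time.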



  • Works fine for me. I would blame the problem on running in VMware, maybe. I actually configured a multi-site (9 sites with dynamic IPs) to head office (static IP) setup today where all sites are connected through the main office (traffic from site A to site B runs through the tunnels via the main office; sites A and B don't share a tunnel). While I set this up the LANs of the firewalls were not connected, but the tunnels were established automatically and stayed up. I even rebooted the main office and the other machines dropped in within a few minutes. After 5 minutes the last machine joined again and everything was up and stayed up. I also have a similar setup that has been running for months where I have VoIP running through the tunnels. No issues. Please try this with some real machines.

