IPsec renewal



  • Since the issue with the IPsec renewal not always happening correctly and throwing up the quick mode error, it seems as though when I have a Draytek router connecting to the firewall, on key regeneration there is a problem where data doesn't seem to go between the two systems. Once the tunnel has been dropped and recreated it works again. This is normally after 36 hours.

    I am going to run some more tests but I thought I would report this.


  • Rebel Alliance Developer Netgate

    What version exactly?

    If you have 1.2.3-RC3 as of the past few days, that should work. It works fine for me. I watched a tunnel drop and reestablish a few times today actually due to some Verizon routing issues.



  • Mine is 1.2.3-RC3 14/09, so I will run another update and test.



  • I have updated the firewall to the build on the 24th, and with the Draytek routers, on tunnel rebuild after a drop I only get data coming from the Draytek and not back from the pfSense box.

    Before the update I got the quick mode errors. I can see multiple SAD rules for the same tunnel, so I'm not sure what the problem is here.

    Just as a note, I do get this in the logs:

    racoon: INFO: unsupported PF_KEY message REGISTER

    After dropping the tunnel for about 3 mins it works again, and I have the DPD Interval set to 120. Should I reduce this?


  • Rebel Alliance Developer Netgate

    You may want to set that much lower, something more like 20 or 30 seconds, and then test it again.



  • I have set it to 20, so we will have to see what happens. Out of interest though, does it detect one-way communication?



  • One of our developers has 400 Drayteks connected to pfSense via IPsec, using the same ipsec-tools as is in all the snapshots you have, and they work fine so it's definitely not an issue there. Sounds like maybe you have a lifetime mismatch, or DPD not enabled on both sides, or some other config issue.



  • Lifetimes are the same, I always make sure of this. I am not sure what the DPD intervals are on the Drayteks, but this never used to be a problem until 1.2.3, although on 1.2 the tunnels didn't rebuild at all.



  • Sweet, setting the DPD to 20 seems to have fixed it, so I will let you know if the problem comes back. Thanks.



  • Shamefully it hasn't fixed it. I have noticed loads of tunnels for the same thing though.

    87.83.24.114   86.54.251.XX   ESP  d122cb5e  aes-cbc  hmac-sha1
    87.83.24.114   86.54.251.XX   ESP  d122cb58  aes-cbc  hmac-sha1
    86.54.251.XX1  87.83.24.XX    ESP  0e42e5f2  aes-cbc  hmac-sha1
    86.54.251.XX1  87.83.24.XX    ESP  019b2195  aes-cbc  hmac-sha1
    86.54.251.XX1  87.83.24.XX    ESP  05f7e2e1  aes-cbc  hmac-sha1
    86.54.251.XX1  87.83.24.XX    ESP  016d002b  aes-cbc  hmac-sha1
    86.54.251.XX1  87.83.24.XX    ESP  0dcfda6a  aes-cbc  hmac-sha1
    86.54.251.XX1  87.83.24.XX    ESP  0295d20c  aes-cbc  hmac-sha1
    86.54.251.XX   87.83.24.XX    ESP  0b619838  aes-cbc  hmac-sha1
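An added example (not from the thread, not pfSense or ipsec-tools code) that takes a SAD listing shaped like the one above and reports directions holding more SAs than a clean rekey leaves behind, plus peer pairs whose SA counts differ by direction, which is the "multiple SAD rules for the same tunnel" symptom. Addresses and SPIs in the sample are constructed.

```python
"""Spot stale or lopsided IPsec SAs in a SAD listing like the one quoted above."""
from collections import Counter, defaultdict

# Constructed sample shaped like the thread's listing (<src> <dst> <proto> <spi> <enc> <auth>).
# Addresses are RFC 5737 documentation ranges and the SPIs are made up.
SAMPLE_SAD = """\
192.0.2.10    198.51.100.7  ESP  d122cb5e  aes-cbc  hmac-sha1
192.0.2.10    198.51.100.7  ESP  d122cb58  aes-cbc  hmac-sha1
198.51.100.7  192.0.2.10    ESP  0e42e5f2  aes-cbc  hmac-sha1
198.51.100.7  192.0.2.10    ESP  019b2195  aes-cbc  hmac-sha1
198.51.100.7  192.0.2.10    ESP  05f7e2e1  aes-cbc  hmac-sha1
198.51.100.7  192.0.2.10    ESP  016d002b  aes-cbc  hmac-sha1
"""

def parse_sad(text):
    """Return (src, dst, proto, spi) tuples; blank or short lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src, dst, proto, spi = fields[:4]
        entries.append((src, dst, proto.upper(), spi.lower()))
    return entries

def stale_sa_report(text, max_per_direction=2):
    """Map (src, dst, proto) -> SPI list for directions holding more SAs than expected.

    During a clean rekey the old and new SA briefly coexist, so two per direction
    is normal; more than that means old SAs were never torn down.
    """
    by_dir = defaultdict(list)
    for src, dst, proto, spi in parse_sad(text):
        by_dir[(src, dst, proto)].append(spi)
    return {k: v for k, v in by_dir.items() if len(v) > max_per_direction}

def direction_imbalance(text):
    """Return [((a, b), n_ab, n_ba)] for peer pairs whose SA counts differ by direction."""
    counts = Counter((src, dst) for src, dst, _, _ in parse_sad(text))
    out, done = [], set()
    for (a, b), n_ab in counts.items():
        if (a, b) in done:
            continue
        done.update({(a, b), (b, a)})
        n_ba = counts.get((b, a), 0)
        if n_ab != n_ba:
            out.append(((a, b), n_ab, n_ba))
    return out
```

Feed it the output of the SAD dump your platform provides (setkey -D on ipsec-tools) after a rekey and again after the tunnel is dropped; a direction that only shrinks after the drop is the one leaking SAs.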

