IPsec renewal
-
Since the problem with the IPsec renewal not always happening correctly and throwing up the quick mode error, it seems as though when I have a Draytek router connecting to the firewall, on key regen there is a problem where data doesn't seem to go between the two systems. Once the tunnel has been dropped and recreated it works again. This is normally after 36 hours.
I am going to run some more tests but I thought I would report this.
-
What version exactly?
If you have 1.2.3-RC3 as of the past few days, that should work. It works fine for me. I watched a tunnel drop and reestablish a few times today actually due to some Verizon routing issues.
-
Mine is 1.2.3-RC3 14/09 so I will run another update and test.
-
I have updated the firewall to the build on the 24th, and with the Draytek routers, on tunnel rebuild after a drop I only get data coming from the Draytek and not back from the pfSense box.
Before the update I got the quick mode errors. I can see multiple SAD rules for the same tunnel, so I am not sure here what the problem is.
Just as a note, I do get this in the logs:
racoon: INFO: unsupported PF_KEY message REGISTER
After dropping the tunnel for about 3 mins it works again, and I have the DPD Interval set to 120. Should I reduce this?
-
You may want to set that much lower, something more like 20 or 30 seconds, and then test it again.
-
I have set it to 20, so we will have to see what happens. Out of interest though, does it detect one-way communication?
-
One of our developers has 400 Drayteks connected to pfSense via IPsec, using the same ipsec-tools as is in all the snapshots you have, and they work fine so it's definitely not an issue there. Sounds like maybe you have a lifetime mismatch, or DPD not enabled on both sides, or some other config issue.
-
Lifetimes are the same, I always make sure of this. I am not sure what the DPD intervals are on the Drayteks, but this never used to be a problem till 1.2.3, although on 1.2 the tunnels didn't rebuild at all.
-
Sweet, setting the DPD to 20 seems to have fixed it, so I will let you know if the problem comes back. Thanks
-
Shamefully it hasn't fixed it. I have noticed loads of tunnels for the same thing though.
87.83.24.114 86.54.251.XX ESP d122cb5e aes-cbc hmac-sha1
87.83.24.114 86.54.251.XX ESP d122cb58 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 0e42e5f2 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 019b2195 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 05f7e2e1 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 016d002b aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 0dcfda6a aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 0295d20c aes-cbc hmac-sha1
86.54.251.XX 87.83.24.XX ESP 0b619838 aes-cbc hmac-sha1
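The listing above shows several ESP SAs for one peer pair, which is the symptom the thread keeps circling back to (old SAs surviving a rekey while traffic only flows one way). The following script is an added example, not code from the thread or from pfSense/ipsec-tools: it parses a SAD listing in the "src dst proto spi enc auth" layout posted above (assumed to match what setkey -D style output gives, one SA per line), counts SAs per (src, dst) pair and flags pairs that hold more than the two SAs a healthy rekey overlap leaves behind. The sample input is constructed from the masked lines in the post; the threshold of two per direction is an assumption you can adjust.

```python
"""Flag IPsec peer pairs whose SAD holds more ESP SAs than a healthy rekey
should leave behind (added example; assumes one SA per line in the format
"src dst proto spi enc auth", as in the listing posted in the thread)."""
import sys
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample, copied from the masked listing posted in the thread.
SAMPLE_SAD = """\
87.83.24.114 86.54.251.XX ESP d122cb5e aes-cbc hmac-sha1
87.83.24.114 86.54.251.XX ESP d122cb58 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 0e42e5f2 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 019b2195 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 05f7e2e1 aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 016d002b aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 0dcfda6a aes-cbc hmac-sha1
86.54.251.XX1 87.83.24.XX ESP 0295d20c aes-cbc hmac-sha1
86.54.251.XX 87.83.24.XX ESP 0b619838 aes-cbc hmac-sha1
"""

Pair = Tuple[str, str]


def parse_sad(text: str) -> List[dict]:
    """Turn a SAD listing into a list of SA dicts; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split()
        # Need at least src, dst, proto and SPI; only ESP/AH rows are SAs.
        if len(fields) < 4 or fields[2].upper() not in ("ESP", "AH"):
            continue
        entries.append({
            "src": fields[0],
            "dst": fields[1],
            "proto": fields[2].upper(),
            "spi": fields[3].lower(),
            "enc": fields[4] if len(fields) > 4 else "",
            "auth": fields[5] if len(fields) > 5 else "",
        })
    return entries


def sas_per_pair(entries: List[dict]) -> Dict[Pair, List[str]]:
    """Group SPIs by (src, dst); each direction of a tunnel is its own pair."""
    groups: Dict[Pair, List[str]] = defaultdict(list)
    for e in entries:
        groups[(e["src"], e["dst"])].append(e["spi"])
    return dict(groups)


def stale_pairs(entries: List[dict], max_healthy: int = 2) -> Dict[Pair, List[str]]:
    """Pairs holding more SAs than the old+new overlap of a single rekey.

    max_healthy=2 is an assumption: during a rekey the outgoing SA and its
    replacement coexist briefly, so a third or later SPI on the same pair
    means earlier SAs were never flushed after the peer rekeyed."""
    return {pair: spis for pair, spis in sas_per_pair(entries).items()
            if len(spis) > max_healthy}


def report(text: str, max_healthy: int = 2) -> List[str]:
    """Human-readable summary lines, one per peer pair, stale ones marked."""
    entries = parse_sad(text)
    stale = stale_pairs(entries, max_healthy)
    lines = []
    for (src, dst), spis in sorted(sas_per_pair(entries).items()):
        flag = "  <-- stale SAs, check lifetimes/DPD on both ends" if (src, dst) in stale else ""
        lines.append(f"{src} -> {dst}: {len(spis)} SA(s) [{', '.join(spis)}]{flag}")
    return lines


if __name__ == "__main__":
    # Pipe a real listing in on stdin, otherwise run against the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SAD
    print("\n".join(report(data)))
```

Run it with the firewall's SAD listing on stdin to see which direction of which tunnel is piling up SAs; a pair that keeps growing after every rekey while its reverse direction stays at one or two SAs matches the one-way traffic described in the thread and points at a lifetime or DPD mismatch between the two ends rather than at the rekey itself.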