Netgate Discussion Forum
    IPsec site A <> DC <> site B only works if traffic is initiated from site B, then both directions work until no traffic for 5-10 seconds

    nicholfd wrote:

      We're trying to add site A <-> site B connectivity via the DC in the middle (and eventually equivalent for other sites.)

      pfSense                pfSense               Juniper
      192.168.24.82 (24)    10.132.0.0 (16)     192.168.40.13 (22) 
      Site A <-----IPsec-----> DC <-----IPsec-----> Site B
                               |
                               |
                         OpenVPN Clients
                         10.130.0.0 (16)
      
      • Ping/server access from OpenVPN -> site B/server & site A client - WORKS, no delays or issues
      • Ping/server access from site A/client -> site B/server - FAILS, but packet capture shows ping coming in via IPsec on DC pfSense, just no replies from site B/server (captured site A & site B packets by IP address with "OR" in the capture).
      • Ping from site B/server to site A client WORKS, no delays or issues
      • IF a ping from site B/server to site A/client is started/running, site A/client CAN reach/ping site B/server. If both pings are stopped, 5-10 seconds later the site A/client can no longer reach site B/server. If the ping from site B/server to site A/client is stopped, as long as data/ping continues to come from site A/client to site B/server, the link seems to "stay up".

      There are several phase 2 entries on both the IPsec connections from site A & site B <-> DC, primarily for access to subnets at the DC (including OpenVPN) that have been working well for years. Additional phase 2 entries were appropriately (I think correctly) added at all three locations.

      I've reviewed the IPsec configuration on the DC pfSense & site B pfSense. Juniper is command line & "owned" by another support person. I've looked at the Juniper config dump, and based on the old, working IPsec Phase 2 entries, looking at the new entry for site to site connectivity "looks" right.

      Any ideas what I'm missing or should be looking for?

      Thanks,
      Frank

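A hub-and-spoke path like Site A <-> DC <-> Site B only carries a transit flow if every end of every tunnel on the path has a phase 2 selector (pfSense Local/Remote Network, Juniper proxy identity) covering that flow in its own orientation. The script below is an added example, not the poster's configuration or any Netgate tool: the subnets are the ones from the diagram, the phase 2 lists are constructed, and one transit entry is deliberately left out on the Site B end so the report has a gap to show.

```python
# Added example for this thread (not the poster's config): check that every end
# of a hub-and-spoke IPsec path carries a phase 2 selector for a transit flow.
# Subnets come from the post; the phase 2 lists are constructed, and the Site B
# end is deliberately missing its transit entry to show what a gap looks like.
import ipaddress

SITE_A, DC, OPENVPN, SITE_B = ("192.168.24.0/24", "10.132.0.0/16",
                                "10.130.0.0/16", "192.168.40.0/22")

# Each tunnel: its two ends, and per end a list of (local, remote) selectors
# as that end sees them (pfSense "Local Network"/"Remote Network",
# Juniper proxy-identity local/remote).
TUNNELS = [
    {"ends": ("SiteA", "DC"),
     "SiteA": [(SITE_A, DC), (SITE_A, OPENVPN), (SITE_A, SITE_B)],
     "DC":    [(DC, SITE_A), (OPENVPN, SITE_A), (SITE_B, SITE_A)]},
    {"ends": ("DC", "SiteB"),
     "DC":    [(DC, SITE_B), (OPENVPN, SITE_B), (SITE_A, SITE_B)],
     "SiteB": [(SITE_B, DC), (SITE_B, OPENVPN)]},   # transit entry missing
]

def covers(selectors, local, remote):
    """True if some (local, remote) selector contains the given local/remote."""
    l, r = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    return any(l.subnet_of(ipaddress.ip_network(sl))
               and r.subnet_of(ipaddress.ip_network(sr))
               for sl, sr in selectors)

def find_tunnel(near, far):
    """Look up the tunnel between two sites regardless of end order."""
    for t in TUNNELS:
        if set(t["ends"]) == {near, far}:
            return t
    raise KeyError(f"no tunnel between {near} and {far}")

def missing_selectors(path, src, dst):
    """Walk src->dst along path (site names) and return the (tunnel, end)
    pairs with no selector covering that flow; such an end will not negotiate
    a child SA for this traffic, whichever side initiates."""
    gaps = []
    for near, far in zip(path, path[1:]):
        t = find_tunnel(near, far)
        if not covers(t[near], src, dst):       # near end: local=src, remote=dst
            gaps.append((near + "-" + far, near))
        if not covers(t[far], dst, src):        # far end: local=dst, remote=src
            gaps.append((near + "-" + far, far))
    return gaps

if __name__ == "__main__":
    for s, d, path in [(SITE_A, SITE_B, ["SiteA", "DC", "SiteB"]),
                       (SITE_B, SITE_A, ["SiteB", "DC", "SiteA"])]:
        print(f"{s} -> {d}:", missing_selectors(path, s, d) or "all ends covered")
```

Run it against the real selectors from each device (both the pfSense Phase 2 tabs and the Juniper proxy identities) to see which end, if any, has no entry for the Site A <-> Site B pair.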
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.