Racoon makes me sad, this tunnel will not stay up!
-
I'm game for trying a different configuration if mine looks questionable.
-
Why are you using mobile tunnels? Are site A and site B dynamic IP?
If they are dynamic IP, they will need a different identifier, such as "sitea@example.com" and "siteb@example.com" and PSKs to match.
You'd probably be better off with static tunnels built between each site and using dyndns hostnames for the peer addresses if you have dynamic IPs.
-
I read in the documentation that if one IP is dynamic then Mobile clients had to be enabled. I will try disabling it.
Both sites use Time Warner as an ISP. There is only one hop in between the sites and ping times over the tunnel (when working) are an average of 18 ms.
Site A has a static IP address, and Site B has a dynamic address, but it only changes when the modem sees a different MAC being used. It hasn't changed in months. I doubt it will change any time soon either; once before I kept the same IP address under a dynamic account from them for over a year! lol. But my question has always been: when configuring pfSense, does it matter that Site B has a dynamic IP address even though it doesn't change?
-
ehhh :( I tried disabling it to no avail. Same problem. The logs look the same. :-\
-
Is one of the ends actually a private IP on WAN?
The logs you pasted show a phase 1 timeout, which either means a setting mismatch, which isn't the case based on your screenshots, or traffic not actually getting to the remote end. I suspect some other firewall is blocking that traffic before it gets to you.
-
Nope, no private IP on WAN. I did a find all/replace all in Macromedia before I posted. Site A is static on WAN, and Site B is dynamic on WAN, but that IP never changes. There are no other firewalls before the pfSense boxes, so if traffic is being blocked before racoon can handle it, pfSense must be the culprit? Time Warner doesn't block any ports or protocols specific to my application scenarios. Could I post any other information to aid in resolution?
-
Sooo, would reinstalling pfsense and starting from scratch be my best bet?
-
I tried reinstalling pfSense and it was to no avail! The tunnel would NOT STAY UP! I used the 1.2.3-RC1 ISO, the same install that I used for months and had a stable IPsec site-to-site VPN. Can somebody please answer me this: is it possible that the hardware combination of both pfSense boxes could be the culprit? I'm using two old PowerSpec boxes (Micro Center PCs) for pfSense. All four NICs are different, and each machine contains a different processor. So is it possible that this could be a reason why the tunnel won't stay up? I'm out of ideas… should I assemble two brand new pfSense boxes with the same exact hardware configurations? I really need some help on this issue. I am more than willing to donate to FreeBSD if I can get my issue corrected. I am not in the position to spend XXX dollars on support because of lack of budget, so any help on this issue would be greatly appreciated. Site-to-site IPsec VPN tunnels are not very user friendly from what I can see.... ???
- Luke
Fred's Appliance, LLC
www.fredsappliance.com
LRepko@fredsappliance.com
-
I had similar issues with tunnels between 2 pfSense boxes not staying up. I'm running 1.2.2, so not sure how much of this is applicable. It seemed like to get the tunnels up I would just randomly restart and disable/re-enable tunnels until they worked. Finally, though, I found something that seems to work every time:
1) Disabled both ends of the tunnel
2) setkey -FP on both ends of the tunnel
3) Restarted both racoons
4) Re-enabled the tunnels
Not sure if this will help or not. The way I finally fixed my tunnel stability issue was to change the lifetime to about 10 days for both phase 1 and phase 2, making sure not to set them to the same thing. I have no idea why this fixed the problem, but it did. Not sure if any of this will help you or not.
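The reset procedure from the post above, written out as an added shell example that is not from the thread or from pfSense itself. It assumes a FreeBSD/pfSense 1.2.x host where racoon reads /var/etc/racoon.conf (assumed path), and it performs only steps 2 and 3 on the local end, since steps 1 and 4 are done in the GUI; run it on both ends. Setting IPSEC_DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: flush the IPsec SAD/SPD and restart racoon on one end.
# Assumption (not stated in the thread): racoon's config is /var/etc/racoon.conf.
# IPSEC_DRY_RUN=1 echoes each privileged command instead of running it.

run() {
    if [ "${IPSEC_DRY_RUN:-0}" = "1" ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 2: flush the security policy database (-FP) and the
# security association database (-F) so no stale SA or SP survives.
flush_ipsec_db() {
    run setkey -FP
    run setkey -F
}

# Verify the flush took effect: with empty databases, setkey -D prints
# "No SAD entries." and setkey -DP prints "No SPD entries."
ipsec_db_empty() {
    if [ "${IPSEC_DRY_RUN:-0}" = "1" ]; then return 0; fi
    setkey -D  | grep -q '^No SAD entries' || return 1
    setkey -DP | grep -q '^No SPD entries' || return 1
}

# Step 3: stop racoon, wait for the old process to exit, then start
# it again from the assumed config path.
restart_racoon() {
    run killall racoon
    if [ "${IPSEC_DRY_RUN:-0}" != "1" ]; then
        i=0
        while pgrep -q racoon && [ "$i" -lt 10 ]; do sleep 1; i=$((i + 1)); done
        if pgrep -q racoon; then return 1; fi   # racoon refused to die
    fi
    run racoon -f /var/etc/racoon.conf
}

# Run steps 2 and 3 in order, stopping at the first failure.
reset_ipsec() {
    flush_ipsec_db && ipsec_db_empty && restart_racoon
}

if [ "${IPSEC_RESET_MAIN:-0}" = "1" ]; then reset_ipsec; fi
```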
-
My IPSEC tunnels have always connected, but sometimes wouldn't reconnect. I switched to RC3 and a lot of this was fixed. The only tunnel I have problems with is one over a wireless connection.
If your tunnels are establishing, but no data is passing, be sure to double-check your firewall to make sure there are IPsec rules to allow it. I forgot to do this after replacing a pfSense router, and it caused me grief.