P2s flip-flopping and going stale
I have what I think is a relatively simple setup:
- pfSense firewall onsite <--> Linode VM
- The IPsec tunnel has three P2s: one for the LAN bridge and two for VLANs; these are meant to be accessible from the Linode VM
The symptom I have experienced off and on for many months is that my webservers, on the GENERAL subnet, will become unreachable. When I investigate, I find the IPsec tunnel connected and looking normal. But I can't ping the VLAN gateway from the Linode VM.
Last night and again this morning, I noticed a few new clues:
- When I can't ping one gateway, I can always ping the other two VLAN gateways.
- When a gateway automatically re-installs, it is able to ping and one of the others is not.
- When I disconnect a P2 manually that I was able to ping across, the other one that I was not able to ping across is immediately fixed.
Also, the symptoms are always cleared up temporarily whenever I disconnect/reconnect P1 or when I reboot the firewall.
Figure 1: The GEN_VLAN gateway is unreachable from the Linode VM
Figure 2: I disconnect the GAM_VLAN P2 and now the GEN_VLAN gateway is reachable
Figure 3: I reconnect the GAM_VLAN P2 and all three are still reachable
Here are my basic settings for P1:
Here are my basic settings for all the P2s with the only change being the Life Time value:
- The Life Time values for the P2s are 3600, 3800, and 4000
And here is my /etc/ipsec.conf on the Linode VM:
Any ideas? I've tried quite a few different things already, too many to list really, and all "shots in the dark" based on a mix of Internet research and limited knowledge.
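One check that helps pin down which P2 has gone stale while the P1 still shows ESTABLISHED: parse `ipsec statusall` on the Linode VM and list the CHILD_SA state behind each remote subnet, then flag any expected subnet with no INSTALLED CHILD_SA. This is an added example, not code from the original post; the connection name `linode`, the three remote subnets, and the sample status text are constructed placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Reads strongSwan `ipsec statusall`
# output and reports, per remote subnet, whether its CHILD_SA (P2) is INSTALLED.
# Assumptions: connection name "linode" and the subnets below are placeholders.

EXPECTED_SUBNETS="10.10.0.0/24 10.20.0.0/24 10.30.0.0/24"

# Constructed sample: P1 is up and two P2s are INSTALLED, but 10.20.0.0/24
# has no CHILD_SA at all, matching the "tunnel looks normal, one VLAN dead" symptom.
SAMPLE_STATUS='Security Associations (1 up, 0 connecting):
   linode[3]: ESTABLISHED 2 hours ago, 192.0.2.10[192.0.2.10]...203.0.113.5[203.0.113.5]
   linode{7}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
   linode{7}:   192.0.2.10/32 === 10.10.0.0/24
   linode{9}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 11223344_i 55667788_o
   linode{9}:   192.0.2.10/32 === 10.30.0.0/24'

# child_sa_states: read statusall text on stdin; print "<remote_subnet> <state>"
# for every CHILD_SA. Duplicate CHILD_SAs for one subnet show up as repeated lines.
child_sa_states() {
  awk '
    # State line:    name{id}:  INSTALLED, TUNNEL, reqid N, ...
    $1 ~ /[{][0-9]+[}]:$/ && $2 ~ /,$/ { s = $2; sub(/,$/, "", s); state[$1] = s; next }
    # Selector line: name{id}:   local/len === remote/len
    $1 ~ /[{][0-9]+[}]:$/ && $3 == "===" { print $4, state[$1] }
  '
}

# missing_child_sas: read statusall text on stdin; print each expected remote
# subnet that has no INSTALLED CHILD_SA (the P2 that needs a closer look).
missing_child_sas() {
  states=$(child_sa_states)
  for net in $EXPECTED_SUBNETS; do
    printf '%s\n' "$states" | grep -qxF "$net INSTALLED" || echo "$net"
  done
}

# Stand-alone run against the constructed sample; on the VM: ipsec statusall | missing_child_sas
printf '%s\n' "$SAMPLE_STATUS" | missing_child_sas
```

Run it from cron or a watch loop and log the output together with a ping to each gateway; a subnet that is listed here while its P1 is ESTABLISHED points at the child SA, not the IKE SA.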