Netgate Discussion Forum

    IPsec site to site dropping every 49-55 minutes

    44 Posts 4 Posters 1.7k Views
    michmoor @TheStormsOfFury

      @TheStormsOfFury

      I went through your logs and nothing is sticking out. Do you have other IPsec tunnels? If so are they having the same problems?

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      TheStormsOfFury @michmoor

        @michmoor This is the only tunnel we have lol.

        I had considered WireGuard but I understand that it is not dependable, but then again at this point neither is IPsec; however, I understand it's worse.

        We switched from OpenVPN to IPsec because we're just not getting the speeds needed across the tunnel, and from what I understand that is because the version of OpenVPN on pfSense is only single threaded and it cannot handle higher speeds above 100-200Mbps and we have 1000Mbps synchronous uplinks at both locations.

        What is your thought on the comparison between IPsec vs WireGuard vs OpenVPN?

        Thanks again!

        TSoF

        michmoor @TheStormsOfFury

          @TheStormsOfFury said in IPsec site to site dropping every 49-55 minutes:

          > What is your thought on the comparison between IPsec vs WireGuard vs OpenVPN?

          I use Netgate appliances, not white box, so from a hardware support perspective our experiences will be different.
          For example, I have options to use AES-NI, QAT or IPsec-MB for cryptographic acceleration, or DCO for OpenVPN. I don't have throughput limitations by hardware.

          From experience, I have had no issues with WireGuard. The only caveat is that in a High Availability setup it's not as seamless as IPsec. You can read about it here.

          If I had to choose, I would go with WireGuard.

          TheStormsOfFury @michmoor

            @michmoor I would love to give your reply a thumbs up, but apparently you have to have 5 something, and no clue on how to get that.

            Anyway, I'm going to look at WireGuard; however, I upped my P1 timeout, rekey, and expiry times to 7 days, then 10 under for rekey and 2 under for expiry, and I've gone ahead and upped the P2 to 1 day and rekey at 5 minutes under.

            That was at 13:44 and we are now at 16:17 and we haven't had a drop yet.

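The lifetime tuning described in the post above is easy to get subtly wrong, so here is an added example (editor's code, not from any poster or from pfSense/Netgate) that sanity-checks a pair of Phase 1 / Phase 2 lifetime settings. Field names follow strongSwan's swanctl keys (`life_time`, `rekey_time`, `rand_time`), which are the Life Time, Rekey Time and Rand Time fields on the pfSense IPsec pages; strongSwan starts a rekey at `rekey_time - random(0, rand_time)` seconds of SA age and hard-deletes the SA at `life_time`. The sample values (`PFSENSE_DEFAULT_P1/P2`, `LONG_LIVED_P1/P2`) are constructed for the example, and the 5% margin threshold is this example's own choice, not a strongSwan or pfSense rule.

```python
"""Sanity checks for IPsec SA lifetimes (added example; values are constructed)."""
import re
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> int:
    """Parse '7d', '90m', '1d10m' or bare seconds ('3600') into seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smhd])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


@dataclass(frozen=True)
class SaLifetimes:
    """One SA's timers in seconds, named after strongSwan's swanctl keys."""
    life_time: int   # hard expiry: the SA is deleted at this age
    rekey_time: int  # soft limit: a rekey starts around this age
    rand_time: int   # jitter subtracted from rekey_time so both peers do not collide

    @classmethod
    def parse(cls, life: str, rekey: str, rand: str) -> "SaLifetimes":
        return cls(parse_duration(life), parse_duration(rekey), parse_duration(rand))


def rekey_window(sa: SaLifetimes) -> tuple[int, int]:
    """Earliest and latest SA age (seconds) at which strongSwan starts rekeying."""
    return (sa.rekey_time - sa.rand_time, sa.rekey_time)


# Constructed sample values: pfSense-style defaults (1 h P2, 8 h P1, 90%/10% split)
PFSENSE_DEFAULT_P1 = SaLifetimes.parse("28800", "25920", "2880")
PFSENSE_DEFAULT_P2 = SaLifetimes.parse("3600", "3240", "360")

# Constructed approximation of a "rekey a few minutes under a very long life_time" setup
LONG_LIVED_P1 = SaLifetimes.parse("7d", "6d23h50m", "5m")
LONG_LIVED_P2 = SaLifetimes.parse("1d", "23h55m", "1m")

# Example's own threshold: how much of life_time should remain after rekey_time.
MIN_MARGIN_FRACTION = 0.05


def check_lifetimes(p1: SaLifetimes, p2: SaLifetimes) -> list[str]:
    """Return a list of human-readable problems; an empty list means the timers are consistent."""
    problems: list[str] = []
    for label, sa in (("P1", p1), ("P2", p2)):
        if not 0 < sa.rekey_time < sa.life_time:
            problems.append(
                f"{label}: rekey_time {sa.rekey_time}s must be below life_time "
                f"{sa.life_time}s, otherwise the SA hard-expires before it is renewed"
            )
            continue
        if sa.rand_time >= sa.rekey_time:
            problems.append(f"{label}: rand_time {sa.rand_time}s must be smaller than rekey_time")
            continue
        margin = sa.life_time - sa.rekey_time
        if margin < MIN_MARGIN_FRACTION * sa.life_time:
            # A tiny margin means a failed rekey has little time to retry before traffic drops.
            problems.append(
                f"{label}: only {margin}s between rekey_time and life_time; a failed rekey "
                f"has little time to retry before hard expiry"
            )
    if p2.life_time > p1.life_time:
        problems.append("P2 life_time exceeds P1 life_time; common guidance keeps Phase 2 shorter")
    return problems


if __name__ == "__main__":
    for name, p1, p2 in (("defaults", PFSENSE_DEFAULT_P1, PFSENSE_DEFAULT_P2),
                         ("long-lived", LONG_LIVED_P1, LONG_LIVED_P2)):
        lo, hi = rekey_window(p2)
        print(f"{name}: P2 rekey window {lo // 60}-{hi // 60} min, "
              f"problems: {check_lifetimes(p1, p2) or 'none'}")
```

Two things the output shows that the post alone does not: with the default 3600 s Phase 2 lifetime the rekey window works out to 48 to 54 minutes of SA age, which is the kind of arithmetic worth comparing against the interval in the thread title before blaming the peer; and stretching lifetimes to days while keeping the rekey only minutes under expiry trades fewer key rotations for a very short retry margin, so a single failed rekey attempt still ends in a hard expiry.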
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.