4. IPSec stops working after IP Change on one Site

IPSec stops working after IP Change on one Site

  • D

    Hello forum,

    after googling my ass off and browsing/searching the pfsense forums/lists for hours i decided to post and hope to get some help with my IPSec Problem.

    Setup:

    Site A:

    PFSense 1.2.3-RELEASE
    WAN IP: dynamic with DYNDNS
    LAN IP: 192.168.88.254
    LAN NET: 192.168.88.0/24

    
−
 <ipsec><preferredoldsa><enable>−
 <tunnel><interface>wan</interface>
−
 <local-subnet><network>lan</network></local-subnet> 
<remote-subnet>192.168.88.0/24</remote-subnet>
<remote-gateway>home.XXXXXXXX.net</remote-gateway>
 <dpddelay>−
 <p1><mode>aggressive</mode>
−
 <myident><fqdn>office.XXXXXXX.net</fqdn></myident> 
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>md5</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>1200</lifetime>
<pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
 <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1> 
−
 <p2><protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<pfsgroup>2</pfsgroup>
<lifetime>1200</lifetime></p2> 
<descr>Site A <---> Site B</descr>
<pinghost>192.168.88.254</pinghost></dpddelay></tunnel> 
 <preferoldsa></preferoldsa></enable></preferredoldsa></ipsec> 

    
 <rule><type>pass</type>
<descr>Default LAN -> any</descr>
<interface>lan</interface>
−
<source>
<network>lan</network>

−
 <destination><any></any></destination></rule> 
−
 <rule><type>pass</type>
<interface>enc0</interface>
 <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype>
 <os>−
<source>
 <any>−
 <destination><any></any></destination> 
 <log><descr>any to any over ipsec</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>

    Site B:

    m0n0wall 1.31
    WAN IP: fixed
    LAN IP: 192.168.77.254
    LAN NET: 192.168.77.0/24

     <tunnel><dpddelay><interface>wan</interface>
−
 <local-subnet><network>lan</network></local-subnet> 
<remote-subnet>192.168.77.0/24</remote-subnet>
<remote-gateway>office.XXXXXX.net</remote-gateway>
−
 <p1><mode>aggressive</mode>
−
 <myident><fqdn>home.XXXXXXXX.net</fqdn></myident> 
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>md5</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>1200</lifetime>
<pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
 <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1> 
−
 <p2><protocol>esp</protocol>
<encryption-algorithm-option>3des</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<pfsgroup>2</pfsgroup>
<lifetime>1200</lifetime></p2> 
<descr>Site A <---> Site B</descr></dpddelay></tunnel> 


     <rule><type>pass</type>
<descr>Default LAN -> any</descr>
<interface>lan</interface>
−
<source>
<network>lan</network>

−
 <destination><any></any></destination></rule> 
−
 <rule><type>pass</type>
<interface>ipsec</interface>
−
<source>
 <any>−
 <destination><any></any></destination> 
<descr>Default IPsec VPN</descr></any></rule>

    The Tunnel is working after a fresh boot of the pfsense box. But only until the ISP changes the IP. After that happened the tunnel is beeing reestatblished but no traffic pass through

    Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP dynamicip[0]->fixedip[0] spi=215560106(0xcd92faa)
Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP fixedip[0]->dynamicip[0] spi=66683697(0x3f98331)
Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: respond new phase 2 negotiation: dynamicip[0]<=>fixedip[0]
Apr 8 09:36:21 	racoon: [Site A <---> Site B]: INFO: ISAKMP-SA established dynamicip[500]-fixedip[500] spi:3e445b608827e73a:db4ceec3507b2aee

    I have to reboot the PFSENSE Box to get the tunnel working again.

    [root@fw01.waedtgmbh.local]/root(1): ping 192.168.88.254
PING 192.168.88.254 (192.168.88.254): 56 data bytes
36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  20 5400 4cc3   0 0000  3f  01 33be 85.181.139.172  192.168.88.254

36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  20 5400 8a4b   0 0000  3f  01 f635 85.181.139.172  192.168.88.254

    This is the ping output from the pfsense ssh shell. i tried to ping the lan ip of the remote gateway and it seems that pfsense ist routing this traffic to its default gateway , which is in my case hansenet.

    any help woul be really really apreciated. rebooting the pfsense box once a day is not so funny.

    regards
    martin

    0
  • R

    switch to site-site OpenVPN and I think you will see your VPN problems disappear.   I love IPSec but I haven't found it to be reliable unless both ends have a static IP.  site-site OpenVPN has been rock solid with one end static and the other end dynamic.

    Roy…

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy