Netgate Discussion Forum

    IPSec stops working after IP Change on one Site

    dude140678

      Hello forum,

      After googling my ass off and browsing/searching the pfSense forums/lists for hours, I decided to post and hope to get some help with my IPsec problem.

      Setup:

      Site A:

      pfSense 1.2.3-RELEASE
      WAN IP: dynamic with DYNDNS
      LAN IP: 192.168.88.254
      LAN NET: 192.168.88.0/24

      <ipsec>
        <preferredoldsa/>
        <enable/>
        <tunnel>
          <interface>wan</interface>
          <local-subnet><network>lan</network></local-subnet>
          <remote-subnet>192.168.88.0/24</remote-subnet>
          <remote-gateway>home.XXXXXXXX.net</remote-gateway>
          <dpddelay/>
          <p1>
            <mode>aggressive</mode>
            <myident><fqdn>office.XXXXXXX.net</fqdn></myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>md5</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>1200</lifetime>
            <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
          </p1>
          <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_md5</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>1200</lifetime>
          </p2>
          <descr>Site A <---> Site B</descr>
          <pinghost>192.168.88.254</pinghost>
        </tunnel>
        <preferoldsa/>
      </ipsec>

      <rule>
        <type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>
        <source><network>lan</network></source>
        <destination><any/></destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>enc0</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source><any/></source>
        <destination><any/></destination>
        <log/>
        <descr>any to any over ipsec</descr>
      </rule>


      Site B:

      m0n0wall 1.31
      WAN IP: fixed
      LAN IP: 192.168.77.254
      LAN NET: 192.168.77.0/24

      <tunnel>
        <dpddelay/>
        <interface>wan</interface>
        <local-subnet><network>lan</network></local-subnet>
        <remote-subnet>192.168.77.0/24</remote-subnet>
        <remote-gateway>office.XXXXXX.net</remote-gateway>
        <p1>
          <mode>aggressive</mode>
          <myident><fqdn>home.XXXXXXXX.net</fqdn></myident>
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>1200</lifetime>
          <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>1200</lifetime>
        </p2>
        <descr>Site A <---> Site B</descr>
      </tunnel>

      <rule>
        <type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>
        <source><network>lan</network></source>
        <destination><any/></destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>ipsec</interface>
        <source><any/></source>
        <destination><any/></destination>
        <descr>Default IPsec VPN</descr>
      </rule>


      The tunnel is working after a fresh boot of the pfSense box, but only until the ISP changes the IP. After that happens the tunnel is being re-established, but no traffic passes through:

      Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP dynamicip[0]->fixedip[0] spi=215560106(0xcd92faa)
      Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP fixedip[0]->dynamicip[0] spi=66683697(0x3f98331)
      Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: respond new phase 2 negotiation: dynamicip[0]<=>fixedip[0]
      Apr 8 09:36:21 	racoon: [Site A <---> Site B]: INFO: ISAKMP-SA established dynamicip[500]-fixedip[500] spi:3e445b608827e73a:db4ceec3507b2aee
      

      I have to reboot the pfSense box to get the tunnel working again.

      [root@fw01.waedtgmbh.local]/root(1): ping 192.168.88.254
      PING 192.168.88.254 (192.168.88.254): 56 data bytes
      36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  20 5400 4cc3   0 0000  3f  01 33be 85.181.139.172  192.168.88.254
      
      36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  20 5400 8a4b   0 0000  3f  01 f635 85.181.139.172  192.168.88.254
      

      This is the ping output from the pfSense SSH shell. I tried to ping the LAN IP of the remote gateway, and it seems that pfSense is routing this traffic to its default gateway, which in my case is Hansenet.

      Any help would be really really appreciated. Rebooting the pfSense box once a day is not so funny.

      Regards
      Martin

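      Added example (not from the original post, not pfSense code): a small diagnostic that reads racoon log lines and ping output in the formats shown above and tells whether the renegotiated tunnel is actually carrying traffic or is left over from before the WAN IP change. The addresses 203.0.113.10 / 203.0.113.25 / 198.51.100.5 and the verdict strings are constructed; the ISP hop 213.191.88.94 is the one from the ping output in the post.

```python
# Diagnostic for the "tunnel re-established but traffic goes to the ISP" symptom.
# Constructed example: addresses and verdict strings are assumed, not from the post.
import ipaddress
import re

# racoon line as posted: "... IPsec-SA established: ESP A[0]->B[0] spi=NNN(0x...)"
SA_RE = re.compile(r"IPsec-SA established: ESP (?P<a>[\w.]+)\[\d+\]->(?P<b>[\w.]+)\[\d+\] spi=(?P<spi>\d+)")
# ping line as posted: "36 bytes from host (1.2.3.4): Destination Net Unreachable"
UNREACH_RE = re.compile(r"bytes from \S+ \((?P<ip>[\d.]+)\): Destination (?:Net|Host) Unreachable")


def sa_endpoints(log_lines):
    """Every ESP SA racoon reports as established, as (endpoint_a, endpoint_b, spi)."""
    return [(m["a"], m["b"], int(m["spi"]))
            for m in (SA_RE.search(line) for line in log_lines) if m]


def stale_sas(log_lines, wan_ip, peer_ip):
    """SAs whose endpoints are not exactly {current WAN IP, peer}: built before the IP change."""
    wanted = {wan_ip, peer_ip}
    return [sa for sa in sa_endpoints(log_lines) if {sa[0], sa[1]} != wanted]


def ping_leaks_to_isp(ping_lines):
    """True when the 'unreachable' for the remote LAN comes from a public hop,
    i.e. the probe left through the default gateway instead of the tunnel."""
    return any(ipaddress.ip_address(m["ip"]).is_global
               for m in (UNREACH_RE.search(line) for line in ping_lines) if m)


def diagnose(log_lines, ping_lines, wan_ip, peer_ip):
    """One-line verdict; the SA check comes first because a stale SA explains the leak."""
    if stale_sas(log_lines, wan_ip, peer_ip):
        return "stale-sa: SA still bound to the old WAN address; renegotiate instead of rebooting"
    if ping_leaks_to_isp(ping_lines):
        return "routing-leak: SA is current but LAN traffic is sent to the ISP gateway"
    return "ok"


# Constructed sample: the SA was built while the WAN was 203.0.113.10; it is now 203.0.113.25.
RACOON_LOG = [
    "Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP 203.0.113.10[0]->198.51.100.5[0] spi=215560106(0xcd92faa)",
    "Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP 198.51.100.5[0]->203.0.113.10[0] spi=66683697(0x3f98331)",
]
# Ping reply as in the post: the ISP router, not the tunnel peer, answers.
PING_OUT = ["36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable"]

if __name__ == "__main__":
    print(diagnose(RACOON_LOG, PING_OUT, "203.0.113.25", "198.51.100.5"))
```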
      rpsmith

        Switch to site-to-site OpenVPN and I think you will see your VPN problems disappear. I love IPsec, but I haven't found it to be reliable unless both ends have a static IP. Site-to-site OpenVPN has been rock solid with one end static and the other end dynamic.

        Roy…
