IPSec stops working after IP Change on one Site



  • Hello forum,

    After googling my ass off and browsing/searching the pfSense forums/lists for hours, I decided to post and hope to get some help with my IPsec problem.

    Setup:

    Site A:

    PFSense 1.2.3-RELEASE
    WAN IP: dynamic with DYNDNS
    LAN IP: 192.168.88.254
    LAN NET: 192.168.88.0/24

    
    <ipsec>
      <preferredoldsa/>
      <enable/>
      <tunnel>
        <interface>wan</interface>
        <local-subnet>
          <network>lan</network>
        </local-subnet>
        <remote-subnet>192.168.88.0/24</remote-subnet>
        <remote-gateway>home.XXXXXXXX.net</remote-gateway>
        <dpddelay/>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <fqdn>office.XXXXXXX.net</fqdn>
          </myident>
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>1200</lifetime>
          <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>1200</lifetime>
        </p2>
        <descr>Site A <---> Site B</descr>
        <pinghost>192.168.88.254</pinghost>
      </tunnel>
      <preferoldsa/>
    </ipsec>

    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>enc0</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <any/>
      </source>
      <destination>
        <any/>
      </destination>
      <log/>
      <descr>any to any over ipsec</descr>
    </rule>
    
    

    Site B:

    m0n0wall 1.31
    WAN IP: fixed
    LAN IP: 192.168.77.254
    LAN NET: 192.168.77.0/24

    <tunnel>
      <dpddelay/>
      <interface>wan</interface>
      <local-subnet>
        <network>lan</network>
      </local-subnet>
      <remote-subnet>192.168.77.0/24</remote-subnet>
      <remote-gateway>office.XXXXXX.net</remote-gateway>
      <p1>
        <mode>aggressive</mode>
        <myident>
          <fqdn>home.XXXXXXXX.net</fqdn>
        </myident>
        <encryption-algorithm>3des</encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>1200</lifetime>
        <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
        <private-key/>
        <cert/>
        <peercert/>
        <authentication_method>pre_shared_key</authentication_method>
      </p1>
      <p2>
        <protocol>esp</protocol>
        <encryption-algorithm-option>3des</encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>1200</lifetime>
      </p2>
      <descr>Site A <---> Site B</descr>
    </tunnel>

    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>ipsec</interface>
      <source>
        <any/>
      </source>
      <destination>
        <any/>
      </destination>
      <descr>Default IPsec VPN</descr>
    </rule>
    

    The tunnel is working after a fresh boot of the pfSense box, but only until the ISP changes the IP. After that happens the tunnel is being re-established, but no traffic passes through:

    Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP dynamicip[0]->fixedip[0] spi=215560106(0xcd92faa)
    Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP fixedip[0]->dynamicip[0] spi=66683697(0x3f98331)
    Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: respond new phase 2 negotiation: dynamicip[0]<=>fixedip[0]
    Apr 8 09:36:21 	racoon: [Site A <---> Site B]: INFO: ISAKMP-SA established dynamicip[500]-fixedip[500] spi:3e445b608827e73a:db4ceec3507b2aee
    

    I have to reboot the pfSense box to get the tunnel working again.

    [root@fw01.waedtgmbh.local]/root(1): ping 192.168.88.254
    PING 192.168.88.254 (192.168.88.254): 56 data bytes
    36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  20 5400 4cc3   0 0000  3f  01 33be 85.181.139.172  192.168.88.254
    
    36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  20 5400 8a4b   0 0000  3f  01 f635 85.181.139.172  192.168.88.254
    

    This is the ping output from the pfSense SSH shell. I tried to ping the LAN IP of the remote gateway and it seems that pfSense is routing this traffic to its default gateway, which in my case is Hansenet.

    Any help would be really, really appreciated. Rebooting the pfSense box once a day is not so funny.

    regards
    martin
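
    A consistency check a practitioner would run over a site-to-site pair before chasing the dynamic-IP angle, written here as an added example (it is not the poster's code and not part of pfSense or m0n0wall). It assumes the element names seen in the pasted config.xml fragments, resolves `<network>lan</network>` through a supplied LAN prefix (other local-subnet forms are not handled), and uses placeholder hostnames and a placeholder PSK. The checks: each side's remote-subnet must be the other side's LAN and must not overlap its own LAN, remote-gateway should name the peer's myident FQDN, dpddelay should be set so a dead SA is noticed after the dynamic address changes rather than only at rekey, and the PSK and phase-1/PFS parameters must match on both sides.

```python
"""
Consistency checks for an IPsec site-to-site pair in pfSense/m0n0wall 1.x
config.xml form (the <tunnel> layout pasted in the post).

Added example, not code from the post or from the pfSense/m0n0wall projects.
Assumption: <local-subnet><network>lan</network> is resolved through a
caller-supplied LAN prefix; other local-subnet forms raise an error.
Hostnames and the PSK below are placeholders.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed tunnel template following the element names in the post.
TEMPLATE = """<tunnel>
  <interface>wan</interface>
  <local-subnet><network>lan</network></local-subnet>
  <remote-subnet>{remote}</remote-subnet>
  <remote-gateway>{gateway}</remote-gateway>
  <dpddelay>{dpd}</dpddelay>
  <p1>
    <mode>aggressive</mode>
    <myident><fqdn>{ident}</fqdn></myident>
    <encryption-algorithm>3des</encryption-algorithm>
    <hash-algorithm>md5</hash-algorithm>
    <dhgroup>2</dhgroup>
    <pre-shared-key>{psk}</pre-shared-key>
  </p1>
  <p2><protocol>esp</protocol><pfsgroup>2</pfsgroup></p2>
</tunnel>"""

A_LAN = ipaddress.ip_network("192.168.88.0/24")   # site A LAN, from the post
B_LAN = ipaddress.ip_network("192.168.77.0/24")   # site B LAN, from the post


def _text(node, path):
    """Text of a child element, or "" when it is absent or empty (e.g. <dpddelay/>)."""
    child = node.find(path)
    return (child.text or "").strip() if child is not None else ""


def parse_tunnel(xml_text, lan_net):
    """Pull the fields the pair checks need out of one side's <tunnel> block."""
    t = ET.fromstring(xml_text)
    if _text(t, "local-subnet/network") != "lan":
        raise ValueError("only <network>lan</network> local subnets are handled here")
    return {
        "local": lan_net,
        "remote": ipaddress.ip_network(_text(t, "remote-subnet"), strict=False),
        "gateway": _text(t, "remote-gateway"),
        "ident": _text(t, "p1/myident/fqdn"),
        "dpd": _text(t, "dpddelay"),
        "psk": _text(t, "p1/pre-shared-key"),
        "enc": _text(t, "p1/encryption-algorithm"),
        "hash": _text(t, "p1/hash-algorithm"),
        "dhgroup": _text(t, "p1/dhgroup"),
        "pfsgroup": _text(t, "p2/pfsgroup"),
    }


def check_pair(a, b):
    """Return findings for an A<->B pair; an empty list means the two sides agree."""
    findings = []
    for name, me, peer in (("A", a, b), ("B", b, a)):
        if me["remote"] != peer["local"]:
            findings.append(f"{name}: remote-subnet {me['remote']} is not the peer LAN {peer['local']}")
        if me["remote"].overlaps(me["local"]):
            findings.append(f"{name}: remote-subnet {me['remote']} overlaps its own LAN {me['local']}")
        if me["gateway"] != peer["ident"]:
            findings.append(f"{name}: remote-gateway {me['gateway']} is not the peer's myident FQDN {peer['ident']}")
        if not me["dpd"]:
            findings.append(f"{name}: dpddelay is empty; a dead SA after a peer IP change is only noticed at rekey")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ")
    for key in ("enc", "hash", "dhgroup", "pfsgroup"):
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a[key]} vs {b[key]}")
    return findings


def build(remote, gateway, ident, dpd, psk="examplepsk"):
    """Fill the constructed template for one side."""
    return TEMPLATE.format(remote=remote, gateway=gateway, ident=ident, dpd=dpd, psk=psk)


# As pasted above (after anonymization): each side's remote-subnet names its own LAN
# and dpddelay is empty on both sides.
AS_POSTED = check_pair(
    parse_tunnel(build("192.168.88.0/24", "home.example.net", "office.example.net", ""), A_LAN),
    parse_tunnel(build("192.168.77.0/24", "office.example.net", "home.example.net", ""), B_LAN))

# Each side's remote-subnet is the other side's LAN and DPD is enabled.
CORRECTED = check_pair(
    parse_tunnel(build("192.168.77.0/24", "home.example.net", "office.example.net", "10"), A_LAN),
    parse_tunnel(build("192.168.88.0/24", "office.example.net", "home.example.net", "10"), B_LAN))

if __name__ == "__main__":
    for label, result in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{label}: {result or 'no findings'}")
```

    Run it as-is and the first pair reports six findings (subnet mismatch, own-LAN overlap and missing DPD on each side) while the second reports none; to check real configs, paste each side's `<tunnel>` block into `parse_tunnel` with that site's LAN prefix.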



  • Switch to site-to-site OpenVPN and I think you will see your VPN problems disappear. I love IPsec but I haven't found it to be reliable unless both ends have a static IP. Site-to-site OpenVPN has been rock solid with one end static and the other end dynamic.

    Roy…

