    IPSec stops working after IP Change on one Site

    dude140678:

      Hello forum,

      After googling my ass off and browsing/searching the pfSense forums/lists for hours, I decided to post and hope to get some help with my IPsec problem.

      Setup:

      Site A:

      pfSense 1.2.3-RELEASE
      WAN IP: dynamic with DYNDNS
      LAN IP: 192.168.88.254
      LAN NET: 192.168.88.0/24

      <ipsec>
        <preferredoldsa/>
        <enable/>
        <tunnel>
          <interface>wan</interface>
          <local-subnet><network>lan</network></local-subnet>
          <remote-subnet>192.168.88.0/24</remote-subnet>
          <remote-gateway>home.XXXXXXXX.net</remote-gateway>
          <dpddelay/>
          <p1>
            <mode>aggressive</mode>
            <myident><fqdn>office.XXXXXXX.net</fqdn></myident>
            <encryption-algorithm>3des</encryption-algorithm>
            <hash-algorithm>md5</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>1200</lifetime>
            <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
          </p1>
          <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>3des</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <hash-algorithm-option>hmac_md5</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>1200</lifetime>
          </p2>
          <descr>Site A <---> Site B</descr>
          <pinghost>192.168.88.254</pinghost>
        </tunnel>
        <preferoldsa/>
      </ipsec>

      <rule>
        <type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>
        <source><network>lan</network></source>
        <destination><any/></destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>enc0</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source><any/></source>
        <destination><any/></destination>
        <log/>
        <descr>any to any over ipsec</descr>
      </rule>


      Site B:

      m0n0wall 1.31
      WAN IP: fixed
      LAN IP: 192.168.77.254
      LAN NET: 192.168.77.0/24

      <tunnel>
        <dpddelay/>
        <interface>wan</interface>
        <local-subnet><network>lan</network></local-subnet>
        <remote-subnet>192.168.77.0/24</remote-subnet>
        <remote-gateway>office.XXXXXX.net</remote-gateway>
        <p1>
          <mode>aggressive</mode>
          <myident><fqdn>home.XXXXXXXX.net</fqdn></myident>
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>1200</lifetime>
          <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>1200</lifetime>
        </p2>
        <descr>Site A <---> Site B</descr>
      </tunnel>

      <rule>
        <type>pass</type>
        <descr>Default LAN -> any</descr>
        <interface>lan</interface>
        <source><network>lan</network></source>
        <destination><any/></destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>ipsec</interface>
        <source><any/></source>
        <destination><any/></destination>
        <descr>Default IPsec VPN</descr>
      </rule>


      The tunnel is working after a fresh boot of the pfSense box, but only until the ISP changes the IP. After that has happened the tunnel is being re-established, but no traffic passes through:

      Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP dynamicip[0]->fixedip[0] spi=215560106(0xcd92faa)
      Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP fixedip[0]->dynamicip[0] spi=66683697(0x3f98331)
      Apr 8 09:36:22 	racoon: [Site A <---> Site B]: INFO: respond new phase 2 negotiation: dynamicip[0]<=>fixedip[0]
      Apr 8 09:36:21 	racoon: [Site A <---> Site B]: INFO: ISAKMP-SA established dynamicip[500]-fixedip[500] spi:3e445b608827e73a:db4ceec3507b2aee
      

      I have to reboot the pfSense box to get the tunnel working again.

      [root@fw01.waedtgmbh.local]/root(1): ping 192.168.88.254
      PING 192.168.88.254 (192.168.88.254): 56 data bytes
      36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  20 5400 4cc3   0 0000  3f  01 33be 85.181.139.172  192.168.88.254
      
      36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
      Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
       4  5  20 5400 8a4b   0 0000  3f  01 f635 85.181.139.172  192.168.88.254
      

      This is the ping output from the pfSense SSH shell. I tried to ping the LAN IP of the remote gateway, and it seems that pfSense is routing this traffic to its default gateway, which in my case is Hansenet.

      Any help would be really, really appreciated. Rebooting the pfSense box once a day is not so funny.

      Regards,
      Martin

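A configuration sanity check, added here as an example and not part of the original thread or of pfSense itself: it parses a tunnel element in the shape the poster pasted and flags a remote-subnet that overlaps the local LAN (in the configs as pasted, each remote-subnet is the same net as that site's own LAN NET) along with phase 1 settings that no longer meet current guidance. The sample XML is constructed, the gateway name home.example.invalid is a placeholder, and the LAN net used is the one listed for Site A.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the pfSense 1.2.x <tunnel> posted above;
# the gateway name is a placeholder, the subnets are the ones the post lists.
SITE_A_LAN = "192.168.88.0/24"   # "LAN NET" as given for Site A
SITE_A_TUNNEL = """<tunnel>
  <interface>wan</interface>
  <local-subnet><network>lan</network></local-subnet>
  <remote-subnet>192.168.88.0/24</remote-subnet>
  <remote-gateway>home.example.invalid</remote-gateway>
  <p1>
    <mode>aggressive</mode>
    <encryption-algorithm>3des</encryption-algorithm>
    <hash-algorithm>md5</hash-algorithm>
    <dhgroup>2</dhgroup>
  </p1>
  <p2><protocol>esp</protocol><pfsgroup>2</pfsgroup></p2>
</tunnel>"""

# Phase 1 choices that no longer meet current guidance.
WEAK_P1 = {"encryption-algorithm": {"des", "3des"}, "hash-algorithm": {"md5"}}
SMALL_DH = {"1", "2"}


def review_tunnel(xml_text, lan_cidr):
    """Return findings for one <tunnel>; an empty list means nothing flagged."""
    t = ET.fromstring(xml_text)
    findings = []
    local = t.findtext("local-subnet/network")
    local_net = ipaddress.ip_network(lan_cidr if local == "lan" else local, strict=False)
    remote_net = ipaddress.ip_network(t.findtext("remote-subnet"), strict=False)
    # Phase 2 selectors: if the remote subnet is the local subnet, no SPD
    # entry covers traffic for the far side, so it is never sent into the tunnel.
    if local_net.overlaps(remote_net):
        findings.append(f"remote-subnet {remote_net} overlaps local subnet {local_net}")
    p1 = t.find("p1")
    if p1 is not None:
        if p1.findtext("mode") == "aggressive":
            findings.append("phase 1 uses aggressive mode")
        for tag, weak in WEAK_P1.items():
            val = p1.findtext(tag)
            if val in weak:
                findings.append(f"phase 1 {tag} '{val}' is deprecated")
        if p1.findtext("dhgroup") in SMALL_DH:
            findings.append(f"phase 1 DH group {p1.findtext('dhgroup')} is too small")
    return findings
```

The same function can be run over Site B's tunnel with its own LAN NET (192.168.77.0/24) as the second argument.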
      rpsmith:

        Switch to site-to-site OpenVPN and I think you will see your VPN problems disappear. I love IPsec, but I haven't found it to be reliable unless both ends have a static IP. Site-to-site OpenVPN has been rock solid with one end static and the other end dynamic.

        Roy…
