IPSec stops working after IP Change on one Site
-
Hello forum,
after googling my ass off and browsing/searching the pfsense forums/lists for hours i decided to post and hope to get some help with my IPSec Problem.
Setup:
Site A:
PFSense 1.2.3-RELEASE
WAN IP: dynamic with DYNDNS
LAN IP: 192.168.88.254
LAN NET: 192.168.88.0/24− <ipsec><preferredoldsa><enable>− <tunnel><interface>wan</interface> − <local-subnet><network>lan</network></local-subnet> <remote-subnet>192.168.88.0/24</remote-subnet> <remote-gateway>home.XXXXXXXX.net</remote-gateway> <dpddelay>− <p1><mode>aggressive</mode> − <myident><fqdn>office.XXXXXXX.net</fqdn></myident> <encryption-algorithm>3des</encryption-algorithm> <hash-algorithm>md5</hash-algorithm> <dhgroup>2</dhgroup> <lifetime>1200</lifetime> <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key> <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1> − <p2><protocol>esp</protocol> <encryption-algorithm-option>3des</encryption-algorithm-option> <hash-algorithm-option>hmac_sha1</hash-algorithm-option> <hash-algorithm-option>hmac_md5</hash-algorithm-option> <pfsgroup>2</pfsgroup> <lifetime>1200</lifetime></p2> <descr>Site A <---> Site B</descr> <pinghost>192.168.88.254</pinghost></dpddelay></tunnel> <preferoldsa></preferoldsa></enable></preferredoldsa></ipsec><rule><type>pass</type> <descr>Default LAN -> any</descr> <interface>lan</interface> − <source> <network>lan</network> − <destination><any></any></destination></rule> − <rule><type>pass</type> <interface>enc0</interface> <max-src-nodes><max-src-states><statetimeout><statetype>keep state</statetype> <os>− <source> <any>− <destination><any></any></destination> <log><descr>any to any over ipsec</descr></log></any></os></statetimeout></max-src-states></max-src-nodes></rule>Site B:
m0n0wall 1.31
WAN IP: fixed
LAN IP: 192.168.77.254
LAN NET: 192.168.77.0/24<tunnel><dpddelay><interface>wan</interface> − <local-subnet><network>lan</network></local-subnet> <remote-subnet>192.168.77.0/24</remote-subnet> <remote-gateway>office.XXXXXX.net</remote-gateway> − <p1><mode>aggressive</mode> − <myident><fqdn>home.XXXXXXXX.net</fqdn></myident> <encryption-algorithm>3des</encryption-algorithm> <hash-algorithm>md5</hash-algorithm> <dhgroup>2</dhgroup> <lifetime>1200</lifetime> <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key> <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></p1> − <p2><protocol>esp</protocol> <encryption-algorithm-option>3des</encryption-algorithm-option> <hash-algorithm-option>hmac_sha1</hash-algorithm-option> <hash-algorithm-option>hmac_md5</hash-algorithm-option> <pfsgroup>2</pfsgroup> <lifetime>1200</lifetime></p2> <descr>Site A <---> Site B</descr></dpddelay></tunnel><rule><type>pass</type> <descr>Default LAN -> any</descr> <interface>lan</interface> − <source> <network>lan</network> − <destination><any></any></destination></rule> − <rule><type>pass</type> <interface>ipsec</interface> − <source> <any>− <destination><any></any></destination> <descr>Default IPsec VPN</descr></any></rule>The Tunnel is working after a fresh boot of the pfsense box. But only until the ISP changes the IP. After that happened the tunnel is beeing reestatblished but no traffic pass through
Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP dynamicip[0]->fixedip[0] spi=215560106(0xcd92faa) Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP fixedip[0]->dynamicip[0] spi=66683697(0x3f98331) Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: respond new phase 2 negotiation: dynamicip[0]<=>fixedip[0] Apr 8 09:36:21 racoon: [Site A <---> Site B]: INFO: ISAKMP-SA established dynamicip[500]-fixedip[500] spi:3e445b608827e73a:db4ceec3507b2aeeI have to reboot the PFSENSE Box to get the tunnel working again.
[root@fw01.waedtgmbh.local]/root(1): ping 192.168.88.254 PING 192.168.88.254 (192.168.88.254): 56 data bytes 36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 20 5400 4cc3 0 0000 3f 01 33be 85.181.139.172 192.168.88.254 36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 20 5400 8a4b 0 0000 3f 01 f635 85.181.139.172 192.168.88.254This is the ping output from the pfsense ssh shell. i tried to ping the lan ip of the remote gateway and it seems that pfsense ist routing this traffic to its default gateway , which is in my case hansenet.
any help woul be really really apreciated. rebooting the pfsense box once a day is not so funny.
regards
martin -
switch to site-site OpenVPN and I think you will see your VPN problems disappear. I love IPSec but I haven't found it to be reliable unless both ends have a static IP. site-site OpenVPN has been rock solid with one end static and the other end dynamic.
Roy…