IPSec stops working after IP Change on one Site
-
Hello forum,
After googling my ass off and browsing/searching the pfSense forums/lists for hours, I decided to post and hope to get some help with my IPsec problem.
Setup:
Site A:
PFSense 1.2.3-RELEASE
WAN IP: dynamic with DYNDNS
LAN IP: 192.168.88.254
LAN NET: 192.168.88.0/24

    <ipsec>
      <enable/>
      <preferoldsa/>
      <tunnel>
        <interface>wan</interface>
        <local-subnet>
          <network>lan</network>
        </local-subnet>
        <remote-subnet>192.168.88.0/24</remote-subnet>
        <remote-gateway>home.XXXXXXXX.net</remote-gateway>
        <dpddelay/>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <fqdn>office.XXXXXXX.net</fqdn>
          </myident>
          <encryption-algorithm>3des</encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>1200</lifetime>
          <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>3des</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>1200</lifetime>
        </p2>
        <descr>Site A &lt;---&gt; Site B</descr>
        <pinghost>192.168.88.254</pinghost>
      </tunnel>
    </ipsec>
    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>enc0</interface>
      <max-src-nodes/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <source>
        <any/>
      </source>
      <destination>
        <any/>
      </destination>
      <log/>
      <descr>any to any over ipsec</descr>
    </rule>
Site B:
m0n0wall 1.31
WAN IP: fixed
LAN IP: 192.168.77.254
LAN NET: 192.168.77.0/24

    <tunnel>
      <interface>wan</interface>
      <local-subnet>
        <network>lan</network>
      </local-subnet>
      <remote-subnet>192.168.77.0/24</remote-subnet>
      <remote-gateway>office.XXXXXX.net</remote-gateway>
      <dpddelay/>
      <p1>
        <mode>aggressive</mode>
        <myident>
          <fqdn>home.XXXXXXXX.net</fqdn>
        </myident>
        <encryption-algorithm>3des</encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>1200</lifetime>
        <pre-shared-key>mysupersecretandverysecurepsk</pre-shared-key>
        <private-key/>
        <cert/>
        <peercert/>
        <authentication_method>pre_shared_key</authentication_method>
      </p1>
      <p2>
        <protocol>esp</protocol>
        <encryption-algorithm-option>3des</encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>1200</lifetime>
      </p2>
      <descr>Site A &lt;---&gt; Site B</descr>
    </tunnel>
    <rule>
      <type>pass</type>
      <descr>Default LAN -> any</descr>
      <interface>lan</interface>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any/>
      </destination>
    </rule>
    <rule>
      <type>pass</type>
      <interface>ipsec</interface>
      <source>
        <any/>
      </source>
      <destination>
        <any/>
      </destination>
      <descr>Default IPsec VPN</descr>
    </rule>
The tunnel is working after a fresh boot of the pfSense box, but only until the ISP changes the IP. After that happens, the tunnel is being re-established, but no traffic passes through:
    Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP dynamicip[0]->fixedip[0] spi=215560106(0xcd92faa)
    Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: IPsec-SA established: ESP fixedip[0]->dynamicip[0] spi=66683697(0x3f98331)
    Apr 8 09:36:22 racoon: [Site A <---> Site B]: INFO: respond new phase 2 negotiation: dynamicip[0]<=>fixedip[0]
    Apr 8 09:36:21 racoon: [Site A <---> Site B]: INFO: ISAKMP-SA established dynamicip[500]-fixedip[500] spi:3e445b608827e73a:db4ceec3507b2aee
I have to reboot the pfSense box to get the tunnel working again.
    [root@fw01.waedtgmbh.local]/root(1): ping 192.168.88.254
    PING 192.168.88.254 (192.168.88.254): 56 data bytes
    36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  20 5400 4cc3   0 0000  3f  01 33be 85.181.139.172  192.168.88.254
    36 bytes from ae0-101.cr02.muc.de.hansenet.net (213.191.88.94): Destination Net Unreachable
    Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
     4  5  20 5400 8a4b   0 0000  3f  01 f635 85.181.139.172  192.168.88.254
This is the ping output from the pfSense SSH shell. I tried to ping the LAN IP of the remote gateway, and it seems that pfSense is routing this traffic to its default gateway, which in my case is Hansenet.
Any help would be really, really appreciated. Rebooting the pfSense box once a day is not so funny.
Regards,
martin -
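An added diagnostic for the symptom in the post above (this is not from the thread and not pfSense code). It reads the kernel policy dump that `setkey -DP` (ipsec-tools, shipped with pfSense 1.2.3) prints and lists every tunnel policy whose local endpoint is not the WAN address you pass in. Policies are written with the WAN address current at the time they were installed; once the ISP moves the address, LAN traffic for the remote subnet no longer matches any policy and leaves unencrypted via the default route, which is what the quoted ping shows. The SPD sample below is constructed, and the addresses 203.0.113.10 (standing in for Site B's fixed address) and 85.181.140.9 (a hypothetical new WAN address) are assumptions, as are the function names.

```shell
#!/bin/sh
# Added diagnostic, not from the thread or from pfSense: report IPsec policies
# in the kernel SPD whose local tunnel endpoint no longer matches the WAN IP.

# stale_policies WAN_IP   (output of `setkey -DP` on stdin)
# Prints "<dir> <src> <dst> endpoint=<local address>" for every stale policy.
stale_policies() {
    awk -v wan="$1" '
        # policy header, e.g. "192.168.77.0/24[any] 192.168.88.0/24[any] any"
        /^[0-9]/ { src = $1; dst = $2; dir = ""; next }
        # direction line, e.g. "    out ipsec"
        $1 == "in" || $1 == "out" { dir = $1; next }
        # request line, e.g. "    esp/tunnel/85.181.139.172-203.0.113.10/unique#16386"
        $0 ~ "esp/tunnel/" {
            split($0, f, "/")              # f[3] is "<a>-<b>"
            split(f[3], ep, "-")           # out: a=local, b=remote; in: a=remote, b=local
            mine = (dir == "out") ? ep[1] : ep[2]
            if (mine != wan)
                printf "%s %s %s endpoint=%s\n", dir, src, dst, mine
        }
    '
}

# Constructed sample SPD: installed while the WAN address was 85.181.139.172;
# 203.0.113.10 is an assumed stand-in for Site B's fixed address.
SAMPLE_SPD='192.168.77.0/24[any] 192.168.88.0/24[any] any
    out ipsec
    esp/tunnel/85.181.139.172-203.0.113.10/unique#16386
    spid=1 seq=1 pid=2234
    refcnt=1
192.168.88.0/24[any] 192.168.77.0/24[any] any
    in ipsec
    esp/tunnel/203.0.113.10-85.181.139.172/unique#16386
    spid=2 seq=0 pid=2234
    refcnt=1'

# Number of stale policies in the sample for a given current WAN address:
# 0 while the address is unchanged, 2 once the ISP has moved it.
stale_count() {
    printf '%s\n' "$SAMPLE_SPD" | stale_policies "$1" | wc -l | tr -d ' '
}

# Live use on the firewall:  sh stale_spd.sh <current WAN address>
# Any output means the SPD and racoon still carry the old address and must be
# regenerated with the new one, which is what the daily reboot is doing now.
if [ -n "${1:-}" ] && command -v setkey >/dev/null 2>&1; then
    setkey -DP | stale_policies "$1"
fi
```

Two checks worth making alongside this: the quoted ICMP header shows the WAN address (85.181.139.172) as Src, because a plain `ping` from the firewall picks the WAN address as source, and a WAN-sourced packet never matches a LAN-to-LAN policy even when the tunnel is healthy, so test from the shell with `ping -S <this box's LAN address> 192.168.88.254` (FreeBSD ping's `-S` selects the source address). And `setkey -D` dumps the SAs the same way, so the endpoints racoon negotiated (the `IPsec-SA established` lines in the log) can be compared against the endpoints the policies expect.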
Switch to site-to-site OpenVPN and I think you will see your VPN problems disappear. I love IPsec, but I haven't found it to be reliable unless both ends have a static IP. Site-to-site OpenVPN has been rock solid with one end static and the other end dynamic.
Roy…
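The arrangement Roy describes, as an added illustration in raw OpenVPN config syntax (not from the thread, and not how either poster set it up): a static-key point-to-point tunnel where only the fixed end (home.XXXXXXXX.net, Site B per the post) is named, so the dynamic end can change address without either side knowing the other's address in advance. The tunnel addresses 10.8.0.1/10.8.0.2, the port, and the key path are assumptions; the LAN subnets follow the post's summary.

```conf
# --- Site B, fixed WAN address (home.XXXXXXXX.net): listens, needs no "remote" ---
dev tun
proto udp
port 1194
ifconfig 10.8.0.1 10.8.0.2          # tunnel endpoints (assumed)
secret /etc/openvpn/static.key      # shared key created with: openvpn --genkey --secret static.key
route 192.168.88.0 255.255.255.0    # Site A LAN, as listed in the post
float                               # keep the session when the peer's packets arrive from a new address
keepalive 10 60
persist-key
persist-tun

# --- Site A, dynamic WAN address: initiates, names only the fixed end ---
dev tun
proto udp
nobind
remote home.XXXXXXXX.net 1194
ifconfig 10.8.0.2 10.8.0.1
secret /etc/openvpn/static.key
route 192.168.77.0 255.255.255.0    # Site B LAN, as listed in the post
keepalive 10 60                     # if the link goes silent after an address change, the tunnel restarts from the new address
persist-key
persist-tun
```

The two directives that carry the dynamic-IP case are `float` on the fixed end, which accepts authenticated packets from a changed source address instead of dropping them, and `keepalive` on both ends, which makes the dynamic side tear down and re-initiate when its old session stops getting replies. The static key must be identical on both sides and is the only authentication here, so keep it off any shared medium and rotate it if either box is ever exposed.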