One way traffic

  • I have an issue where I get one-way traffic with pfSense. As far as I can make out, pfSense doesn't always tear down the old tunnel when the new one is created. This, I believe, makes PF use the old tunnels rather than the new ones.

    I am having this issue connecting to Cisco and DrayTek kit. I tried to resolve this by setting the DPD to 5, but yet the old tunnel stays up when the other side doesn't have anything shown. When the one-way comms occur, on the SAD page you can see that there are 4 tunnels instead of just one. The only way I have found to fix this is to delete the old tunnels.

    Does anyone have any suggestions on what is causing this?
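A check for the symptom described in the post above (an added example, not code from the thread or from pfSense): it parses `setkey -D`-style SAD output, counts SAs per endpoint pair (a healthy tunnel has exactly two, one per direction), and builds `setkey -c` delete lines for the older SA in each direction so the stale pair can be removed without clicking through the SAD page. The sample SAD text is constructed, its field layout is assumed to match the racoon/ipsec-tools era, and the addresses and SPIs are placeholders.

```python
"""Find stale IPsec Phase 2 SAs (duplicate tunnels) in setkey -D style output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (assumed layout, not captured from a real box): one tunnel
# between 192.0.2.1 and 198.51.100.1 that was rekeyed once without the old pair
# being torn down, so the SAD shows four entries instead of two.
SAMPLE_SAD = """\
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
\tE: aes-cbc  0123456789abcdef0123456789abcdef
\tA: hmac-sha1  0123456789abcdef0123456789abcdef01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  5 10:00:00 2013\tcurrent: Jan  5 10:40:00 2013
198.51.100.1 192.0.2.1
\tesp mode=tunnel spi=305419897(0x12345679) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  5 10:00:00 2013\tcurrent: Jan  5 10:40:00 2013
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  5 10:30:00 2013\tcurrent: Jan  5 10:40:00 2013
198.51.100.1 192.0.2.1
\tesp mode=tunnel spi=2271560482(0x87654322) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  5 10:30:00 2013\tcurrent: Jan  5 10:40:00 2013
"""

ENDPOINT_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")          # unindented "src dst" line
SPI_RE = re.compile(r"\bspi=(\d+)")                       # decimal SPI before the hex form
CREATED_RE = re.compile(r"created:\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})")


def parse_sad(text):
    """Return one dict per SA with src, dst, spi (int) and created (datetime)."""
    sas = []
    current = None
    for line in text.splitlines():
        if not line.startswith(("\t", " ")):
            m = ENDPOINT_RE.match(line)
            if m:
                current = {"src": m.group(1), "dst": m.group(2), "spi": None, "created": None}
                sas.append(current)
            continue
        if current is None:
            continue
        m = SPI_RE.search(line)
        if m:
            current["spi"] = int(m.group(1))
        m = CREATED_RE.search(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse the padded day field
            current["created"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return [sa for sa in sas if sa["spi"] is not None]


def tunnel_counts(sas):
    """Number of SAs per unordered endpoint pair; anything above 2 is a leftover."""
    counts = defaultdict(int)
    for sa in sas:
        counts[frozenset((sa["src"], sa["dst"]))] += 1
    return dict(counts)


def find_stale(sas):
    """Keep the newest SA per direction; every older one is left over from a rekey."""
    by_direction = defaultdict(list)
    for sa in sas:
        by_direction[(sa["src"], sa["dst"])].append(sa)
    stale = []
    for group in by_direction.values():
        group.sort(key=lambda sa: sa["created"] or datetime.min)
        stale.extend(group[:-1])
    return stale


def delete_commands(stale):
    """setkey -c input that removes the stale SAs; review it before feeding it to setkey."""
    return ["delete %s %s esp 0x%08x;" % (sa["src"], sa["dst"], sa["spi"]) for sa in stale]


if __name__ == "__main__":
    sas = parse_sad(SAMPLE_SAD)
    for pair, n in tunnel_counts(sas).items():
        if n > 2:
            print("%s: %d SAs where 2 were expected" % (" <-> ".join(sorted(pair)), n))
    for cmd in delete_commands(find_stale(sas)):
        print(cmd)
```

Run it against real output with `setkey -D | python3 sad_check.py` after swapping `SAMPLE_SAD` for `sys.stdin.read()`; the delete lines can then be piped into `setkey -c`. Deleting the older SA is the same action as removing the stale entry on the SAD page, just scriptable, and it does nothing about why the rekey left the old pair behind.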

  • Rebel Alliance Developer Netgate

    System > Advanced, check "Prefer old IPsec SAs"

    I've had to check that often when working with devices from other vendors.

  • Cool, thanks, will give it a try.

  • Should the DPD not detect the dead tunnels?

  • Rebel Alliance Developer Netgate

    I believe DPD happens at the phase 1 (ISAKMP SA) level and not at the Phase 2 (IPsec SA) level where this issue happens.

  • Hmmm, this is a tough one, as the issue has been made easier with the above fix but it hasn't fixed it. Right now I have 10 inbound connections and 2 outbound with a DrayTek 2820. So this is a problem somewhere.

  • Is there any way to fix this, to stop multiple tunnels being created per VPN subnet?

  • Does anyone have any ideas how to stop this multiple tunnel issue?
