Ipsec dies after a while



  • Hi,
    I'm running pfSense with IPsec configured to several sites, all running Zyxel ZyWALL VPN appliances. The VPNs are working great, but sometimes they "freeze", which means that no traffic at all passes through the VPN. I've tried the "ping host" option to keep the VPN alive, but it didn't solve the problem, and the logs (under System -> Logs -> IPsec) do not show me any error or VPN tunnel down. The SAs are all running under the IPsec status report.
    If I restart the IPsec service all the VPNs start to work immediately.
    Any idea on how to investigate?


  • Rebel Alliance Developer Netgate

    Have you tried to check System > Advanced, Prefer old IPsec SAs?



  • Thanks,
    I've checked and I will see if this works.
    In the meantime I've found in the logs this message that could be related to your suggestion:

    racoon: ERROR: phase2 negotiation failed due to phase1 expired. 0266fcd8447abd70:10c4cae581ed1e19:00009cf8
    


  • No way, today the VPNs died again, and the only way to restore them was to disable and re-enable the IPsec service.
    The only things I found in the IPsec logs are the following lines:

    May 24 06:43:55 	racoon: WARNING: trns_id mismatched: my:3DES peer:DES
    May 24 06:43:55 	racoon: WARNING: trns_id mismatched: my:3DES peer:AES
    May 24 06:43:55 	racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
    May 24 06:43:55 	racoon: WARNING: trns_id mismatched: my:3DES peer:DES

    This seems to me something that has nothing to do with my VPNs, since this error should make it impossible to establish the connection.
    If, when the VPN is dead, I connect to the shell of the pfSense box and try to ping a host on the other side of the tunnel, I see in the logs that the connection seems established.
    This is quite problematic and I'd like to find a solution as soon as possible. Any idea?



  • Maybe one detail that can be interesting: the IPsec connection is closed during the night, that is, when it is unused.
    However, I've got a ping host definition in the IPsec rule.



  • Last night I left a ping running from one machine on one side of the tunnel to another machine, and the IPsec tunnel didn't die. Does this mean that the tunnel is "broken" when no more traffic passes through it?
    Moreover, I found this in the IPsec logs; maybe it is helpful to find out what the problem is:

    May 25 06:00:15 	racoon: [Net1 <-> Net2]: ERROR: pfkey DELETE received: ESP 85.XX.XX.XX[0]->85.XX.XX.XX[0] spi=396881936(0x17a7f010)
    May 25 06:00:15 	racoon: [Net1 <-> Net2]: INFO: IPsec-SA established: ESP 85.XX.XX.XX[0]->85.XX.XX.XX[0] spi=2994476771(0xb27c16e3)
    May 25 06:00:15 	racoon: [Net1 <-> Net2]: INFO: IPsec-SA established: ESP 85.XX.XX.XX[0]->85.XX.XX.XX[0] spi=62108670(0x3b3b3fe)

    Any idea about the pfkey delete?



  • When checking into my own problems I saw this and remembered it:

    http://doc.pfsense.org/index.php/IPsec_Troubleshooting

    ERROR: pfkey DELETE received

    You might see this message repeatedly as Phase 2 is renegotiated between two endpoints (for multiple subnets). The tunnels still work, but traffic may be delayed while the tunnel is switched/reestablished. (more research needed for possible solutions)
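As an added example (not from this thread, pfSense or racoon), a small Python classifier for the racoon messages quoted above: it separates a pfkey DELETE that is immediately followed by a new IPsec-SA (a rekey, as the doc excerpt describes) from one that is never followed by a new SA, and surfaces the phase1-expired error and the proposal-mismatch warnings. The sample log is constructed from the lines in this thread; the timestamp on the phase1 line is invented, and the event names and the 5-second flap window are my own choices.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample from the racoon lines quoted in this thread (07:10:02 timestamp invented).
SAMPLE_LOG = """\
May 24 06:43:55 racoon: WARNING: trns_id mismatched: my:3DES peer:DES
May 24 06:43:55 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
May 24 07:10:02 racoon: ERROR: phase2 negotiation failed due to phase1 expired. 0266fcd8447abd70:10c4cae581ed1e19:00009cf8
May 25 06:00:15 racoon: [Net1 <-> Net2]: ERROR: pfkey DELETE received: ESP 85.XX.XX.XX[0]->85.XX.XX.XX[0] spi=396881936(0x17a7f010)
May 25 06:00:15 racoon: [Net1 <-> Net2]: INFO: IPsec-SA established: ESP 85.XX.XX.XX[0]->85.XX.XX.XX[0] spi=2994476771(0xb27c16e3)
May 25 06:00:15 racoon: [Net1 <-> Net2]: INFO: IPsec-SA established: ESP 85.XX.XX.XX[0]->85.XX.XX.XX[0] spi=62108670(0x3b3b3fe)
"""
# syslog timestamp, optional "[tunnel]:" tag, level, free-text message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon:\s*"
                     r"(?:\[(?P<tunnel>[^\]]+)\]:\s*)?(?P<level>[A-Z]+):\s*(?P<msg>.*)$")
KINDS = [("phase1_expired", re.compile(r"phase1 expired")),
         ("proposal_mismatch", re.compile(r"mismatched: my:(\S+) peer:(\S+)")),
         ("sa_deleted", re.compile(r"pfkey DELETE received.*spi=(\d+)")),
         ("sa_established", re.compile(r"IPsec-SA established.*spi=(\d+)"))]

def parse_line(line):
    # Returns {ts, tunnel, level, msg, kind, detail} or None for non-racoon lines.
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog carries no year
    ev["tunnel"] = ev["tunnel"] or "(untagged)"
    hits = [(k, rx.search(ev["msg"])) for k, rx in KINDS]
    ev["kind"], ev["detail"] = next(((k, h.groups()) for k, h in hits if h), ("other", ()))
    return ev

def analyse(log_text, flap_window_s=5):
    # Count event kinds and flag the patterns discussed in the thread.
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    counts = Counter(e["kind"] for e in events)
    findings = []
    if counts["phase1_expired"]:
        findings.append("phase1 expired mid-rekey: check Phase 1 lifetimes on both peers / 'Prefer old IPsec SAs'")
    mism = sorted({e["detail"] for e in events if e["kind"] == "proposal_mismatch"})
    if mism:
        findings.append("proposal mismatches (mine/peer): " + ", ".join("/".join(p) for p in mism))
    pending = {}  # tunnel -> time of last pfkey DELETE not yet followed by a new SA
    for e in events:
        if e["kind"] == "sa_deleted":
            pending[e["tunnel"]] = e["ts"]
        elif e["kind"] == "sa_established" and e["tunnel"] in pending:
            gap = (e["ts"] - pending.pop(e["tunnel"])).total_seconds()
            verdict = "renegotiation, not an outage" if gap <= flap_window_s else "slow rekey"
            findings.append(f"{e['tunnel']}: SA deleted, new SA after {gap:.0f}s ({verdict})")
    findings += [f"{t}: SA deleted and never re-established in this log" for t in pending]
    return {"counts": dict(counts), "findings": findings}
```

Feed it the output of clog /var/log/ipsec.log (or the copied log text) and a DELETE with no matching "IPsec-SA established" is the line to chase.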

