Racoon must be restarted after a PPTP client disconnects
If a PPTP client disconnects from the public interface on WAN1 (pppoe, dynamic IP), all active TCP sessions that go through IPsec tunnels vi WAN2 (PPPoE, fixed IP) are interrupted and it is not possible to reconnect.
The IPsec tunnels stay connected all the time (IPsec status page, IPsec log).
Reloading the Firewall rules does not help, reloading the IPsec configuration does not help, but manually restarting the racoon service makes it possible to re-establish the connections through the IPsec tunnels.
I did tests with several versions of pfSense starting from 30.08. until 19.09. but they behave all in the same way.
Here is my set-up in more detail:
/- WAN1 (PPPoE, dynamic IP, tier 1, PPTP server) -
internal LAN –- LAN - pfsense --- WAN2 (PPPoE, fixed IP, tier 1, IPsec endpoint) --- internet (PPTP clients, Cisco ASA, etc.)
- WAN3 (PPPoE, dynamic IP, tier 1) -/
I have a FW rule for the LAN interface that sends all traffic coming from the internal LAN and going to the remote side of the IPsec tunnel to the default gateway. This seems works pretty well for the outgoing traffic via IPsec tunnel.
I tried to find out how racoon works on pfSense (no "visible" interfaces) but failed to find any conclusive documentation (route and ifconfig do not work here).
There is no logging that points to an obvious error.
Currently I assume that there may be an issue with mpd or pfctrl because they are called when the PPTP client disconnects.
Any help is appreciated :)
I'd be curious to know if you go back to August 8th-August 10th or so if the same thing happens.
Around that time we backed ipsec-tools (which includes racoon) down to 0.7.3 from 0.8 because of other issues.
Any snapshot before this commit should be on ipsec-tools 0.8:
commit 2c46f8f543a7f022bf432b1efb9c64dadc6e0a31 Author: jim-p Date: Tue Aug 10 12:42:54 2010 -0400 Bump ipsec-tools to 0.7.3 and switch from ipsec-tools-devel to ipsec-tools, to see if it behaves better than 0.8
If I remember correctly, I did just that yesterday by starting with pfSense 1.2.3 that was initially on my ALIX box and upgrading that to 2.0 BETA4 from 6th of August using the configuration I backed up from 2.0 BETA4 from 30th of August.
Currently I am using 2.0 BETA4 from 30th of August and live with the minor inconvenience of the gateway/loadbalancing problem.
There is a new interesting phenomena here: Yesterday I booted the box several times and did tests with a outgoing IPsec tunnel and an incoming PPTP connection and I always had to restart racoon manually after the PPTP connection was closed by the client to get data through the tunnel again.
From yesterday to today the box stayed up. The WAN1 and WAN2 are explicitly disconnected on schedule at 1:00 am respectively 3:00 am. According to the logs racoon was automatically restarted each time although the IPsec connection is defined for the WAN2 interface with the fixed I that does not need to be disconnected and reconnected. Now I can connect and disconnect the PPTP client and do not need to restart racoon to get new data through the tunnel. Because I am currently on the PPTP side I do not know if active connections through the tunnel get disconnected when the PPTP client disconnects (but I will try to find out later).
The net result is: pfsense 2.0 BETA4 from 30th of August operates differently in respected to the problem when booting or manually restarting racoon :( or when a PPPoE link is disconnected and reconnected on schedule :).
Just tested if outgoing session through IPsec tunnel stays up if a PPTP clients disconnects with 2.0 BETA4 from 30th of August.
The answer is: No it doesn't (but reconnecting works without restarting racoon).