IPsec tunnel stalled if peer IP is updated
… until restarting racoon.
DPD is enabled, but racoon didn't recognize that the other side doesn't respond.
Changing "Proposal Checking" doesn't work.
eri-- last edited by
Please provide logs and a more thorough, detailed description of your setup.
jlepthien last edited by
Is it a pfSense to pfSense VPN? If it is not a pfSense box on the other end try disabling DPD.
Also check System-Advanced-Misc if you enabled the 'Prefer older IPsec SAs' checkbox…
Also ermal meant logfile outputs, not the config...
First I had to collect new logfiles.
Prefer older IPsec SAs is disabled.
I'm using a bintec R1200 and DPD works. I have 10 more bintec routers, which work perfectly if no IP changes.
15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: received request sequence 447
15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: sent response sequence 447
If I restart the DSL (to get a new IP) on the bintec, the bintec tries to connect to the pfsense.
The pfsense log:
racoon: [peer1]: WARNING: remote address mismatched. db=18.104.22.168, act=22.214.171.124
racoon: ERROR: couldn't find configuration.
But the pfsense didn't recognize the missing response on DPD and doesn't try to connect to the bintec.
I think the pfsense never tries to connect to the bintec.
Now I deleted the peer address on the bintec, so it cannot connect to the pfsense.
If I reset the IPsec tunnel, the SAs on the pfsense are deleted and the tunnel is reconnected.
But if I reset the DSL interface, the SAs are not deleted and the pfsense didn't try to connect.
Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=126.96.36.199, act=188.8.131.52
Dec 6 16:22:01 last message repeated 3 times
Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 184.108.40.206-220.127.116.11 spi:4f16c0ea903cc9b3:947e20042effbb12
Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.
Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 18.104.22.168-22.214.171.124 spi:4f16c0ea903cc9b3:947e20042effbb12
If I enable the bintec to connect to the pfsense, I get:
racoon: ERROR: couldn't find configuration
eri-- last edited by
Do you have any entry similar to this in logs?
'Reloading IPsec tunnel' etc.
Sorry, I don't have such nice things.
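An added example, not part of the thread and not pfSense or racoon code: a small Python parser for the racoon syslog lines posted above. It counts the "remote address mismatched" warnings (including syslogd's "last message repeated" lines) and measures how long the old ISAKMP-SA stayed up after the peer first appeared from a new address. The function name `summarize` and the `year` default are assumptions; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Log lines copied from the post above, unchanged.
SAMPLE = [
    "Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=126.96.36.199, act=188.8.131.52",
    "Dec 6 16:22:01 last message repeated 3 times",
    "Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 184.108.40.206-220.127.116.11 spi:4f16c0ea903cc9b3:947e20042effbb12",
    "Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.",
    "Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 18.104.22.168-22.214.171.124 spi:4f16c0ea903cc9b3:947e20042effbb12",
]

LINE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(.*)$")
MISMATCH = re.compile(r"remote address mismatched\. db=(\S+), act=(\S+)")
REPEAT = re.compile(r"last message repeated (\d+) times")
DPD_DEAD = re.compile(r"DPD: remote \(ISAKMP-SA spi=([0-9a-f:]+)\) seems to be dead")
SA_DELETED = re.compile(r"ISAKMP-SA deleted \S+ spi:([0-9a-f:]+)")


def summarize(lines, year=2000):
    """Correlate mismatch warnings with DPD/SA deletion; `year` is assumed (syslog has none)."""
    report = {"mismatches": 0, "pairs": set(), "first_mismatch": None,
              "dpd_dead": set(), "deleted": set(), "stale_seconds": None}
    prev_was_mismatch = False
    for line in lines:
        parsed = LINE.match(line)
        if not parsed:
            continue  # untimestamped or foreign line
        when = datetime.strptime(f"{year} {parsed.group(1)}", "%Y %b %d %H:%M:%S")
        msg = parsed.group(2)
        if m := REPEAT.search(msg):
            # syslogd collapses duplicates; credit them to the previous message
            if prev_was_mismatch:
                report["mismatches"] += int(m.group(1))
            continue
        prev_was_mismatch = False
        if m := MISMATCH.search(msg):
            report["mismatches"] += 1
            report["pairs"].add((m.group(1), m.group(2)))
            report["first_mismatch"] = report["first_mismatch"] or when
            prev_was_mismatch = True
        elif m := DPD_DEAD.search(msg):
            report["dpd_dead"].add(m.group(1))
        elif m := SA_DELETED.search(msg):
            report["deleted"].add(m.group(1))
            if report["first_mismatch"] and report["stale_seconds"] is None:
                report["stale_seconds"] = int((when - report["first_mismatch"]).total_seconds())
    return report
```

Calling `summarize(SAMPLE)` gives the mismatch count, the db/act address pairs, the SPIs that DPD declared dead or that were deleted, and the seconds between the first mismatch and the SA deletion.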