IPsec tunnel stalled if peer IP is updated



  • … until restarting racoon.

    DPD is enabled, but racoon didn't recognize that the other side doesn't respond.

    Changing "Proposal Checking" doesn't work.



  • Please provide logs and a more thorough, detailed description of your setup.



  • <phase1>
        <ikeid>5</ikeid>
        <interface>wan</interface>
        <remote-gateway>xxxx.dyndns.org</remote-gateway>
        <mode>aggressive</mode>
        <myid_type>fqdn</myid_type>
        <myid_data>hq1</myid_data>
        <peerid_type>fqdn</peerid_type>
        <peerid_data>xxxx</peerid_data>
        <encryption-algorithm>
            <name>aes</name>
            <keylen>128</keylen>
        </encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>3600</lifetime>
        <pre-shared-key>xxxxxxxxxxxxxxxxxxxxxxx</pre-shared-key>
        <private-key></private-key>
        <certref>4cdc19617089e</certref>
        <caref></caref>
        <authentication_method>pre_shared_key</authentication_method>
        <proposal_check>claim</proposal_check>
        <nat_traversal>off</nat_traversal>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
    </phase1>
    <phase2>
        <ikeid>5</ikeid>
        <mode>tunnel</mode>
        <localid>
            <type>network</type>
            <address>10.19.0.0</address>
            <netbits>22</netbits>
        </localid>
        <remoteid>
            <type>network</type>
            <address>192.168.1.0</address>
            <netbits>24</netbits>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
            <name>aes</name>
            <keylen>128</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>5</pfsgroup>
        <lifetime>3600</lifetime>
        <pinghost>192.168.1.1</pinghost>
    </phase2>



  • Is it a pfSense to pfSense VPN? If it is not a pfSense box on the other end try disabling DPD.
    Also check System-Advanced-Misc if you enabled the 'Prefer older IPsec SAs' checkbox…

    Also ermal meant logfile outputs, not the config...



  • First I had to collect new log files.
    Prefer older IPsec SAs is disabled.

    I'm using a bintec R1200 and DPD works. I have 10 more bintec routers, which work perfectly if no IP changes.
    15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: received request sequence 447
    15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: sent response sequence 447

    If I restart the DSL (to get a new IP) on the bintec, the bintec tries to connect to the pfSense.
    The pfSense log:
    racoon: [peer1]: WARNING: remote address mismatched. db=79.202.115.217[500], act=84.168.159.32[500]
    racoon: ERROR: couldn't find configuration.

    But the pfSense didn't recognize the missing response on DPD and doesn't try to connect to the bintec.

    I think the pfSense never tries to connect to the bintec.



  • Now I deleted the peer address on the bintec, so it cannot connect to the pfSense.

    If I reset the IPsec tunnel, the SAs on the pfSense are deleted and the tunnel is reconnected.
    But if I reset the DSL interface, the SAs are not deleted and the pfSense doesn't try to connect.

    Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=84.168.159.32[500], act=84.168.184.54[500]
    Dec 6 16:22:01 last message repeated 3 times
    Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12
    Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.
    Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12

    If I enable the bintec to connect to the pfSense I get:
    racoon: ERROR: couldn't find configuration
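The log lines in the post above show the sequence a defender wants to catch: racoon keeps matching the peer against the address it had in its database (db=) while the peer now negotiates from a new one (act=), DPD only declares the old SA dead later, and the fresh proposal from the new address finds no configuration. The following script is an added example, not code from the thread or from pfSense; it parses a phase1 fragment modelled on the posted config (remote-gateway and PSK redacted as in the post) together with the posted racoon lines, counts the rejected attempts per peer (including "last message repeated N times"), and reports peers whose address moved. Function names and the phase1 fragment are assumptions made for the example.

```python
"""Added example (not from the thread): correlate a pfSense phase1 entry with racoon
log lines to spot a peer whose address changed while racoon still holds the old SA."""
import re
import xml.etree.ElementTree as ET

# Constructed phase1 fragment modelled on the config.xml excerpt in the thread;
# hostname and PSK stay redacted exactly as the poster redacted them.
PHASE1_XML = """<phase1>
  <ikeid>5</ikeid>
  <interface>wan</interface>
  <remote-gateway>xxxx.dyndns.org</remote-gateway>
  <mode>aggressive</mode>
  <dpd_delay>10</dpd_delay>
  <dpd_maxfail>5</dpd_maxfail>
</phase1>"""

# Log lines as posted in the thread (the last one was posted without a timestamp).
SAMPLE_LOG = """Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=84.168.159.32[500], act=84.168.184.54[500]
Dec 6 16:22:01 last message repeated 3 times
Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12
Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.
Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted 178.26.171.103[500]-84.168.159.32[500] spi:4f16c0ea903cc9b3:947e20042effbb12
racoon: ERROR: couldn't find configuration"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
MISMATCH_RE = re.compile(
    r"racoon: \[(?P<peer>[^\]]+)\]: WARNING: remote address mismatched\. "
    r"db=(?P<db>[\d.]+)\[\d+\], act=(?P<act>[\d.]+)\[\d+\]")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
DPD_DEAD_RE = re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f:]+)\) seems to be dead")
NOCONF_RE = re.compile(r"racoon: ERROR: couldn't find configuration")


def parse_phase1(xml_text):
    """Extract the fields that matter for a peer that changes address:
    whether remote-gateway is a hostname (resolved once at config load) and
    how long DPD needs (dpd_delay * dpd_maxfail) before it gives up on a peer."""
    root = ET.fromstring(xml_text)
    gateway = root.findtext("remote-gateway", "")
    delay = int(root.findtext("dpd_delay", "0"))
    maxfail = int(root.findtext("dpd_maxfail", "0"))
    return {
        "ikeid": root.findtext("ikeid"),
        "remote_gateway": gateway,
        "dynamic_peer": IPV4_RE.fullmatch(gateway) is None,
        "dpd_window_s": delay * maxfail,
    }


def analyze_log(lines):
    """Walk racoon log lines and collect address mismatches (with syslog
    'repeated N times' folded in), DPD dead verdicts and unmatched proposals."""
    counts, order, dead, unknown, last = {}, [], [], 0, ("other", None)
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            key = (m["peer"], m["db"], m["act"])
            if key not in counts:
                counts[key] = 0
                order.append(key)
            counts[key] += 1
            last = ("mismatch", key)
            continue
        m = REPEAT_RE.search(line)
        if m:  # syslog folded repeats of the previous line; attribute them to it
            if last[0] == "mismatch":
                counts[last[1]] += int(m["n"])
            elif last[0] == "noconf":
                unknown += int(m["n"])
            continue
        m = DPD_DEAD_RE.search(line)
        if m:
            dead.append(m["spi"])
            last = ("dead", m["spi"])
            continue
        if NOCONF_RE.search(line):
            unknown += 1
            last = ("noconf", None)
            continue
        last = ("other", None)
    return {
        "address_changes": [{"peer": p, "old": o, "new": n, "count": counts[(p, o, n)]}
                            for (p, o, n) in order],
        "dpd_dead": dead,
        "unknown_peer_attempts": unknown,
    }


def report(phase1, analysis):
    """Turn the parsed facts into operator findings."""
    findings = []
    for ch in analysis["address_changes"]:
        msg = (f"peer {ch['peer']} now negotiates from {ch['new']} but racoon still holds "
               f"the SA bound to {ch['old']} ({ch['count']} rejected attempts)")
        if phase1["dynamic_peer"]:
            msg += (f"; remote-gateway {phase1['remote_gateway']} is a hostname, so DPD needs "
                    f"up to {phase1['dpd_window_s']} s before it declares the old SA dead")
        findings.append(msg)
    if analysis["unknown_peer_attempts"]:
        findings.append(f"{analysis['unknown_peer_attempts']} proposal(s) arrived from an address "
                        "with no matching phase1: the gateway must be re-resolved and the tunnel reloaded")
    return findings


if __name__ == "__main__":
    for f in report(parse_phase1(PHASE1_XML), analyze_log(SAMPLE_LOG.splitlines())):
        print(f)
```

Feed it the IPsec log from Status, System Logs (or `clog /var/log/ipsec.log` on the box) instead of SAMPLE_LOG to turn it into a check that fires when a dynamic-DNS peer has moved and racoon is still rejecting it; the count of rejected attempts is the signal that a reload is overdue rather than DPD simply being slow.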



  • Do you have any entry similar to this in the logs?
    'Reloading IPsec tunnel' etc.



  • Sorry, I don't have such nice things.

