IPsec tunnel stalled if peer IP is updated

  • … until restarting racoon.

    DPD is enabled, but racoon didn't recognize that the other side doesn't respond.

    Changing "Proposal Checking" doesn't work.

  • Please provide logs and a more thorough, detailed description of your setup.

  • Is it a pfSense to pfSense VPN? If it is not a pfSense box on the other end try disabling DPD.
    Also check System-Advanced-Misc if you enabled the 'Prefer older IPsec SAs' checkbox…

    Also, ermal meant log file outputs, not the config...

  • First I had to collect new log files.
    Prefer older IPsec SAs is disabled.

    I'm using a bintec R1200 and DPD works. I have 10 more bintec routers, which work perfectly if no IP changes.
    15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: received request sequence 447
    15:33:29 DEBUG/IPSEC: P1: peer 1 (ZMT) sa 6 (I): DPD: sent response sequence 447

    If I restart the DSL (to get a new IP) on the bintec, the bintec tries to connect to the pfSense.
    The pfSense log:
    racoon: [peer1]: WARNING: remote address mismatched. db=[500], act=[500]
    racoon: ERROR: couldn't find configuration.

    But the pfSense didn't recognize the missing response on DPD and doesn't try to connect to the bintec.

    I think the pfSense never tries to connect to the bintec.

  • Now I deleted the peer address on the bintec, so it cannot connect to the pfSense.

    If I reset the IPsec tunnel, the SAs on the pfSense are deleted and the tunnel is reconnected.
    But if I reset the DSL interface, the SAs are not deleted and the pfSense doesn't try to connect.

    Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=[500], act=[500]
    Dec 6 16:22:01 last message repeated 3 times
    Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired[500]-[500] spi:4f16c0ea903cc9b3:947e20042effbb12
    Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.
    Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted[500]-[500] spi:4f16c0ea903cc9b3:947e20042effbb12

    If I enable the bintec to connect to the pfSense, I get:
    racoon: ERROR: couldn't find configuration
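    As an added example (not code from the thread or from pfSense), a small Python detector that scans racoon syslog lines for the message types quoted above and flags a tunnel that racoon tore down, or refused because of a peer address change, without logging a reload afterwards. The sample lines are constructed from the messages shown in this thread, and the exact wording of the 'Reloading IPsec tunnel' message is assumed.

```python
import re

# Constructed sample, modelled on the racoon lines quoted in the thread above.
SAMPLE_LOG = """\
Dec 6 16:21:55 racoon: [peer1]: WARNING: remote address mismatched. db=[500], act=[500]
Dec 6 16:22:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA expired[500]-[500] spi:4f16c0ea903cc9b3:947e20042effbb12
Dec 6 16:22:02 racoon: INFO: DPD: remote (ISAKMP-SA spi=4f16c0ea903cc9b3:947e20042effbb12) seems to be dead.
Dec 6 16:22:03 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA deleted[500]-[500] spi:4f16c0ea903cc9b3:947e20042effbb12
Dec 6 16:22:10 racoon: ERROR: couldn't find configuration.
"""

# One regex per racoon message type that matters for this symptom.
# The "reload" wording is assumed; racoon's exact text may differ per version.
PATTERNS = {
    "mismatch": re.compile(r"\[(?P<peer>[^\]]+)\]: WARNING: remote address mismatched"),
    "no_config": re.compile(r"ERROR: couldn't find configuration"),
    "sa_expired": re.compile(r"ISAKMP-SA expired"),
    "dpd_dead": re.compile(r"DPD: remote \(ISAKMP-SA spi=(?P<spi>[0-9a-f]+:[0-9a-f]+)\) seems to be dead"),
    "sa_deleted": re.compile(r"ISAKMP-SA deleted.*spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)"),
    "reload": re.compile(r"Reloading IPsec tunnel"),
}


def analyze(log_text):
    """Summarise peer-IP-change symptoms in racoon syslog text.

    Returns per-message-type counts, the peers whose address mismatched, the
    SPIs that DPD declared dead or that were deleted, and a 'stalled' verdict:
    a failure message was seen and no tunnel reload was logged after it.
    """
    summary = {"counts": {k: 0 for k in PATTERNS}, "mismatch_peers": set(),
               "dead_spis": set(), "deleted_spis": set()}
    last_reload, last_failure = -1, -1
    for idx, line in enumerate(log_text.splitlines()):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            summary["counts"][kind] += 1
            if kind == "mismatch":
                summary["mismatch_peers"].add(m.group("peer"))
            elif kind == "dpd_dead":
                summary["dead_spis"].add(m.group("spi"))
            elif kind == "sa_deleted":
                summary["deleted_spis"].add(m.group("spi"))
            if kind == "reload":
                last_reload = idx
            else:
                last_failure = idx
    summary["stalled"] = last_failure >= 0 and last_reload < last_failure
    return summary


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

    A `stalled` verdict on a live log is the cue to check the peer's new address and restart or reload racoon, rather than waiting for DPD to bring the tunnel back on its own.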

  • Do you have any entry similar to this in the logs?
    'Reloading IPsec tunnel' etc.

  • Sorry, I don't have such nice things.