IPSec tunnel drops, Multiple SADs listed

  • I have an IPSec tunnel between sites and it sometimes gets into the situation where one site has multiple SAs associated and traffic stops flowing. When I remove the associations not listed on the other firewall, traffic starts flowing again. The "good side" is running 1.2.3, the "bad side" is running 2.0 beta 5 (Jan 14th), but it also happened when it was still running 1.2.3. Configurations on both are the same and both also have 'Prefer old IPsec SAs' enabled.

    Any ideas?

  • I have also been having this problem and it's been bugging me for weeks now...
    My setup was:

    Side A: IPCop 1.4.21
    Side B: IPCop 1.4.21

    Replaced Side B with pfSense 2.0 BETA4, started having issues. I was running BETA4 1 Dec 2010 release because this has been the most stable for my particular setup. I updated to the most recent (2.0-BETA5 Mon Jan 17) but still getting this issue.

    The VPN stays open the whole time, however after approx. 3-4 hrs both sides lose connectivity (can no longer ping either way). I also get the multiple SAD entries. Quickest fix is to restart racoon.
    I think the cause may be that Side A has a fairly unstable connection and drops out multiple times a day, however it was fine when it was IPCop - IPCop.
    I have similar setups (pfSense 2.0 BETA - IPCop 1.4.21 IPSec) running flawlessly.
    I have tried various encryptions and adjusted the lifetime for IKE and ESP at both ends. Current encryption is Blowfish 256 bits SHA1.
    There are also two other IPSec tunnels on this system, both connecting to IPCop firewalls at the other end, and they are fine.

    Not sure what to try next? Lower lifetime maybe?

  • Rebel Alliance Developer Netgate

    System > Advanced, Misc tab, check "Prefer older IPsec SAs"

  • … and also have 'Prefer old IPsec SAs' enabled

  • Rebel Alliance Developer Netgate

    Must have missed it :-)

    Double check that it really is active. Diagnostics > Command, shell execute:

    sysctl net.key.preferred_oldsa

    If it's enabled, you should get back

    net.key.preferred_oldsa: 1

  • np.

    On the fw listed "bad" running 2.0 beta 5:

    net.key.preferred_oldsa: -30

    On the fw listed as "good" running 1.2.3:

    net.key.preferred_oldsa: 0

    Though the check box under System->Advanced->Misc is checked…

  • Rebel Alliance Developer Netgate

    Yeah, -30 is right, I just checked against a router I had with it enabled. 0 is off, though.

  • hmmm… was there a bug in 1.2.3, not respecting <preferoldsa> in the config? But in any case, does that explain why the other side whose setting is correct, -30, is the one with the SAs stacking up like that?

  • Rebel Alliance Developer Netgate

    Regardless of the setting, they still stack up. The setting just tells it to keep using the old one even though a new one was generated.

  • Did some other searching and answered the first part. Yes, there was a bug:

            // Branches are inverted: the option being set writes 0 (off),
            // the option being unset writes -30 (on).
            if(isset($config['ipsec']['preferoldsa'])) {
                    mwexec("/sbin/sysctl net.key.preferred_oldsa=0");
            } else {
                    mwexec("/sbin/sysctl -w net.key.preferred_oldsa=-30");
            }

    So if I disable it in the gui, it should enable it :-), that's fine, it's fixed in the new version.

    I had to delete multiple SAs from the side running beta5, that was already configured properly. So was the side with it not set really causing the problem?
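    A small check script, added here as an example and not posted by anyone in this thread or shipped with pfSense, that reads the sysctl line the way the posts above interpret it (0 = off, anything else such as -30 = on) and scans `setkey -D` output for peer pairs that have more than one SA stacked up. The setkey output embedded below is constructed for illustration; on a live box you would pipe the real `sysctl net.key.preferred_oldsa` and `setkey -D` output into the same functions.

```shell
#!/bin/sh
# Constructed sample of `setkey -D` output: two SAs for the same src/dst
# pair (203.0.113.1 -> 198.51.100.1) and one for the reverse direction.
SAMPLE_SETKEY='203.0.113.1 198.51.100.1
    esp mode=tunnel spi=100001(0x000186a1) reqid=16385(0x00004001)
    E: blowfish-cbc  A: hmac-sha1
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 203.0.113.1
    esp mode=tunnel spi=100002(0x000186a2) reqid=16386(0x00004002)
    state=mature
203.0.113.1 198.51.100.1
    esp mode=tunnel spi=100003(0x000186a3) reqid=16385(0x00004001)
    state=mature
'

# Interpret a "net.key.preferred_oldsa: N" line: 0 means the option is
# off; any nonzero value (pfSense writes -30) means it is on.
preferoldsa_state() {
    val=${1##*: }
    case "$val" in
        0) echo off ;;
        *) echo on ;;
    esac
}

# Read setkey -D output on stdin and print "src dst count" for every
# peer pair that has more than one SA (the "stacked SAs" symptom).
# Header lines start in column 0 with an address; SA details are indented.
stacked_sas() {
    awk '
        /^[^ \t]/ { pair = $1 " " $2; next }   # "src dst" header line
        /spi=/    { n[pair]++ }                # one SA per spi= line
        END { for (p in n) if (n[p] > 1) print p, n[p] }
    ' | sort
}

# Demo on the constructed data (live: setkey -D | stacked_sas).
echo "preferred_oldsa: $(preferoldsa_state 'net.key.preferred_oldsa: -30')"
printf '%s' "$SAMPLE_SETKEY" | stacked_sas
```

If the script reports a stacked pair while preferred_oldsa is off, the sysctl is the first thing to fix; if it reports one while the option is on, the stacking itself is expected and the question is which SA the other end is still using.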

  • Prefer older IPsec SAs was ticked for me, however I unticked it last night and it stayed up overnight... which is rare.

    If the IPCop side drops out (which it does quite regularly), then a new SA would be issued? So having that option checked meant pfSense was using an outdated SA?