IPSEC tunnels keep going down between 2.0 and 1.2.3



  • Every few hours my trunk between my 2.0 and 1.2.3 will go down.

    To bring them back up, I log in to the 1.2.3 pfSense and delete the first three SAD keys binding the two together.

    They look like this

    Source 	Destination 	Protocol 	SPI 	Enc. alg 	Auth. alg
    20.20.20.20 	10.10.10.10 	ESP 	03e87c1c 	3des-cbc 	hmac-md5
    

    The 2.0 logs show this

    
    Apr 1 00:22:05 	racoon: [Lexington]: INFO: ISAKMP-SA deleted 10.10.10.10[500]-20.20.20.20[500] spi:cba1fdb8aa90d7df:0086c5a874dea4d3
    Apr 1 00:22:14 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 1 00:22:14 	racoon: INFO: received Vendor ID: DPD
    Apr 1 00:22:14 	racoon: [20.20.20.20] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Apr 1 00:22:14 	racoon: [Lexington]: INFO: ISAKMP-SA established 10.10.10.10[500]-20.20.20.20[500] spi:1eb67cdcac0453e4:bcbd5e115b918403
    Apr 1 00:22:15 	racoon: [Lexington]: INFO: initiate new phase 2 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
    Apr 1 00:22:15 	racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=12082165(0xb85bf5)
    Apr 1 00:22:15 	racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=77822915(0x4a37bc3)
    Apr 1 00:34:02 	racoon: INFO: purged IPsec-SA proto_id=ESP spi=77822915.
    Apr 1 00:34:08 	racoon: [Lexington]: INFO: respond new phase 2 negotiation: 10.10.10.10[500]<=>20.20.20.20[500]
    Apr 1 00:34:08 	racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=65567772(0x3e87c1c)
    Apr 1 00:34:08 	racoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=39298724(0x257a6a4)
    
    

    Please help…

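Added example (editor's code, not from the original post or from pfSense): a small checker that cross-references a racoon log with the SAD table, so that instead of deleting "the first three" entries by hand you can see which SPIs racoon still considers live, which it has already purged (the stale ones that keep the tunnel down until removed), and which it never reported at all. The racoon lines are copied from the log above; the SAD lines are constructed around the single entry shown in the post, with two made-up entries added to exercise the other two outcomes. The six-column layout is assumed to be the one the pfSense 1.2.3 IPsec status page prints (source, destination, protocol, SPI, encryption, authentication), as in the post. It also flags legacy transforms in the table, since the entry above uses 3des-cbc with hmac-md5.

```python
"""Cross-check racoon's view of ESP SAs against the SAD table.

Added example, not the thread's or pfSense's own code.  The racoon log
excerpt is copied from the post; the SAD dump is constructed (only the
first line is the entry the post shows).
"""
import re
from collections import namedtuple

SadEntry = namedtuple("SadEntry", "src dst proto spi enc auth")

# Copied from the 2.0 box's racoon log in the post (tab after the timestamp).
RACOON_LOG = """\
Apr 1 00:22:15 \tracoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=12082165(0xb85bf5)
Apr 1 00:22:15 \tracoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=77822915(0x4a37bc3)
Apr 1 00:34:02 \tracoon: INFO: purged IPsec-SA proto_id=ESP spi=77822915.
Apr 1 00:34:08 \tracoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=65567772(0x3e87c1c)
Apr 1 00:34:08 \tracoon: [Lexington]: INFO: IPsec-SA established: ESP 10.10.10.10[500]->20.20.20.20[500] spi=39298724(0x257a6a4)
"""

# Constructed SAD table: line 1 is the post's entry, lines 2-3 are made up
# (0x04a37bc3 was purged in the log above; 0xdeadbeef never appears in it).
SAD_DUMP = """\
20.20.20.20\t10.10.10.10\tESP\t03e87c1c\t3des-cbc\thmac-md5
20.20.20.20\t10.10.10.10\tESP\t04a37bc3\t3des-cbc\thmac-md5
20.20.20.20\t10.10.10.10\tESP\tdeadbeef\taes-cbc\thmac-sha256
"""

EST_RE = re.compile(
    r"IPsec-SA established: ESP ([\d.]+)\[\d+\]->([\d.]+)\[\d+\] spi=(\d+)\(0x[0-9a-f]+\)"
)
PURGE_RE = re.compile(r"purged IPsec-SA proto_id=ESP spi=(\d+)\.")

# Transforms that should not be on a tunnel any more (assumed list).
LEGACY = {"des-cbc", "3des-cbc", "hmac-md5", "null"}


def parse_racoon_log(text):
    """Replay establish/purge events in order.

    Returns (live, purged): live maps SPI -> (src, dst) for SAs racoon last
    reported as established; purged holds SPIs whose last event was a purge.
    """
    live, purged = {}, set()
    for line in text.splitlines():
        m = EST_RE.search(line)
        if m:
            spi = int(m.group(3))
            live[spi] = (m.group(1), m.group(2))
            purged.discard(spi)          # re-established after a purge is live again
            continue
        m = PURGE_RE.search(line)
        if m:
            spi = int(m.group(1))
            live.pop(spi, None)
            purged.add(spi)
    return live, purged


def parse_sad(text):
    """Parse the six-column SAD table; SPI is hex in the table, kept as int."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                     # skip headers / blank lines
        src, dst, proto, spi_hex, enc, auth = fields
        entries.append(SadEntry(src, dst, proto, int(spi_hex, 16), enc, auth))
    return entries


def classify(entries, live, purged):
    """Map each SAD SPI (8-digit hex) to 'live', 'stale' or 'unknown'."""
    out = {}
    for e in entries:
        if e.spi in live:
            state = "live"
        elif e.spi in purged:
            state = "stale"              # racoon purged it, SAD still holds it
        else:
            state = "unknown"            # not in the log window at all
        out[f"{e.spi:08x}"] = state
    return out


def legacy_transforms(entries):
    """Sorted list of legacy cipher/auth names found in the SAD table."""
    return sorted({t for e in entries for t in (e.enc, e.auth) if t in LEGACY})


def report(racoon_text=RACOON_LOG, sad_text=SAD_DUMP):
    live, purged = parse_racoon_log(racoon_text)
    entries = parse_sad(sad_text)
    return classify(entries, live, purged), legacy_transforms(entries)


if __name__ == "__main__":
    states, legacy = report()
    for spi, state in states.items():
        print(f"spi 0x{spi}: {state}")
    if legacy:
        print("legacy transforms in SAD:", ", ".join(legacy))
```

Feed it the racoon log from one side and the SAD table from the other: entries reported as stale are the ones worth deleting, and an entry the log never mentions deserves a look before anything is removed. Note that the SAD's SPI column carries a leading zero (03e87c1c) while racoon prints it without (0x3e87c1c); comparing as integers avoids that mismatch.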


  • Bump



  • I'm seeing the same thing.

    We have 3 sites with IPSEC tunnels between them - all were running 1.2.3 and everything was fine.

    Upgraded one site to 2.0 RC1 and now the tunnels keep dropping.

    In my case, I've been restarting the racoon service on the 2.0 box and then one of the tunnels starts right back up.  I have to ping a host in the other networks for the other to come back alive again.

    Ideas?  Need more info?



  • alanbryan, I've got absolutely the same problem; it works only after restarting the racoon service on the main office's PF 2.0 RC1. The IPsec tunnel disconnected overnight.

    And the same problem between 2.0 RC1 and 2.0 RC1; I have tested both configurations.



  • Turn off DPD when using 1.2.3 -> 2.0 most likely.



  • sullrich, thank you for the reply,

    I'm trying with DPD off on pf 1.2.3; I think the problem is on the pf 2.0 RC1 site. I opened a new discussion on the 2.0 RC1 forum (http://forum.pfsense.org/index.php/topic,35487.0.html) with config and log info.

    But nobody has answered yet :(



  • Thanks Scott!  I've turned off DPD and will report back in a few days on my findings.



  • At last I found my periodic IPsec disconnect problem after researching in Redmine: I'm using PPTP from home to connect to the corporate PF 2.0 RC1 firewall.
    Same issue as Chris Buechler described in bug 1421 (http://redmine.pfsense.org/issues/1421). Today I noticed that after my PPTP disconnects, all IPsec tunnels disconnect. I can supply any logs and configs for deeper research.

    regards.



  • DPD off on the 2.0 side doesn't appear to have made any change for us.


Locked