Site-to-Site IPsec - both pfSense 2.0 Release, tunnel drops after some idle time



  • I have 2 pfSense boxes, both 2.0 release, with dynamic IPs (I use No-IP). They both connect via IPsec correctly and data is sent over the tunnel both ways perfectly. The majority of the time that the tunnel is left idle, though, traffic just won't start going through it again (sometimes it does). I tried everything and would much appreciate some help!

    One of the routers is dual WAN (the IPsec tunnel is on the secondary WAN, not the default).

    Is there any way I could increase the lifetime of the tunnel? I would like it to be always on and instant, like PPTP for instance.

    Much appreciated!



  • Some more info: after the first tunnel drop, the router with multi-WAN shows 3 SAs while the other one still has 2 SAs. I have checked 'Prefer older SAs' but this still keeps happening.



  • Here's an excerpt of racoon's log during a period of idle time:

    Oct 1 00:25:05 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP X.X.X.X[500]->X.X.X.X[500] spi=149865750(0x8eec516)
    Oct 1 00:25:02 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=191046787(0xb632483)
    Oct 1 00:25:02 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=217404996(0xcf55644)
    Oct 1 00:25:02 racoon: [SITE2]: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Oct 1 00:24:54 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=149865750(0x8eec516)
    Oct 1 00:24:54 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=147191536(0x8c5f6f0)
    Oct 1 00:24:54 racoon: [SITE2]: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Oct 1 00:10:47 racoon: [SITE2]: INFO: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->X.X.X.X[500] spi=151215834(0x9035eda)
    Oct 1 00:10:47 racoon: [SITE2]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->X.X.X.X[500] spi=264718127(0xfc7472f)
    Sep 30 23:22:49 racoon: ERROR: pfkey DELETE received: ESP X.X.X.X[500]->X.X.X.X[500] spi=249948619(0xee5e9cb)
    Sep 30 23:22:46 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=264718127(0xfc7472f)
    Sep 30 23:22:46 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=151215834(0x9035eda)
    Sep 30 23:22:46 racoon: [SITE2]: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Sep 30 23:22:40 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=249948619(0xee5e9cb)
    Sep 30 23:22:40 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=175102881(0xa6fdba1)
    Sep 30 23:22:40 racoon: [SITE2]: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Sep 30 23:08:32 racoon: [SITE2]: INFO: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->X.X.X.X[500] spi=138644480(0x8438c00)
    Sep 30 23:08:32 racoon: [SITE2]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->X.X.X.X[500] spi=222367625(0xd410f89)
    Sep 30 22:20:34 racoon: ERROR: pfkey DELETE received: ESP X.X.X.X[500]->X.X.X.X[500] spi=240815526(0xe5a8da6)
    Sep 30 22:20:31 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=222367625(0xd410f89)
    Sep 30 22:20:31 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=138644480(0x8438c00)
    Sep 30 22:20:31 racoon: [SITE2]: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Sep 30 22:20:26 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=240815526(0xe5a8da6)
    Sep 30 22:20:26 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=54177470(0x33aaebe)
    Sep 30 22:20:26 racoon: [SITE2]: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Sep 30 22:06:53 racoon: ERROR: X.X.X.X give up to get IPsec-SA due to time up to wait.
    Sep 30 22:06:23 racoon: [SITE2]: INFO: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->X.X.X.X[500] spi=2916835(0x2c81e3)
    Sep 30 22:06:23 racoon: [SITE2]: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Sep 30 22:06:23 racoon: [SITE2]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->X.X.X.X[500] spi=230696136(0xdc024c8)
    Sep 30 22:06:16 racoon: [SITE2]: INFO: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->X.X.X.X[500] spi=46582079(0x2c6c93f)
    Sep 30 21:23:26 racoon: ERROR: pfkey DELETE received: ESP X.X.X.X[500]->X.X.X.X[500] spi=178744507(0xaa76cbb)
    Sep 30 21:18:22 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=230696136(0xdc024c8)
    Sep 30 21:18:22 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=2916835(0x2c81e3)
    Sep 30 21:18:15 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=178744507(0xaa76cbb)
    Sep 30 21:18:15 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=46582079(0x2c6c93f)
    Sep 30 21:18:15 racoon: [SITE2]: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Sep 30 21:18:12 racoon: [SITE2]: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
    Sep 30 21:05:07 racoon: [SITE2]: INFO: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->X.X.X.X[500] spi=175593561(0xa775859)
    Sep 30 21:05:07 racoon: [SITE2]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->X.X.X.X[500] spi=1543384(0x178cd8)

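The excerpt above is easier to read once the events are sorted chronologically and the SPIs are paired up. What it then shows is a repeating cycle: both SAs expire, the local side sends "initiate new phase 2", a few seconds later it also answers the peer's "respond new phase 2" (so two SA pairs get built where one was wanted), and a few seconds after that a "pfkey DELETE received" removes one SPI of the pair that was just established while its reverse-direction twin is never expired or deleted anywhere in the excerpt. An SA pair with one half removed is exactly how one peer ends up showing 3 SAs while the other shows 2. The script below is an added example for this thread, not pfSense or racoon code, and it does that triage over a slice of the posted log (the 23:22 to 00:25 cycle, addresses already masked by the poster). The 60-second "collision" window is an assumed value, and the orphan heuristic only knows what happened inside the log window it is given.

```python
"""Triage a pfSense 2.0 racoon log for simultaneous phase 2 rekeys and
half-deleted SA pairs.  Added example for this thread, not pfSense/racoon code;
the parser is written against the line shapes visible in the posted excerpt."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog stamp, optional "[tag]: ", level, message.  The bare
# "racoon: ERROR: pfkey DELETE received" lines carry no tag.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: "
    r"(?:\[(?P<tag>[^\]]+)\]: )?(?P<level>INFO|ERROR): (?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi=\d+\((?P<spi>0x[0-9a-f]+)\)")

# Slice of the excerpt posted above (one rekey cycle; addresses masked by the poster).
SAMPLE_LOG = """\
Oct 1 00:25:05 racoon: [Unknown Gateway/Dynamic]: ERROR: pfkey DELETE received: ESP X.X.X.X[500]->X.X.X.X[500] spi=149865750(0x8eec516)
Oct 1 00:25:02 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=191046787(0xb632483)
Oct 1 00:25:02 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=217404996(0xcf55644)
Oct 1 00:25:02 racoon: [SITE2]: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
Oct 1 00:24:54 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=149865750(0x8eec516)
Oct 1 00:24:54 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=147191536(0x8c5f6f0)
Oct 1 00:24:54 racoon: [SITE2]: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
Oct 1 00:10:47 racoon: [SITE2]: INFO: IPsec-SA expired: ESP/Tunnel X.X.X.X[500]->X.X.X.X[500] spi=151215834(0x9035eda)
Oct 1 00:10:47 racoon: [SITE2]: INFO: IPsec-SA expired: ESP X.X.X.X[500]->X.X.X.X[500] spi=264718127(0xfc7472f)
Sep 30 23:22:49 racoon: ERROR: pfkey DELETE received: ESP X.X.X.X[500]->X.X.X.X[500] spi=249948619(0xee5e9cb)
Sep 30 23:22:46 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=264718127(0xfc7472f)
Sep 30 23:22:46 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=151215834(0x9035eda)
Sep 30 23:22:46 racoon: [SITE2]: INFO: respond new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
Sep 30 23:22:40 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=249948619(0xee5e9cb)
Sep 30 23:22:40 racoon: [SITE2]: INFO: IPsec-SA established: ESP X.X.X.X[500]->X.X.X.X[500] spi=175102881(0xa6fdba1)
Sep 30 23:22:40 racoon: [SITE2]: INFO: initiate new phase 2 negotiation: X.X.X.X[500]<=>X.X.X.X[500]
"""

def parse_line(line):
    """Return {ts, kind, spi} for one racoon log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog has no year; strptime defaults to 1900, which still orders
    # "Sep 30" before "Oct 1" within a single log window.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    kinds = (("IPsec-SA established", "established"), ("IPsec-SA expired", "expired"),
             ("pfkey DELETE received", "deleted"), ("initiate new phase 2", "initiate"),
             ("respond new phase 2", "respond"), ("give up to get IPsec-SA", "gave_up"))
    kind = next((k for needle, k in kinds if needle in m["msg"]), "other")
    spi = SPI_RE.search(m["msg"])
    return {"ts": ts, "kind": kind, "spi": spi["spi"] if spi else None}

def analyze(lines, collision_window=60):
    """Summarise a log window.  collision_window (seconds, an assumed value):
    an 'initiate' and a 'respond' this close together means both peers rekeyed
    at once and built two SA pairs where one was wanted."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    born, ended, siblings = {}, {}, defaultdict(list)
    initiates, responds, deleted, expiry_lifetimes, gave_up = [], [], [], set(), 0
    for e in events:
        kind, spi = e["kind"], e["spi"]
        if kind == "established":
            born[spi] = e["ts"]
            siblings[e["ts"]].append(spi)  # the two directions of one negotiation
        elif kind in ("expired", "deleted"):
            ended[spi] = kind
            if spi in born:
                life = int((e["ts"] - born[spi]).total_seconds())
                if kind == "deleted":
                    deleted.append((spi, life))
                else:
                    expiry_lifetimes.add(life)
        elif kind == "initiate":
            initiates.append(e["ts"])
        elif kind == "respond":
            responds.append(e["ts"])
        elif kind == "gave_up":
            gave_up += 1
    collisions = [(i, r, int(abs((r - i).total_seconds())))
                  for i in initiates for r in responds
                  if abs((r - i).total_seconds()) <= collision_window]
    # A pfkey DELETE removed one direction of a just-built pair while its twin
    # neither expired nor was deleted in this window: one peer is left holding
    # an odd number of SAs (the "3 SAs vs 2 SAs" symptom).
    orphans = sorted(twin for spi, _ in deleted for twin in siblings[born[spi]]
                     if twin != spi and twin not in ended)
    return {"collisions": collisions,
            "deleted": deleted,                    # (spi, seconds alive before DELETE)
            "orphans": orphans,
            "failed_rekeys": gave_up,
            "expiry_lifetimes": sorted(expiry_lifetimes)}  # observed SA lifetimes
```

On the sample slice this reports two rekey collisions (6 s and 8 s between initiate and respond), two SPIs deleted 9 s and 11 s after being established, two orphaned twins (0xa6fdba1 and 0x8c5f6f0), and an observed SA lifetime of 2881 s for the pairs that expired normally. Running it against the IPsec log of both pfSense boxes, and comparing which peer logs the DELETE, is the quickest way to confirm whether the odd SA count comes from this cleanup of duplicate pairs rather than from the WAN link itself.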


  • I hope everyone follows my example and posts solutions to frustrating problems they encounter like I am doing (even if they do not receive any help). To resolve this issue, disable NAT-T (when pfSense holds the public IP). If that still does not help, disable DPD and set 'Negotiation Mode' in Phase 1 to main (pfSense is at both ends in my scenario).

