Telnet idle and Ipsec woes.

This might not be related to IPsec specifically, but IPsec is involved and I don't know where else to put it.

I have two pfSense boxes, one for building the tunnel and another to NAT traffic before it gets to the pfSense box that builds the tunnel. (This is because as far as I know pfSense can't NAT on the IPsec interface; if this can be done please let me know!)

Below is a link to a brief diagram of how things are set up.

The 172.16.x.x pfSense box is the main firewall for the network; it handles Internet connectivity and connections from OpenVPN road warrior clients. It also has a route in it to forward any traffic for 10.40.x.x out its OPT interface of 10.50.x.x, as well as a few other IPsec tunnels that all work fine. The 172.16.x.x pfSense box also NATs all traffic going out its OPT interface onto the 10.50.x.x network.

The 10.50.x.x pfSense box only has one job: the tunnel to the 10.40.x.x endpoint. This tunnel has been giving me issues, but I think that is due to mismatched lifetimes and DPD and is not the focus of this thread.

The Problem

Clients on the 172.16.x.x network run a telnet application to a server at the 10.40.x.x IPsec endpoint. Before the pfSense boxes existed there was a Cisco that acted as the firewall and the IPsec gateway to the 10.40.x.x endpoint. When it was set up like this it would take upwards of 1 hour for the telnet clients to time out.

Now the clients can get timed out much quicker, and at random intervals (or so I'm being told). I've set both firewalls to 'conservative' mode, which seemed to help, but they still get dropped sometimes within 10 minutes.

Could it be something with the NAT? Could it be the fact that a flock of pigeons flies overhead? I'm lost here. Any direction or advice would be wonderful.

Thank you.
