PfSense 2.0.1 IPSec - Site-To-Site Problem (pfSense to pfSense)



  • Hello,

    System setup: 1 head office, 3 stores, all using pfSense 2.0.1 IPsec VPN.
    IP blocks used:
    Head: 10.34.1.0/24
    Store 1: 10.34.2.0/24
    Store 2: 10.34.3.0/24
    Store 3: 10.34.4.0/24

    All lifetimes: 28800
    NAT-T: disabled
    Firewall ports: opened
    Prefer older IPsec SAs: checked
    VPN: UP (still goes down every 4 or 5 hours; I need to restart the head office racoon service)

    Head Office IPSec Tab:

    Stores IPSec Tab:

    The VPN was working with aggressive mode, but every 3-4 or 5 hours all sites' VPNs went down, so I changed to main mode. Still the same. When I restart the racoon service on the head office, all VPNs come up again.

    Why do my site-to-site VPN connections go down every 3-4 or 5 hours, and why do I still need to restart the racoon service?
    How can I resolve this problem? Does anyone have any information about that?

    Best Regards,
    Esat Kucukigridere






  • You do not want to prefer older SAs. Also double check your P1 and P2 lifetimes, they must match.



    Must Prefer Older SAs be unchecked on all sites (head and stores)?
    Yes, all P1 and P2 lifetimes match, and I changed the 28800 value to 86400.
    Additional info: DPD is enabled for all sites.

    After unchecking Prefer Older SAs on all sites, it gives this error:
    (Now the VPN looks UP; I will check again in a few hours.)



    All sites down again =(

    After restarting the racoon service on the HEAD office only, ALL SITES' VPNs came UP AGAIN! =(

    How can I resolve this issue?



  • We had the same problem, eventually I gave up and replaced the central site box with a cisco asa 5510.

    Lex



  • @lexl:

    We had the same problem, eventually I gave up and replaced the central site box with a cisco asa 5510.

    Lex

    I think the problem is just "racoon", because it is very old.
    The pfSense admins did not answer..



  • It's not a general problem.

    The "send error" message there seems to indicate you're hitting an issue between mpd and ipsec-tools with route removal when you have a misconfigured PPTP server. If your PPTP server's "server IP" is set to a WAN IP (which is wrong) a disconnecting PPTP client will cause issues with IPsec. Fixing the PPTP server to properly use a private IP as its server IP will fix that.



    Yes, that is true, we have PPTP and use the same public IP…
    I must assign a different private network IP and port redirection for PPTP.
    I never thought about that PPTP and IPsec problem..

    Thanks, I will try it and write the results here.



    Now I have added a Virtual IP (LAN network) for the PPTP private IP.
    Changed the PPTP public IP to the private IP, NAT-forwarded the ports to the new private IP, and tested that PPTP is working.

    Now waiting on IPsec…



    That problem is SOLVED.
    Thanks cmb.

    Now IPsec is working STABLY after changing the PPTP PUBLIC IP to a PRIVATE IP.
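The misconfiguration cmb points to above (PPTP server IP set to the WAN address instead of a private one) and the fix the poster applied are easy to check for in a config backup. The script below is an added example, not code from the thread, from cmb, or from the pfSense project: it parses a constructed config.xml-style fragment and flags a PPTP server IP that equals a WAN interface address or is not an RFC 1918 address. The element paths it reads (`interfaces/wan/ipaddr`, `pptpd/mode`, `pptpd/localip`) are my assumptions modelled on the pfSense 2.0-era config layout; confirm them against your own `/cf/conf/config.xml` before relying on the script.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configs (not real pfSense exports). 203.0.113.10 stands in
# for the site's public WAN address. Element names are assumptions about the
# pfSense 2.0 config.xml layout.
BAD_CONFIG = """<pfsense>
  <interfaces>
    <wan><enable/><if>em0</if><ipaddr>203.0.113.10</ipaddr><subnet>24</subnet></wan>
    <lan><enable/><if>em1</if><ipaddr>10.34.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <pptpd>
    <mode>server</mode>
    <localip>203.0.113.10</localip>
    <remoteip>10.34.1.200</remoteip>
    <n_pptp_units>16</n_pptp_units>
  </pptpd>
</pfsense>
"""

# Same config after the fix described in the thread: PPTP "server address"
# moved to a private LAN-side address (the poster used a LAN Virtual IP).
GOOD_CONFIG = BAD_CONFIG.replace(
    "<localip>203.0.113.10</localip>", "<localip>10.34.1.250</localip>"
)

# RFC 1918 ranges checked explicitly: ipaddress.is_private also returns True
# for documentation/test ranges such as 203.0.113.0/24, which is not what we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def check_pptp_server_ip(config_xml, wan_interfaces=("wan",)):
    """Return a list of finding strings; an empty list means the PPTP server IP looks sane."""
    root = ET.fromstring(config_xml)
    pptpd = root.find("pptpd")
    if pptpd is None or (pptpd.findtext("mode") or "").strip() != "server":
        return []  # no PPTP server configured: nothing to check

    localip_text = (pptpd.findtext("localip") or "").strip()
    if not localip_text:
        return ["pptpd/localip is empty"]
    try:
        server_ip = ipaddress.ip_address(localip_text)
    except ValueError:
        return ["pptpd/localip is not an IP literal: %r" % localip_text]

    # Collect static addresses of the interfaces we treat as WAN-facing.
    wan_addrs = set()
    for name in wan_interfaces:
        iface = root.find("interfaces/%s" % name)
        if iface is None:
            continue
        try:
            wan_addrs.add(ipaddress.ip_address((iface.findtext("ipaddr") or "").strip()))
        except ValueError:
            pass  # dhcp/pppoe/none: no static literal to compare against

    findings = []
    if server_ip in wan_addrs:
        findings.append("PPTP server IP %s is a WAN interface address" % server_ip)
    if not is_rfc1918(server_ip):
        findings.append("PPTP server IP %s is not an RFC 1918 private address" % server_ip)
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", BAD_CONFIG), ("after fix", GOOD_CONFIG)):
        print(label, check_pptp_server_ip(cfg) or ["ok"])
```

Run it against a real backup with `check_pptp_server_ip(open("config.xml").read())`; if your WAN is a DHCP or PPPoE interface the WAN-equality check has nothing static to compare, so the RFC 1918 check is the one that still applies.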

