IPSec connected but not passing traffic
-
I have no exact indication why your setup is not working but have you tried changing to MD5 instead of SHA1 in the proposal?
-
Thanks for the reply!
I forgot to close the issue. My apologies.
It turned out to be the underlying connection being flaky. However, if that does happen, the SAD state goes out of sync and the tunnel becomes unusable (i.e. the connection breaks for, let's say, 3 min, then IPSec might be unusable for another two hours before the SADs get synchronized again).
Has anyone else seen this issue?
-
namezero111111, what is your setting of
System -> Advanced -> Misc -> Security Assoc -> Prefer older IPsec SAs
?
-
namezero111111, what is your setting of
System -> Advanced -> Misc -> Security Assoc -> Prefer older IPsec SAs
?
If it's checked, uncheck it. It's almost never necessary. The last 3 IPsec issues along the lines of failing for a while where the config was otherwise correct have been caused by that, people seem to want to check it for some reason when it's virtually never desirable.
-
Thanks everybody and apologies for taking so long to reply.
I've tried both with Older SAs on and off, but neither seemed to be working better than the other. With DPD enabled, shouldn't the two endpoints resynchronize SAD states when one of them notices a dead peer?
-
With DPD enabled, shouldn't the two endpoints resynchronize SAD states when one of them notices a dead peer?
Yes, that's the best option to ensure neither end has old SAs.
-
Like I said, I tried that, but unfortunately we were still experiencing out of sync SAD states. We still have it enabled, but it looks like both sides see the dead peer and then generate new SADs on their own?
-
PFSENSE, NANOBSD, 2.0.1
I had the same problem, IPSEC tunnel was established, all green, no traffic goes through.
When you look at SAD, SAD (Status, IPsec, SAD) shows me multiple connections.
I think, the reason are short interrupts, Phase1 does not recognise the break, stays established, but Phase2 opens a new connection.
But this does not work.
My solution:
Change Mode from aggressive to main on both sides (even with dynamic IPs).
-
I have the same issue but I'm using Site-to-Client (Road Warriors).
I did my config based on this link: http://doc.pfsense.org/index.php/IPsec_for_road_warriors_in_PfSense_2.0.1_with_PSK_in_stead_of_xauth
The IPSEC tunnel was established but I can't see the other network (The gateway always is empty)
Ideas?
-
I have a problem with an IPSec tunnel where after any amount of time (sometimes 20 mins, sometimes hours or days), traffic will just stop flowing even though the tunnel is up. One side will show multiple SAD entries.
If I start deleting "unused" SADs, the tunnel will start working again. Obviously that isn't a solution.
Here are some facts:
- Both sides running on 2.0.1-RELEASE (amd64) built on Mon Dec 12 18:43:51 EST 2011
- Both sides have "Prefer older SAs" in the advanced settings disabled (it used to be enabled but made no difference).
- DPD is enabled and I tried playing with the values as well as disabling it completely
- With DPD disabled, the tunnel stays stalled longer
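The two posts above (the 2.0.1 NanoBSD report and the one just above) both describe the same symptom: the tunnel is up, but the SAD lists more than one SA for the same peer pair and traffic only resumes after the idle entry is deleted. As an added example that is not code from the thread or from pfSense, the script below parses an ipsec-tools `setkey -D` style SAD dump (the listing behind Status, IPsec, SAD on 2.0.x) and flags peer pairs that hold more than one mature SA, marking the one that has carried no bytes. The dump embedded here is constructed; the addresses, SPIs, timestamps and byte counts are made up for illustration, and the exact field layout of `setkey -D` is assumed from the ipsec-tools format.

```python
"""Spot duplicate IPsec SAs in a `setkey -D` style SAD dump.

Added example (not from the forum thread or pfSense): parses the SAD
listing that ipsec-tools' `setkey -D` prints and reports peer pairs
holding more than one mature SA. The sample dump is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two SAs 10.0.0.1 -> 10.0.0.2 (one idle, one carrying
# traffic) plus one SA in the return direction. All values are made up.
SAMPLE_SAD = """\
10.0.0.1 10.0.0.2
\tesp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
\tE: aes-cbc  00000000000000000000000000000000
\tA: hmac-sha1  0000000000000000000000000000000000000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Dec 15 10:00:00 2011\tcurrent: Dec 15 12:10:00 2011
\tdiff: 7800(s)\thard: 28800(s)\tsoft: 23040(s)
\tlast: Dec 15 11:58:00 2011\thard: 0(s)\tsoft: 0(s)
\tcurrent: 456789(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 3120\thard: 0\tsoft: 0
\tsadb_seq=1 pid=1234 refcnt=1
10.0.0.1 10.0.0.2
\tesp mode=tunnel spi=305419897(0x12345679) reqid=16385(0x00004001)
\tE: aes-cbc  00000000000000000000000000000000
\tA: hmac-sha1  0000000000000000000000000000000000000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Dec 15 12:00:00 2011\tcurrent: Dec 15 12:10:00 2011
\tdiff: 600(s)\thard: 28800(s)\tsoft: 23040(s)
\tlast: \t\t\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=0 pid=1234 refcnt=1
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tE: aes-cbc  00000000000000000000000000000000
\tA: hmac-sha1  0000000000000000000000000000000000000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Dec 15 12:00:00 2011\tcurrent: Dec 15 12:10:00 2011
\tdiff: 600(s)\thard: 28800(s)\tsoft: 23040(s)
\tlast: Dec 15 12:09:00 2011\thard: 0(s)\tsoft: 0(s)
\tcurrent: 98765(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 800\thard: 0\tsoft: 0
\tsadb_seq=2 pid=1234 refcnt=1
"""


def parse_sad(text):
    """Return one dict per SA with src, dst, spi, reqid, state, created, bytes."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented "src dst" line opens a new SA entry
            src, dst = line.split()[:2]
            cur = {"src": src, "dst": dst, "spi": None, "reqid": None,
                   "state": None, "created": None, "bytes": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        for key, pat in (("spi", r"spi=(\d+)"), ("reqid", r"reqid=(\d+)")):
            m = re.search(pat, line)
            if m:
                cur[key] = int(m.group(1))
        m = re.search(r"state=(\w+)", line)
        if m:
            cur["state"] = m.group(1)
        m = re.search(r"created:\s+(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})", line)
        if m:
            cur["created"] = datetime.strptime(" ".join(m.group(1).split()),
                                               "%b %d %H:%M:%S %Y")
        m = re.search(r"current:\s+(\d+)\(bytes\)", line)  # byte counter, not the time
        if m:
            cur["bytes"] = int(m.group(1))
    return sas


def find_duplicate_sas(sas):
    """Group mature SAs by (src, dst, reqid) and return only the groups that
    hold more than one SA, each ordered oldest first."""
    groups = defaultdict(list)
    for sa in sas:
        if sa["state"] == "mature":
            groups[(sa["src"], sa["dst"], sa["reqid"])].append(sa)
    return {k: sorted(v, key=lambda s: s["created"])
            for k, v in groups.items() if len(v) > 1}


def idle_duplicates(sas):
    """SPIs of SAs that share a peer pair with another mature SA but have
    carried no bytes: the 'unused' entries the poster deleted by hand."""
    return [sa["spi"] for group in find_duplicate_sas(sas).values()
            for sa in group if sa["bytes"] == 0]


if __name__ == "__main__":
    parsed = parse_sad(SAMPLE_SAD)
    for (src, dst, reqid), group in find_duplicate_sas(parsed).items():
        print(f"{src} -> {dst} reqid={reqid}: {len(group)} mature SAs")
        for sa in group:
            print(f"  spi=0x{sa['spi']:08x} created={sa['created']} bytes={sa['bytes']}")
    print("idle duplicates:", [hex(s) for s in idle_duplicates(parsed)])
```

On a live box the dump would come from running `setkey -D` and feeding its output to `parse_sad`; the functions return structured data so the check can be scheduled and alerted on rather than eyeballed in the GUI. The byte counter alone is a heuristic: a freshly negotiated SA legitimately shows zero bytes for a moment, so treat a zero-byte duplicate as suspect only once it has stayed idle across two or more polls.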
-
Are you still having this problem?
You might also want to check the discussion at the ipsec-tools-devel list:
http://marc.info/?l=ipsec-tools-devel&m=129842631426424&w=2