IPsec tunnels passing no traffic showing green in status DPD



  • Just wondering if anyone else has come across this problem before. Running pfSense 2.0.1 on 14 sites.

    Each site is set up with all default values; the only information I have filled in was the hostname and pre-shared key. Phase 2 is the same, the only information that is filled in is the network subnet and the IP address to ping (I used the remote side's internal pfSense box IP here). Works fantastic when up.

    So far I have had a few drops where pfSense has no idea that the tunnel is actually dropped. Status shows green with no mention of any problems in the logs regarding the tunnel or DPD actually doing anything.

    I have DPD set up with all default values: 10 seconds, 5 retries. How long does this actually take to detect a problem?

    These sites are connected with pretty reliable internet connections that rarely go down; most are even static sites. Are there better settings that could be used?

    When I reset the IPsec services on the device all seems to be restored. I have been doing this through a public IP port forward for testing. On each side it still shows green minutes after the connection goes down.

    I have done some googling and have come up with switching to main mode vs aggressive, disabling NAT-T and DPD. Has anyone had any luck with these suggestions?



  • Anyone?



  • Have you put firewall rules in to allow traffic over the IPsec interface at each site? I had this same issue the first time I set up IPsec tunnels with pfSense and it took a while to realize what needed to be done.


    Seth



  • @themixer:

    These sites are connected with pretty reliable internet connections that rarely go down; most are even static sites. Are there better settings that could be used?

    What is your setting of "Prefer older IPsec SAs" (System -> Advanced -> Miscellaneous -> IPsec)?

    Are you running a PPTP server on the same machine?



  • pfSense, NanoBSD, 2.0.1
    I had the same problem: the IPsec tunnel was established, all green, but no traffic goes through.
    When you look at the SAD (Status, IPsec, SAD) it shows me multiple connections.
    I think the reason is short interruptions: Phase 1 does not recognise the break and stays established, but Phase 2 opens a new connection.
    But this does not work.
    My solution:
    Change Mode from aggressive to main on both sides (even with dynamic IPs).
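The "multiple connections in the SAD" observation above is something you can check for from the shell rather than by eye. The script below is an added example, not code from this thread or from pfSense: it parses the output of `setkey -D` (the ipsec-tools SAD dump that the Status > IPsec > SAD page is built from on pfSense 2.0.x), reports peer pairs that carry more than one live ESP SA in the same direction, and lists SAs that have been up for a while without ever carrying a byte. It also answers the first post's question about DPD timing with a small helper. Assumptions, all labelled in the code: the `setkey -D` field layout shown in the embedded sample (which is constructed, not captured from a real box), and the racoon semantics of dpd_delay / dpd_retry / dpd_maxfail used by `dpd_detect_window`.

```python
"""Added example (not from the thread or pfSense): inspect `setkey -D`
output for the "tunnel green but several SAs, no traffic" symptom.

Assumption: FreeBSD ipsec-tools `setkey -D` layout as on pfSense 2.0.x.
SAMPLE_SAD below is a constructed sample, not real captured output.
"""
import re
import sys
from collections import defaultdict

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")          # "src dst" line starts an SA
PROTO_RE = re.compile(r"^\s*(esp|ah|ipcomp)\s+mode=(\w+)")
SPI_RE = re.compile(r"\bspi=(\d+)")
STATE_RE = re.compile(r"\bstate=(\w+)")
AGE_RE = re.compile(r"\bdiff:\s*(\d+)\(s\)")           # seconds since the SA was created
BYTES_RE = re.compile(r"\bcurrent:\s*(\d+)\(bytes\)")  # bytes carried by the SA so far

# Constructed sample: two live ESP SAs 203.0.113.10 -> 198.51.100.20 (the
# newer one has carried nothing) and one SA in the reverse direction.
SAMPLE_SAD = """\
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=305419896(0x12345678) reqid=16385(0x00004001)
\tE: aes-cbc  0123456789abcdef 0123456789abcdef
\tA: hmac-sha1  0123456789abcdef 0123456789abcdef 01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  1 10:00:00 2012\tcurrent: Jan  1 10:20:00 2012
\tdiff: 1200(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast: Jan  1 10:19:59 2012\thard: 0(s)\tsoft: 0(s)
\tcurrent: 48200(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 410\thard: 0\tsoft: 0
\tsadb_seq=3 pid=1234 refcnt=0
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=16385(0x00004001)
\tE: aes-cbc  fedcba9876543210 fedcba9876543210
\tA: hmac-sha1  fedcba9876543210 fedcba9876543210 fedcba98
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  1 10:17:00 2012\tcurrent: Jan  1 10:20:00 2012
\tdiff: 180(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast:\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=5 pid=1234 refcnt=0
198.51.100.20 203.0.113.10
\tesp mode=tunnel spi=1122867(0x00112233) reqid=16386(0x00004002)
\tE: aes-cbc  00112233445566778899aabbccddeeff
\tA: hmac-sha1  00112233445566778899aabbccddeeff00112233
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jan  1 10:00:00 2012\tcurrent: Jan  1 10:20:00 2012
\tdiff: 1200(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast: Jan  1 10:19:58 2012\thard: 0(s)\tsoft: 0(s)
\tcurrent: 51020(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 402\thard: 0\tsoft: 0
\tsadb_seq=4 pid=1234 refcnt=0
"""


def parse_sad(text):
    """Return one dict per SA, in `setkey -D` order."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line: new "src dst" header
            m = HEADER_RE.match(line)
            cur = None
            if m:
                cur = {"src": m.group(1), "dst": m.group(2), "proto": None,
                       "mode": None, "spi": None, "state": None,
                       "age_s": None, "bytes": None}
                sas.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["mode"] = m.group(1), m.group(2)
        for key, rx, conv in (("spi", SPI_RE, int), ("state", STATE_RE, str),
                              ("age_s", AGE_RE, int), ("bytes", BYTES_RE, int)):
            m = rx.search(line)
            if m:
                cur[key] = conv(m.group(1))
    return sas


def duplicate_directions(sas, live_states=("mature",)):
    """Peer pairs with more than one live ESP SA in the same direction."""
    by_dir = defaultdict(list)
    for sa in sas:
        if sa["proto"] == "esp" and sa["state"] in live_states:
            by_dir[(sa["src"], sa["dst"])].append(sa)
    return {k: v for k, v in by_dir.items() if len(v) > 1}


def idle_sas(sas, min_age_s=60):
    """Live SAs older than min_age_s that have never carried a byte."""
    return [sa for sa in sas
            if sa["state"] == "mature" and sa["age_s"] is not None
            and sa["age_s"] >= min_age_s and sa["bytes"] == 0]


def dpd_detect_window(delay_s, retry_s, max_fail):
    """Worst-case seconds before racoon gives up on a peer.
    Assumption about racoon semantics: dpd_delay is the idle time before the
    first R-U-THERE, dpd_retry the gap between unanswered retries, and
    dpd_maxfail the number of retries tolerated before the SA is torn down."""
    return delay_s + retry_s * max_fail


if __name__ == "__main__":
    # Pipe real output in: `setkey -D | python3 sadcheck.py`; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SAD
    sas = parse_sad(text)
    for (src, dst), entries in duplicate_directions(sas).items():
        spis = ", ".join(f"{sa['spi']:#x}" for sa in entries)
        print(f"{src} -> {dst}: {len(entries)} live ESP SAs ({spis})")
    for sa in idle_sas(sas):
        print(f"idle: {sa['src']} -> {sa['dst']} spi={sa['spi']:#x} age={sa['age_s']}s, 0 bytes")
    print("DPD worst case with delay=10, retry=5, maxfail=5:",
          dpd_detect_window(10, 5, 5), "s")
```

On a box that shows green but passes nothing, a second mature SA for the same direction with zero bytes and a non-trivial age is the pattern the last reply describes; a single SA that has aged well past the DPD window with zero bytes points instead at DPD never having fired. The DPD figure is only an estimate of racoon's own behaviour as assumed in the docstring; compare it against the Phase 1 settings actually written to racoon.conf on the box before relying on it.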

