IPSec: tunnel up, no traffic



  • This seems to happen every so often: on the Dashboard, everything looks fine: racoon running, tunnel in the IPSec widget shown as up, etc.

    But I have no connectivity to the internet. (Note: all my traffic is routed through the IPSec tunnel to the public internet; the remote network is given as 0.0.0.0/0.)

    Once I notice it, it's a quick and easy fix: web GUI to IPSec. Disable IPSec, save, enable IPSec, save => connectivity is back.

    The question is: how can I help track down what's causing this, so it can be fixed?


  • Rebel Alliance Developer Netgate

    Probably you need to toggle "prefer old IPsec SA" under System > Advanced on the Misc tab.

    If you go to Status > IPsec on the SAD tab, you probably have multiples, and the data count is probably increasing on the one you don't want to be using…
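    One way to automate the SAD check described above, as an added example that is not part of the original thread and not pfSense or Netgate code: take two snapshots of the SAD (the Status > IPsec SAD tab, or `setkey -D` on the console), find peers that have more than one SA in the same direction, and report which SPI's byte counter actually grew between the snapshots. The sample dumps below are constructed to resemble `setkey -D` output; the exact field layout is an assumption, so the regexes may need adjusting against a real dump.

```python
"""Detect duplicate IPsec SAs per peer and identify the one carrying traffic.

Added example for the thread above, not code from pfSense, Netgate or racoon.
The two SAD snapshots are constructed sample text in a setkey -D like layout
(assumed format: a 'src dst' header line, then indented attribute lines).
"""
import re
from collections import defaultdict

# Constructed snapshot 1: one peer direction has two SAs (old and new SPI).
SAD_T0 = """\
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
    current: 1048576(bytes)  hard: 0(bytes)  soft: 0(bytes)
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=2271560481(0x87654321) reqid=1(0x00000001)
    current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
198.51.100.20 203.0.113.10
    esp mode=tunnel spi=19088743(0x01234567) reqid=1(0x00000001)
    current: 524288(bytes)  hard: 0(bytes)  soft: 0(bytes)
"""

# Constructed snapshot 2, a little later: only the newer outbound SPI and the
# inbound SPI have moved; the old outbound SA is idle.
SAD_T1 = """\
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
    current: 1048576(bytes)  hard: 0(bytes)  soft: 0(bytes)
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=2271560481(0x87654321) reqid=1(0x00000001)
    current: 40960(bytes)  hard: 0(bytes)  soft: 0(bytes)
198.51.100.20 203.0.113.10
    esp mode=tunnel spi=19088743(0x01234567) reqid=1(0x00000001)
    current: 600000(bytes)  hard: 0(bytes)  soft: 0(bytes)
"""

HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")          # "src dst" at column 0
SPI = re.compile(r"\bspi=(\d+)\(")                   # decimal SPI before "(0x..)"
BYTES = re.compile(r"\bcurrent:\s*(\d+)\(bytes\)")   # lifetime byte counter


def parse_sad(text):
    """Return {(src, dst, spi): bytes} for every SA in a setkey -D style dump."""
    sas = {}
    peer, spi = None, None
    for line in text.splitlines():
        if line and not line[0].isspace():           # new SA block starts here
            m = HEADER.match(line)
            peer = m.groups() if m else None
            spi = None
            continue
        if peer is None:
            continue
        m = SPI.search(line)
        if m:
            spi = int(m.group(1))
        m = BYTES.search(line)
        if m and spi is not None:
            sas[(peer[0], peer[1], spi)] = int(m.group(1))
    return sas


def duplicate_sas(sas):
    """Peers (src, dst) that have more than one SA, mapped to their sorted SPIs."""
    by_peer = defaultdict(list)
    for src, dst, spi in sas:
        by_peer[(src, dst)].append(spi)
    return {p: sorted(s) for p, s in by_peer.items() if len(s) > 1}


def active_spi(before, after, peer):
    """SPI for `peer` whose byte counter grew most between snapshots, or None."""
    best, growth = None, 0
    for (src, dst, spi), now in after.items():
        if (src, dst) != peer:
            continue
        delta = now - before.get((src, dst, spi), 0)
        if delta > growth:
            best, growth = spi, delta
    return best


def report(before, after):
    """Human-readable lines: duplicate SAs per peer and which SPI is live."""
    lines = []
    for peer, spis in duplicate_sas(after).items():
        live = active_spi(before, after, peer)
        idle = [s for s in spis if s != live]
        lines.append(f"{peer[0]} -> {peer[1]}: {len(spis)} SAs, "
                     f"traffic on spi={live:#x}, idle: "
                     + ", ".join(f"{s:#x}" for s in idle))
    return lines


if __name__ == "__main__":
    for line in report(parse_sad(SAD_T0), parse_sad(SAD_T1)):
        print(line)
```

    If the SPI that shows growth is the newer one while the policy (or the remote side) still points at the older one, that matches the "prefer old IPsec SA" situation; if neither duplicate grows at all, the tunnel is up but nothing is being passed, which is the symptom in the first post.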



  • @jimp:

    Probably you need to toggle "prefer old IPsec SA" under System > Advanced on the Misc tab.

    Hm, I originally had that checked. Then when the problem kept popping up, I unchecked it. Still the same.
    Also thought it might have to do with dead peer detection, so I turned that on, still happening.
    Thing is, I change something, and then it's not happening for a day or two, and I think I nailed it, and then, boom, there it is again.
    So it's not happening all that frequently, but it does. Also thought it might have to do with the WAN address changing, since it's DHCP, but then I checked my DynDNS entry, and that's current, and not changed in a few days, so that address didn't change, either.

    Still, next time it happens, I'll check if there's more than one SA listed, just to make sure.



  • Try to disable monitor IP on gateway config. I had problems with it once.



  • @marcelloc:

    Try to disable monitor IP on gateway config. I had problems with it once.

    You're talking about the "Disable Gateway Monitoring" option on the WAN gateway, and not something that's part of the IPSec settings, right?

    I'll try that…

    ...or I could set an alternate monitor IP pointing to the IPSec peer, rather than to the regular gateway address.



  • Interesting…
    ...bug?

    I have an IPv4 gateway, DHCP, so the following settings are active:
    Interface: WAN
    Name: WAN_DHCP
    Gateway: dynamic
    Default Gateway: checked
    Disable Gateway Monitoring: unchecked
    Monitor IP: some IPv4 address, that's the remote end of my IPSec connection

    => Error message:
    "The following input errors were detected: The monitor address 'nnn.nnn.nnn.nnn' is a different Address Family then gateway 'dynamic'."

    I think not! An IPv4 address clearly is the same Address Family as my IPv4 gateway, I would think. Heck, I even have IPv6 completely disabled, still.

    So I have the option of keeping the monitor IP field empty (which it was until now), or just disable it completely, which is what I'll try next.



  • That message should have been fixed by now.



  • OK, error message is gone, that's the good part.

    Still have to reboot the system a second time after an upgrade to get VoIP going, web browsing and such works without an extra reboot, so it seems to have to do with UDP traffic???

