    Netgate Discussion Forum

    IPSec: tunnel up, no traffic

    2.1 Snapshot Feedback and Problems - RETIRED
    • rcfa
      rcfa last edited by

      This seems to happen every so often: on the Dashboard, everything looks fine: racoon running, tunnel in the IPSec widget shown as up, etc.

      But I have no connectivity to the internet (Note: all my traffic is routed through the IPSec tunnel to the public internet, remote network is given as 0.0.0.0/0)

      Once I notice it, it's a quick and easy fix: web GUI to IPSec. Disable IPSec, save, enable IPSec, save => connectivity is back.

      The question is: how can I help track down what's causing this, so it can be fixed?

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        Probably you need to toggle "prefer old IPsec SA" under System > Advanced on the Misc tab.

        If you go to Status > IPsec on the SAD tab, you probably have multiples, and the data count is probably increasing on the one you don't want to be using…

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

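The check jimp describes (several SAs for the same peer pair on the SAD tab, with only one of them carrying traffic) can be done from two snapshots of the kernel SAD. The script below is an added example, not code from the thread or from pfSense; the two snapshots are constructed and only loosely modelled on `setkey -D` output, and the addresses and SPIs are made up.

```python
import re
from collections import defaultdict

# Constructed sample, loosely in the shape of `setkey -D` output: two ESP SAs
# exist for the same src/dst pair (a stale one and a fresh one).
SNAPSHOT_T0 = """\
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=4242(0x00001092) reqid=16385(0x00004001)
\tcreated: Jan  1 10:00:00 2013\tcurrent: Jan  1 10:30:00 2013
\tcurrent: 10240(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=9001(0x00002329) reqid=16385(0x00004001)
\tcurrent: 512(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
"""
# Same SAD a minute later: only the newer SA (spi 9001) has moved data.
SNAPSHOT_T1 = SNAPSHOT_T0.replace("512(bytes)", "9800(bytes)")

def parse_sad(text):
    """Return {(src, dst, spi): byte_counter} from setkey -D style text."""
    sas, pair, key = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m:                       # header line: new SA entry begins
            pair, key = (m.group(1), m.group(2)), None
            continue
        m = re.search(r"\besp mode=\w+ spi=(\d+)", line)
        if m and pair:
            key = (pair[0], pair[1], int(m.group(1)))
            continue
        # Anchored so the "created: ... current: <time>" line is not matched.
        m = re.match(r"^\s*current: (\d+)\(bytes\)", line)
        if m and key:
            sas[key] = int(m.group(1))
    return sas

def duplicate_sas(before, after):
    """Group SAs by peer pair; return pairs with >1 SPI and each SPI's byte delta."""
    by_pair = defaultdict(dict)
    for (src, dst, spi), nbytes in after.items():
        by_pair[(src, dst)][spi] = nbytes - before.get((src, dst, spi), 0)
    return {pair: d for pair, d in by_pair.items() if len(d) > 1}

if __name__ == "__main__":
    report = duplicate_sas(parse_sad(SNAPSHOT_T0), parse_sad(SNAPSHOT_T1))
    for (src, dst), deltas in report.items():
        active = max(deltas, key=deltas.get)
        print(f"{src} -> {dst}: {len(deltas)} SAs, traffic on spi {active}, deltas {deltas}")
```

A growing counter on an SPI other than the one the peer currently uses is the symptom jimp points at; the "prefer old IPsec SA" toggle decides which of the duplicates pfSense keeps.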
        • rcfa
          rcfa last edited by

          @jimp:

          Probably you need to toggle "prefer old IPsec SA" under System > Advanced on the Misc tab.

          Hm, I originally had that checked. Then when the problem kept popping up, I unchecked it. Still the same.
          Also thought it might have to do with dead peer detection, so I turned that on, still happening.
          Thing is, I change something, and then it's not happening for a day or two, and I think I nailed it, and then, boom, there it is again.
          So it's not happening all that frequently, but it does. Also thought it might have to do with the WAN address changing, since it's DHCP, but then I checked my DynDNS entry, and that's current, and not changed in a few days, so that address didn't change, either.

          Still, next time it happens, I'll check if there's more than one SA listed, just to make sure.

          • marcelloc
            marcelloc last edited by

            Try to disable monitor ip on gateway config. I had problems with it once.

            Elite Training: http://sys-squad.com

            Help a community developer! ;D

            • rcfa
              rcfa last edited by

              @marcelloc:

              Try to disable monitor ip on gateway config. I had problems with it once.

              You're talking about the "Disable Gateway Monitoring" option on the WAN gateway, and not something that's part of the IPSec settings, right?

              I'll try that…

              ...or I could set an alternate monitor IP pointing to the IPSec peer, rather than to the regular gateway address.

              • rcfa
                rcfa last edited by

                Interesting…
                ...bug?

                I have an IPv4 gateway, DHCP, so the following settings are active:
                Interface: WAN
                Name: WAN_DHCP
                Gateway: dynamic
                Default Gateway: checked
                Disable Gateway Monitoring: unchecked
                Monitor IP: some IPv4 address, that's the remote end of my IPSec connection

                => Error message:
                "The following input errors were detected: The monitor address 'nnn.nnn.nnn.nnn' is a different Address Family then gateway 'dynamic'."

                I think not! An IPv4 address clearly is the same Address Family as my IPv4 gateway, I would think. Heck, I even have IPv6 completely disabled, still.

                So I have the option of keeping the monitor IP field empty (which it was until now), or just disable it completely, which is what I'll try next.

                • D
                  databeestje last edited by

                  That message should have been fixed by now.

                  • rcfa
                    rcfa last edited by

                    OK, error message is gone, that's the good part.

                    Still have to reboot the system a second time after an upgrade to get VoIP going, web browsing and such works without an extra reboot, so it seems to have to do with UDP traffic???
