How to make an IPsec tunnel be established automatically if dropped?



  • Hi there,

    I have a WAN link that drops once in a while and the IPsec tunnels drop too, but then I need to manually click the play button on the IPsec status page to establish them again.

    Is there an option to select to re-establish the connection when dropped?

    Thanks!



  • I think this is the option for this

    Dead Peer Detection: Enable DPD

    seconds
    Delay between requesting peer acknowledgement.

    retries
    Number of consecutive failures allowed before disconnect.

    I'm testing it at the moment, but I would like to ensure, for example, that if I reboot the firewall the tunnels will be re-established automatically as well.



  • Well, that was the option that I was also looking for, which we can find on WatchGuard firewalls:

    Send IKE Keep Alive Messages
    Keep alive interval seconds

    Enable Dead Peer Detection
    Maximum DPD attempts
    DPD Timeout

    Do we have these IKE keep-alive messages on pfSense?



  • Was this ever answered definitively? I also have to click the "play" button from time to time. Not sure why. Is there a way to auto-restart the tunnel? (pfSense 2.0.3)



  • @luckman212:

    Was this ever answered definitively? I also have to click the "play" button from time to time. Not sure why. Is there a way to auto-restart the tunnel? (pfSense 2.0.3)

    No, but it has rarely happened now. I'm also using 2.0.3 and so far I don't remember the last time I had to click on "play".



  • I just upgraded a couple of these to 2.0.3,
    will see how it goes. Working nicely so far :D


  • Rebel Alliance Developer Netgate

    The tunnel will establish itself when traffic is seen on the tunnel. There are three ways to make that happen:

    1. Something behind the firewall sends traffic to the other end of the tunnel.
    2. You fill in the "automatically ping host" field in the Phase 2 config with an IP inside the other end of the tunnel.
    3. You click the "connect" button, which just sends a ping to an IP on the far side of the Phase 2.

    In the case of #2 and #3, the firewall needs to have an IP address that is inside the local Phase 2 network for this to function.

    There isn't really any need to keep the tunnel up in most cases, it will come up on its own when something wants to use it.
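    As an added illustration of options #2 and #3 above (this is not pfSense's own code, nor code from anyone in this thread): a small POSIX shell script that reproduces the "automatically ping host" behaviour from cron, but first checks the precondition stated in the post, namely that the source address used for the ping lies inside the local Phase 2 network. It assumes FreeBSD's `ping -S` flag for choosing the source address (pfSense is FreeBSD based); the subnet and addresses in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example, not pfSense code. Emits the keep-alive ping that triggers an
# on-demand IPsec tunnel, after checking that the source IP is inside the
# local Phase 2 network (otherwise the traffic never matches the SA policy).

# ip_to_int 10.0.0.1  -> 167772161  (dotted quad to 32-bit integer)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_subnet ADDR CIDR -> exit 0 if ADDR is inside CIDR, 1 otherwise
in_subnet() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # prefix length 1..32 assumed; build the netmask as a 32-bit value
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# keepalive_cmd LOCAL_P2_NET LOCAL_SRC_IP REMOTE_HOST
# Prints the ping command to run (FreeBSD ping: -S selects the source address),
# or fails when LOCAL_SRC_IP is not inside LOCAL_P2_NET.
keepalive_cmd() {
    if ! in_subnet "$2" "$1"; then
        echo "source $2 is outside local Phase 2 network $1; tunnel will not be triggered" >&2
        return 1
    fi
    echo "ping -S $2 -c 1 $3"
}

# Constructed sample values: local Phase 2 is 192.168.1.0/24, LAN address
# 192.168.1.1, far-side host 10.20.0.5. Run the printed command from cron,
# e.g.:  keepalive_cmd 192.168.1.0/24 192.168.1.1 10.20.0.5 | sh
```

Only one ICMP echo per run is sent, so the cron interval (not this script) decides how often the tunnel is nudged.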



  • Ah, didn't know any of that – thanks for the clarification. Good to know about the pings bringing up the tunnel!

