How can I automatically release/renew an IPsec tunnel?



  • I have a site-to-site IPsec tunnel that connects our office to a hosted Windows 2003 server; our people use Terminal Services/RDP to run the critical app.  I have no control over the other end of the VPN (I'm not even sure what I'm connecting to - Cisco, Linksys, SonicWall - could even be another pfSense box, but I doubt it…  ;) )

    Every once in a while, the tunnel stops passing data.  No error messages, the IPSec status page looks good - but RDP stops working and I can't ping through.  I have no idea whether the problem is at my end or at the hosting company's end.  However, I can fix it by dropping the tunnel and restoring it again - it reconnects in 5 seconds or less, and everybody can go back to work.

    I've been doing this by going to the VPN/IPsec page, unchecking the box, clicking Save, waiting for the browser to refresh, re-checking the box, and clicking Save again.  As I say, it fixes the problem instantly... but someone has to tell me that the tunnel is down, and I have to be in a place where I can get to a browser.  I feel in my bones that there must be some way to set up a guardian script or daemon to do this automatically - but I'm a rank n00b when it comes to BSD.  Can somebody help a brother out?

    I'm using pfSense v.1.01 Release.  If more detail is necessary, I can provide it.  I think the actual parameters of the tunnel are fine, since it connects instantly and can work for days at a time, but if I'm being too hasty about that, I can provide those details as well.
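A guardian script of the kind asked for above, as an added example (not from this thread or from the pfSense project): it probes a host on the far side of the tunnel with ICMP, counts consecutive failures, and runs a reset command once a threshold is reached. PEER_HOST, THRESHOLD, INTERVAL and RESTART_CMD are assumed placeholders; in particular RESTART_CMD must be replaced with whatever resets IPsec on the pfSense version in use (the equivalent of clicking Save on VPN -> IPsec), since the thread does not name that command.

```shell
#!/bin/sh
# ipsec-watchdog.sh: restart the IPsec tunnel when the far side stops answering.
# Added example; every value below is an assumption to be adjusted locally.
PEER_HOST="${PEER_HOST:-192.0.2.10}"     # constructed RFC 5737 address of a far-side host
THRESHOLD="${THRESHOLD:-3}"              # consecutive failed probes before acting
INTERVAL="${INTERVAL:-30}"               # seconds between probes
# FreeBSD ping: -t is a timeout in seconds (on Linux -t would be the TTL).
PING_CMD="${PING_CMD:-ping -c 1 -t 3}"
# Placeholder: the real reset command for this pfSense version goes here.
RESTART_CMD="${RESTART_CMD:-echo 'placeholder: reset IPsec here'}"
LOG_TAG="ipsec-watchdog"

# probe_peer: one ICMP probe through the tunnel; succeeds if the peer answered.
probe_peer() {
    $PING_CMD "$PEER_HOST" >/dev/null 2>&1
}

# count_after FAILURES PROBE_RC: new consecutive-failure count
# (a successful probe resets the counter to 0).
count_after() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# should_restart FAILURES: true once the failure threshold is reached.
should_restart() {
    [ "$1" -ge "$THRESHOLD" ]
}

# restart_tunnel: log the event to syslog, then run the reset command.
restart_tunnel() {
    logger -t "$LOG_TAG" "peer $PEER_HOST unreachable $THRESHOLD times, resetting IPsec"
    sh -c "$RESTART_CMD"
}

# watch_loop: probe forever, reset after THRESHOLD straight failures.
watch_loop() {
    failures=0
    while :; do
        if probe_peer; then rc=0; else rc=$?; fi
        failures=$(count_after "$failures" "$rc")
        if should_restart "$failures"; then
            restart_tunnel
            failures=0
            sleep 10   # the post reports reconnection within ~5 s; allow a margin
        fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when asked, so the functions can also be sourced.
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then watch_loop; fi
```

Start it in the background from a shell on the firewall, e.g. `WATCHDOG_RUN=1 nohup sh ipsec-watchdog.sh &`, and check syslog for the LOG_TAG entries to see how often it has to act.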



  • At work we use some pfSense boxes with IPSEC, and I know that IPSEC tunnels are automatically restored, for example if the connection drops (we have some bad WAN connections).
    However, we're not using the 1.01 release (because it has no IPSEC filtering), but 1.01 snapshots later than 02-27-2007, or even 1.2 snapshots (which seem perfectly stable for the things we do with it).
    IPSEC in pfSense improved a lot since 1.01.



  • Click "Save" on the VPN -> IPSEC screen to reset IPSEC.  Or use Status -> Services to restart.



  • @sullrich:

    Click "Save" on the VPN -> IPSEC screen to reset IPSEC.

    I'm already doing this - I un-check the "Enable IPSec" box, Save, then re-check the box and Save again.  Are you saying that I can just click Save without making any changes, and it will reset?  That would save a few seconds when I'm under pressure…

    @sullrich:

    Or use Status -> Services to restart.

    How would that work?  On the Status -> Services page I only see two entries:  "dnsmasq" and "dhcpd".

    Again, though, what I'm looking for is some way to do this automatically, preferably BEFORE any of the users notice there's a problem…



  • @YoMarK:

    At work we use some pfSense boxes with IPSEC, and I know that IPSEC tunnels are automatically restored, for example if the connection drops (we have some bad WAN connections).
    However, we're not using the 1.01 release (because it has no IPSEC filtering), but 1.01 snapshots later than 02-27-2007, or even 1.2 snapshots (which seem perfectly stable for the things we do with it).
    IPSEC in pfSense improved a lot since 1.01.

    On July 3rd I upgraded to the latest 1.2 snapshot.  Today (July 5th) I got my usual early-morning call that the VPN was down.

    Here's a screenshot of my VPN settings, if it helps…




  • If you get drops, something isn't matched up right to what's on the other side. Showing what pfsense is configured as is of no help without details on how the other end is configured.



  • I've been having the same issues a lot, but after cmd and hoba suggested to check settings I found that the lifetime on all routers is off. After adjustment everything works great… but you're gonna have to get settings from the other end of the tunnel to match them on your end.

