Odd IPSec Issue
-
Hi,
I currently have a LAN-LAN IPsec VPN set up between 2 Drayteks, one in my DC and one at a school I support. The outbound IPsec, I believe, will be NAT'd through the LEA firewall; all is well and has been for a while.
We're migrating our Draytek to a pfSense cluster and all has been well with IPsec so far, apart from this connection. The customer's tunnel establishes with our pfSense (still Draytek at their end) and passes data no problem. The Security Associations show ESP-UDP rather than just ESP as per the other connections.
The connection will stay up for around 24 hours and will then stop passing data completely (the tunnel is still established). When I check the SAD table I can see multiple Security Associations for this tunnel; nothing will then cause the tunnel to pass data, apart from a reboot of pfSense, which isn't feasible as it's live.
I remember 1.2.3 used to do this with all IPsec; I'm now running 2.0.1-RELEASE on ApplianceShop hardware (Core2Quad with 6 GB RAM) and generally connections are fine and stable.
I've switched the customer back to terminate on the Draytek for now, but any thoughts on this would be appreciated.
Many thanks
Steve
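A check worth running before reaching for a reboot, as an added example that is not part of this thread and not pfSense's own code: the script below parses a `setkey -D` dump (the same data the Status > IPsec SAD page shows), groups the SAs per tunnel direction, tells the normal rekey overlap apart from SAs that should have been cleared out (past their hard lifetime, or a second SA negotiated long before the first reached its soft lifetime), and prints the `setkey -c` delete statements for the stale ones. The sample dump is constructed; the field layout follows the ipsec-tools setkey output as I know it, and the `delete src dst proto spi;` syntax is from setkey(8) and should be checked against the man page on the box before use.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of an ipsec-tools `setkey -D` dump, the SAD that
# pfSense 2.0.x displays. Addresses are documentation ranges; SPIs, times and
# lifetimes are invented. Real output separates fields with tabs; spaces are used
# here and the parser accepts either. NAT-T entries show esp-udp and [4500] ports.
SAMPLE_SAD = """\
192.0.2.10[4500] 198.51.100.5[4500]
    esp-udp mode=tunnel spi=268435457(0x10000001) reqid=16385(0x00004001)
    E: aes-cbc  0a0b0c0d 0a0b0c0d 0a0b0c0d 0a0b0c0d
    A: hmac-sha1  01020304 01020304 01020304 01020304 01020304
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Mar 10 09:00:00 2012    current: Mar 11 10:00:00 2012
    diff: 90000(s)    hard: 28800(s)    soft: 23040(s)
    last: Mar 11 10:00:00 2012    hard: 0(s)    soft: 0(s)
    current: 4096(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 32    hard: 0    soft: 0
    sadb_seq=5 pid=1234 refcnt=1
192.0.2.10[4500] 198.51.100.5[4500]
    esp-udp mode=tunnel spi=268435458(0x10000002) reqid=16385(0x00004001)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 1800(s)    hard: 28800(s)    soft: 23040(s)
192.0.2.10[4500] 198.51.100.5[4500]
    esp-udp mode=tunnel spi=268435459(0x10000003) reqid=16385(0x00004001)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 600(s)    hard: 28800(s)    soft: 23040(s)
198.51.100.5[4500] 192.0.2.10[4500]
    esp-udp mode=tunnel spi=536870913(0x20000001) reqid=16386(0x00004002)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 25000(s)    hard: 28800(s)    soft: 23040(s)
198.51.100.5[4500] 192.0.2.10[4500]
    esp-udp mode=tunnel spi=536870914(0x20000002) reqid=16386(0x00004002)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 1800(s)    hard: 28800(s)    soft: 23040(s)
203.0.113.7 192.0.2.10
    esp mode=tunnel spi=805306369(0x30000001) reqid=16387(0x00004003)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    diff: 5000(s)    hard: 28800(s)    soft: 23040(s)
"""

SA_RE = re.compile(r"^\s+(esp-udp|esp|ah)\s+mode=(\w+)\s+spi=\d+\((0x[0-9a-fA-F]+)\)")
STATE_RE = re.compile(r"state=(\w+)")
LIFE_RE = re.compile(r"^\s+diff:\s+(\d+)\(s\)\s+hard:\s+(\d+)\(s\)\s+soft:\s+(\d+)\(s\)")


def parse_sad(dump):
    """Parse `setkey -D` text into one dict per SA (src, dst, proto, spi, state, lifetimes)."""
    sas, src, dst, cur = [], None, None, None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented "src dst" line starts an entry
            src, dst = line.split()[:2]
            cur = None
            continue
        m = SA_RE.match(line)
        if m:
            cur = {"src": src, "dst": dst, "proto": m.group(1), "mode": m.group(2),
                   "spi": m.group(3), "state": "", "age": 0, "hard": 0, "soft": 0}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = LIFE_RE.match(line)               # "diff:" is seconds since the SA was created
        if m:
            cur["age"], cur["hard"], cur["soft"] = (int(x) for x in m.groups())
    return sas


def classify(sas):
    """Map each SPI to 'current', 'overlap', 'duplicate' or 'expired'.

    One direction of one tunnel (src, dst, proto) holds a single SA, or two while a
    rekey is in progress: the old SA is then past its soft lifetime and the new one
    is young. Anything beyond that is an SA the kernel should have cleared out."""
    by_dir = defaultdict(list)
    for sa in sas:
        by_dir[(sa["src"], sa["dst"], sa["proto"])].append(sa)
    verdict = {}
    for group in by_dir.values():
        live = []
        for sa in group:
            if sa["hard"] and sa["age"] > sa["hard"]:
                verdict[sa["spi"]] = "expired"   # outlived its own hard lifetime
            else:
                live.append(sa)
        live.sort(key=lambda s: s["age"])        # youngest first
        for i, sa in enumerate(live):
            if i == 0:
                verdict[sa["spi"]] = "current"
            elif sa["soft"] and sa["age"] >= sa["soft"]:
                verdict[sa["spi"]] = "overlap"   # normal rekey window
            else:
                verdict[sa["spi"]] = "duplicate" # second SA negotiated well before soft lifetime
    return verdict


def stale_spis(sas):
    """SPIs that should not be in the SAD at all, sorted."""
    v = classify(sas)
    return sorted(sa["spi"] for sa in sas if v[sa["spi"]] in ("expired", "duplicate"))


def delete_commands(sas):
    """setkey(8) statements removing the stale SAs; pipe them into `setkey -c`."""
    stale = set(stale_spis(sas))
    return ["delete %s %s %s %s;" % (sa["src"], sa["dst"], sa["proto"], sa["spi"])
            for sa in sas if sa["spi"] in stale]


if __name__ == "__main__":
    import sys
    sas = parse_sad(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SAD)
    verdicts = classify(sas)
    for sa in sas:
        print("%-9s %-7s %s -> %s  %s" % (verdicts[sa["spi"]], sa["proto"], sa["src"], sa["dst"], sa["spi"]))
    print("\n".join(delete_commands(sas)))
```

Run it as `setkey -D | python sad_check.py` (the file name is my choice) and read the verdicts before deleting anything: an `overlap` verdict is the normal state for a few minutes around a rekey, and deleting an SA with `setkey -c` drops whatever traffic is still on it until the peers negotiate a replacement, so only remove the SPIs reported as `expired` or `duplicate`. On the constructed sample the outbound direction to the NAT-T peer carries one expired SA and one duplicate, which is the pattern the post describes.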
-
Does your tunnel endpoint have a public IP? I had a similar kind of issue when I had one tunnel endpoint with a public IP and the other endpoint with a private IP (NAT used by the ISP). I managed to get the tunnel working for a while, but reconnects failed all the time. FIX: I just got a public IP for both ends and the problems were gone!
-
Yes, it definitely has a static IP which doesn't change. The Draytek to Draytek IPsec is fine. It seems that the security associations aren't being cleared out and therefore, although the tunnel will establish, it won't pass data, but this only seems to happen for tunnels behind NAT.
Any more thoughts anyone?
-
Yes, but is it a PUBLIC IP?
It works even with a dynamic IP if you also use a DDNS service.