Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Ping in one direction between hosts fails to open a tunnel

    IPsec
    2
    2
    1.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • I
      Ignatius
      last edited by

      I'd like to implement an IPSec VPN between two pfSense installations, each behind a Draytek 2820 router.  In anticipation of doing it for real, I've set up two VMs using VirtualBox to aid my learning process.

      The pfSense installations are the most recent (2.0.2).  The "Main Office" LAN is 192.168.3.0 / 24 and the "Remote Office" LAN is 192.168.4.0 / 24 so the respective LAN interfaces of the pfSense boxes are .1.  I have an XP VM (192.168.3.2 / 24) and an Ubuntu VM (192.168.4.2 / 24). The WAN interfaces are 69.46.80.101 / 24 and 69.46.80.102 / 24.

      I have configured the IPSec and can ping between the hosts, however if I ping initially from the Ubuntu (192.168.4.2), the tunnel comes up immediately and responses are seen from the XP (192.168.3.2) but if I close down the terminals then start the ping from the XP side, it may start or it may not (Request timed out).  If I start it soon after successful pings between the two systems, it usually starts immediately but if I leave it for several minutes, the tunnel just won't come up when pinged from the 192.168.3.0 side.  As soon as I start the ping from the 192.168.4.0 side, there are responses from both sides.  It's as if the tunnel times out and can be opened only by traffic from the 192.168.4.0 side.

      When I configured the VPN, in phase 2, I set the timeout to be 3600 seconds on both sides and set it to automatically ping the host at the other end of the tunnel so surely the tunnel should remain open?

      I hope I've explained the situation sufficiently.  Can anyone suggest what I am doing wrong?  As I said, this is a "dry run" for when I do it for real.

      Thanks for your time (and patience!).

      1 Reply Last reply Reply Quote 0
      • J
        jonallport
        last edited by

        What do you have on your Phase1 proposal checking?  If it's 'default' or 'strict' try changing it to 'obey'.

        From man racoon.conf(5):

        proposal_check level
            specifies the action of lifetime length and PFS of the phase 2 selection on the responder side. The default level is strict If the level is;

        obey
                the responder will obey the initiator anytime.
            strict
                If the responder's length is longer than the initiator's one, the responder uses the initiator's one. Otherwise it rejects the proposal. If PFS is not required by the responder, the responder will obey the proposal. If PFS is required by both sides and if the responder's group is not equal to the initiator's one, then the responder will reject the proposal.
            claim
                If the responder's length is longer than the initiator's one, the responder will use the initiator's one. If the responder's length is shorter than the initiator's one, the responder uses its own length AND sends a RESPONDER-LIFETIME notify message to an initiator in the case of lifetime. About PFS, this directive is same as strict
            exact
                If the initiator's length is not equal to the responder's one, the responder will reject the proposal. If PFS is required by both sides and if the responder's group is not equal to the initiator's one, then the responder will reject the proposal.

        The way I interpreted this for my troubleshooting was that if 'default/strict' are in force and the remote end reboots, the local end will ignore then incoming IKE until it own key lifetime expires.  Whether that's right or not, it worked for me and the Cisco ASA I was having as spat with!

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.