pfSense IPsec: no traffic after WAN timeout.
Currently I am experiencing some problems with VPN (IPsec) connections between pfSense and other routers. The problem mainly occurs when there is a (slight) timeout between the VPN endpoints: after the connection is re-established, the VPN on both sides is “up” but there is no traffic passing through the tunnel. The problem can be solved by disabling and enabling IPsec (restarting racoon) or by disabling and enabling the Phase 1 entry of the troubled connection.
I am using the following router combinations and settings:
- pfSense - Cisco 1921.
- pfSense - Bintec R3002.
- pfSense - Draytek 2930.
- pfSense - Juniper SSG5.
- Encryption: 3DES/SHA1
- Main mode
- Lifetime: 28800
- DH: 2
- Encryption: 3DES/MD5
- PFS: off
Most of the research was done with the Bintec R3002; both endpoints are connected directly to the internet without NAT networks between them.
I’ve tried different settings with different outcomes:
- Tried “Prefer older IPsec SAs”, which does help when rekeying but doesn’t fix the problem.
- Tried DPD on and off, no difference.
- Tried forced NAT-T, which seems to cause different behavior. With NAT-T enabled, pfSense does detect when an IPsec connection is “broken”; without NAT-T the connection keeps the status “UP” even when the connection on the other side is disabled. In other words, pfSense doesn’t seem to detect a broken VPN connection (DPD doesn’t work??). With NAT-T enabled pfSense does detect a broken VPN connection, but when the connection is re-established no traffic is passing through the tunnel.
When I connect the Bintec to the Draytek (IPsec) on the same WAN links the connections are stable. When I disconnect the WAN links on purpose, the VPN traffic resumes some 30 seconds after the WAN link is connected again.
For some reason this doesn’t seem to work well in my scenario. Does anyone have experience with this problem, or have any idea how to solve this and how to create stable VPN connections with pfSense?
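As an added example (not code from the original post), a small watchdog that automates the workaround described above: it does not trust the tunnel's reported “up” status, but checks whether a host behind the far end still answers through the tunnel, and restarts racoon after several consecutive failures. REMOTE_HOST is a constructed address and RESTART_CMD is an assumption to be adapted to the pfSense version in use.

```shell
#!/bin/sh
# IPsec tunnel watchdog (added example, not from the original post).
# The tunnel's own "up" status is not trusted; liveness is judged by
# whether a host behind the far end still answers through the tunnel.
# REMOTE_HOST is a constructed address; RESTART_CMD is an assumption
# to be adapted to the pfSense version in use.
REMOTE_HOST="${REMOTE_HOST:-192.168.50.1}"
RESTART_CMD="${RESTART_CMD:-/usr/local/etc/rc.d/racoon restart}"
STATE_FILE="${STATE_FILE:-/tmp/ipsec_watchdog.fail}"
PING_COUNT=3
FAIL_THRESHOLD=3   # consecutive failed checks before restarting

# Returns 0 when the far side answers, non-zero otherwise.
tunnel_alive() {
    ping -c "$PING_COUNT" "$REMOTE_HOST" >/dev/null 2>&1
}

# decide <previous_failures> <ping_status>
# Prints the updated failure count; returns 0 when a restart is due.
decide() {
    fails=$1
    ping_status=$2
    if [ "$ping_status" -eq 0 ]; then
        echo 0          # traffic flows: reset the counter, no restart
        return 1
    fi
    fails=$((fails + 1))
    echo "$fails"
    [ "$fails" -ge "$FAIL_THRESHOLD" ]
}

restart_ipsec() {
    logger -t ipsec-watchdog "no traffic to $REMOTE_HOST, restarting IPsec"
    $RESTART_CMD
}

main() {
    fails=$(cat "$STATE_FILE" 2>/dev/null)
    tunnel_alive
    status=$?
    if fails=$(decide "${fails:-0}" "$status"); then
        restart_ipsec
        fails=0
    fi
    echo "$fails" > "$STATE_FILE"
}

# Run from cron, e.g. every minute: sh ipsec_watchdog.sh run
case "${1:-}" in run) main ;; esac
```

The restart is only triggered after FAIL_THRESHOLD consecutive misses, so a single lost ping during a brief WAN blip does not bounce a tunnel that is about to recover on its own.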