Netgate Discussion Forum
    pfSense IPsec: no traffic after WAN timeout.

      LuukB

      Hello,

      Currently I am experiencing some problems with VPN (IPsec) connections between pfSense and other
      routers. The problem mainly occurs when there is a (slight) timeout between the VPN endpoints;
      after the connection is re-established, the VPN on both sides is "up" but there is no traffic passing
      through the tunnel. The problem can be solved by disabling and enabling IPsec (restarting racoon) or by
      disabling and enabling the Phase 1 entry of the troubled connection.

      I am using the following router combinations and settings:

      • pfSense - Cisco 1921
      • pfSense - Bintec R3002
      • pfSense - Draytek 2930
      • pfSense - Juniper SSG5

      Phase 1:

      • Encryption: 3DES/SHA1
      • Main mode
      • Lifetime: 28800
      • DH: 2

      Phase 2:

      • Encryption: 3DES/MD5
      • PFS: off
      • ESP

      Most of the research was done with the Bintec R3002; both endpoints are connected directly to the
      internet without NAT between them.

      I’ve tried different settings with different outcomes:

      • Tried "Prefer older IPsec SAs", which does help when rekeying but doesn't fix the problem.
      • Tried DPD on and off, no difference.
      • Tried forced NAT-T, which seems to cause different behavior. With NAT-T enabled, pfSense
        does detect when an IPsec connection is "broken"; without NAT-T the connection keeps the status
        "UP" even when the connection on the other side is disabled. In other words, pfSense doesn't seem to detect a broken VPN connection (DPD doesn't work??).
        With NAT-T enabled pfSense does detect a broken VPN connection, but when the connection is
        re-established no traffic passes through the tunnel.

      When I connect the Bintec to the Draytek (IPsec) over the same WAN links, the connections are stable.
      When I disconnect the WAN links on purpose, the VPN traffic resumes some 30 seconds after the WAN link is connected again.
      For some reason this doesn't seem to work well in my scenario. Does anyone have experience with this
      problem, or any idea how to solve it and how to create stable VPN connections with pfSense?

      Kind regards,
      Luuk

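The symptom described in the post (Phase 1 and Phase 2 shown as up, nothing passing) is normally visible in the kernel's security association database rather than in the GUI. The following is an added example, not code from the post, from pfSense or from ipsec-tools: a small parser for the SAD dump that `setkey -D` prints on racoon-era pfSense, which flags the three conditions worth checking after a WAN blip: a peer pair with a mature ESP SA in one direction only, an SA stuck in a non-mature state (larval, dying), and more than one live SA in the same direction (the situation the "Prefer older IPsec SAs" option, which toggles the FreeBSD sysctl net.key.preferred_oldsa, decides between). The SAD text embedded below is constructed for the example, and the exact field layout is assumed to match ipsec-tools' `setkey -D` output.

```python
"""Detect half-open and stale IPsec SAs in a `setkey -D` dump (added example)."""
import re
import sys
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class SA:
    src: str
    dst: str
    proto: str   # esp / ah / ipcomp
    spi: int
    state: str   # larval / mature / dying / dead
    age: int     # seconds since the SA was created (the "diff:" field)
    hard: int    # hard lifetime in seconds, 0 when unlimited


# Layout assumed from ipsec-tools `setkey -D`: an unindented "src dst" line
# (addresses may carry [port] under NAT-T) followed by indented detail lines.
HEADER_RE = re.compile(r"^(\S+) (\S+)\s*$")
PROTO_RE = re.compile(r"^\s+(esp|ah|ipcomp) mode=\S+ spi=(\d+)")
STATE_RE = re.compile(r"\bstate=(\w+)")
DIFF_RE = re.compile(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)")


def parse_sad(text):
    """Parse `setkey -D` output into a list of SA records."""
    sas, cur = [], None

    def flush(entry):
        if entry and all(k in entry for k in ("proto", "spi", "state")):
            sas.append(SA(entry["src"], entry["dst"], entry["proto"], entry["spi"],
                          entry["state"], entry.get("age", 0), entry.get("hard", 0)))

    for line in text.splitlines():
        if line and not line[0].isspace():
            m = HEADER_RE.match(line)
            if m:                        # a new SAD entry begins
                flush(cur)
                cur = {"src": m.group(1), "dst": m.group(2)}
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), int(m.group(2))
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = DIFF_RE.search(line)
        if m:
            cur["age"], cur["hard"] = int(m.group(1)), int(m.group(2))
    flush(cur)
    return sas


def analyze(sas):
    """Return (kind, detail) findings that explain an 'up but no traffic' tunnel."""
    findings = []
    mature = defaultdict(list)           # (src, dst) -> mature ESP SAs in that direction
    for sa in sas:
        if sa.proto != "esp":
            continue
        if sa.state == "mature":
            mature[(sa.src, sa.dst)].append(sa)
        else:
            findings.append(("not-mature", f"{sa.src}->{sa.dst} spi=0x{sa.spi:08x} state={sa.state}"))
    for (src, dst), lst in sorted(mature.items()):
        if (dst, src) not in mature:
            # ESP SAs are unidirectional: without a usable SA for the reverse
            # direction the peer's packets are dropped here, whatever the GUI shows.
            findings.append(("half-open", f"{src}->{dst} has a mature ESP SA but {dst}->{src} has none"))
        if len(lst) > 1:
            # Two live SAs in one direction: a rekey or peer restart left an old SA
            # behind, and net.key.preferred_oldsa decides which SPI outbound traffic uses.
            spis = ", ".join(f"0x{s.spi:08x} ({s.age}s old)" for s in sorted(lst, key=lambda s: -s.age))
            findings.append(("stale", f"{len(lst)} mature SAs {src}->{dst}: {spis}"))
        for s in lst:
            if s.hard and s.age > s.hard:
                findings.append(("expired", f"{src}->{dst} spi=0x{s.spi:08x} age {s.age}s exceeds hard {s.hard}s"))
    return findings


# Constructed sample: pfSense (203.0.113.10) peered with a Bintec (198.51.100.20)
# whose WAN just came back, and with a Cisco (192.0.2.30) whose tunnel is healthy.
SAMPLE = """\
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=1000001(0x000f4241) reqid=16385(0x00004001)
\tE: 3des-cbc  0f0e0d0c 0b0a0908 07060504 03020100 0f0e0d0c 0b0a0908
\tA: hmac-md5  00112233 44556677 8899aabb ccddeeff
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 2100(s)\thard: 3600(s)\tsoft: 2880(s)
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=1000002(0x000f4242) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 45(s)\thard: 3600(s)\tsoft: 2880(s)
198.51.100.20 203.0.113.10
\tesp mode=tunnel spi=2000001(0x001e8481) reqid=16385(0x00004001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=larval
\tdiff: 45(s)\thard: 3600(s)\tsoft: 2880(s)
203.0.113.10 192.0.2.30
\tesp mode=tunnel spi=3000001(0x002dc6c1) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 600(s)\thard: 3600(s)\tsoft: 2880(s)
192.0.2.30 203.0.113.10
\tesp mode=tunnel spi=3000002(0x002dc6c2) reqid=16386(0x00004002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 600(s)\thard: 3600(s)\tsoft: 2880(s)
"""

if __name__ == "__main__":
    # Pipe a live dump in (`setkey -D | python3 sad_check.py`) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for kind, detail in analyze(parse_sad(text)):
        print(f"{kind:10} {detail}")
```

On the constructed sample the Bintec pair produces three findings (two outbound SAs, an inbound SA still larval, hence half-open) while the Cisco pair produces none. Running the same check on both ends and comparing SPIs tells you which side is holding a stale or half-negotiated SA, which is the first thing to establish before toggling DPD, NAT-T or the preferred-SA setting.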
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.