IPsec connections dropping - prefer older IPsec SAs per connection?



  • I've got a pfSense system with about 12 different VPN endpoints. Nearly all of them work very reliably except for one, which goes down for a consistent amount of time shortly after renegotiating a new phase 2 IPsec-SA, for example this will show in the logs (log sanitized a bit, 192.168.1.98 is the pfSense box, 10.28.28.136 is the remote box):

    May 13 11:53:44	racoon: [Development VPN]: INFO: IPsec-SA established: ESP 192.168.1.98[500]->10.28.28.136[500] spi=567741818(0x21d70d7a)
    May 13 11:53:44	racoon: [Development VPN]: INFO: IPsec-SA established: ESP 192.168.1.98[500]->10.28.28.136[500] spi=37852164(0x2419404)
    May 13 11:53:44	racoon: [Development VPN]: INFO: IPsec-SA expired: ESP/Tunnel 10.28.28.136[500]->192.168.1.98[500] spi=230890120(0xdc31a88)
    May 13 11:53:44	racoon: [Development VPN]: INFO: initiate new phase 2 negotiation: 192.168.1.98[500]<=>10.28.28.136[500]
    May 13 11:53:44	racoon: [Development VPN]: INFO: IPsec-SA expired: ESP 192.168.1.98[500]->10.28.28.136[500] spi=675024250(0x283c0d7a)
    

    I believe that "Prefer older IPsec SAs" is the default now, isn't it? Anyway, it's on for this endpoint and the other 11 VPNs work fine, so it seems it would be useful if one could disable that option on a single VPN. Is that possible?

    Any other suggestions to try here?
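    As an added example (not from the thread and not pfSense or racoon code), here is a small Python parser for racoon "IPsec-SA established/expired" lines in the format quoted above. It replays the events to show which SPIs are still active per tunnel and direction after the rekey burst, which SPIs expired without ever being seen established (they predate the captured window), and which timestamps contain both an establish and an expire for the same tunnel. The sample input is constructed from the sanitized lines in the post; the tunnel name and addresses are those from the post, not real infrastructure.

```python
import re

# Constructed sample: the sanitized racoon lines quoted in the post (tab after the timestamp).
SAMPLE_LOG = "\n".join([
    "May 13 11:53:44\tracoon: [Development VPN]: INFO: IPsec-SA established: ESP 192.168.1.98[500]->10.28.28.136[500] spi=567741818(0x21d70d7a)",
    "May 13 11:53:44\tracoon: [Development VPN]: INFO: IPsec-SA established: ESP 192.168.1.98[500]->10.28.28.136[500] spi=37852164(0x2419404)",
    "May 13 11:53:44\tracoon: [Development VPN]: INFO: IPsec-SA expired: ESP/Tunnel 10.28.28.136[500]->192.168.1.98[500] spi=230890120(0xdc31a88)",
    "May 13 11:53:44\tracoon: [Development VPN]: INFO: initiate new phase 2 negotiation: 192.168.1.98[500]<=>10.28.28.136[500]",
    "May 13 11:53:44\tracoon: [Development VPN]: INFO: IPsec-SA expired: ESP 192.168.1.98[500]->10.28.28.136[500] spi=675024250(0x283c0d7a)",
])

# Matches only the SA lifecycle lines; the "initiate new phase 2" line is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+racoon:\s+\[(?P<tunnel>[^\]]+)\]:\s+INFO:\s+"
    r"IPsec-SA (?P<event>established|expired):\s+ESP(?:/Tunnel)?\s+"
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\]\s+spi=(?P<spi>\d+)\((?P<hex>0x[0-9a-f]+)\)"
)


def parse_sa_events(log_text):
    """Return a list of SA events (dicts) in log order; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "ts": m.group("ts"),
                "tunnel": m.group("tunnel"),
                "event": m.group("event"),
                "direction": f"{m.group('src')}->{m.group('dst')}",
                "spi": int(m.group("spi")),
            })
    return events


def track_sa_state(events):
    """Replay events. Returns (active, unknown_expired):
    active maps (tunnel, direction) -> SPIs still established, in establishment order;
    unknown_expired lists (key, spi) for SAs that expired without a prior 'established'
    line, i.e. SAs created before the captured window."""
    active = {}
    unknown_expired = []
    for ev in events:
        key = (ev["tunnel"], ev["direction"])
        if ev["event"] == "established":
            active.setdefault(key, []).append(ev["spi"])
        elif ev["spi"] in active.get(key, []):
            active[key].remove(ev["spi"])
        else:
            unknown_expired.append((key, ev["spi"]))
    return active, unknown_expired


def find_rekey_bursts(events):
    """Return {(tunnel, ts): {'established': n, 'expired': m}} for every timestamp at
    which a tunnel both gained and lost SAs, i.e. a rekey window worth inspecting."""
    counts = {}
    for ev in events:
        bucket = counts.setdefault((ev["tunnel"], ev["ts"]), {"established": 0, "expired": 0})
        bucket[ev["event"]] += 1
    return {k: v for k, v in counts.items() if v["established"] and v["expired"]}


def directions_with_multiple_sas(active):
    """Directions that end the window with more than one live SA: exactly the case
    where a 'prefer older SA' policy decides which one carries traffic."""
    return {key: spis for key, spis in active.items() if len(spis) > 1}


if __name__ == "__main__":
    evs = parse_sa_events(SAMPLE_LOG)
    active, unknown = track_sa_state(evs)
    for key, spis in active.items():
        print("active", key, spis)
    for key, spi in unknown:
        print("expired without seen establish", key, spi)
    print("rekey bursts:", find_rekey_bursts(evs))
    print("multiple live SAs:", directions_with_multiple_sas(active))
```

    Run against the five quoted lines, the replay shows the outbound direction ending the second with two freshly established SPIs while both expired SPIs were never seen being established, so any decision about which of the two outbound SAs is used comes down to the global preference setting rather than anything visible in this log excerpt.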



  • BTW, this is a pfSense 2.0.3 box…



  • It's not the default currently for new configs, and should probably not be enabled at all. It's not likely to hurt your other connections to change it.



  • @cmb:

    It's not the default currently for new configs, and should probably not be enabled at all. It's not likely to hurt your other connections to change it.

    Really? I had a test machine here with 2.0.2 and performed a reset to defaults and it was still checked after that before I started this thread. Did that change in 2.0.3?

    Or does resetting to default not really reset the box fully back to default settings? I will check again…

    From searching the forum, Ermal also seems to recommend turning this option on (if it isn't already) as one of the first steps for troubleshooting flaky connections...

    Edit:

    I did a fresh install using 2.0.2 x86_64 and 2.0.3 i386 - both had <preferoldsa> in the config file and the option was checked through the web interface. Interestingly, I was looking at one of our firewalls and it also had a slightly different spelling of the config value, <preferredoldsa>, perhaps left over from a previous upgrade?

    BTW - when changing the setting, does anything else need to be done to have it take effect? Nothing seems to show up in the logs, at least with regards to racoon/ipsec.


  • Rebel Alliance Developer Netgate

    It was removed from 2.1 as a default, it was still the default on 2.0.3, but not after.



  • OK, so what's the recommended setting here for 2.0.3? It seems to make sense to not enable it as set in 2.1

    Is it possible to change the setting on a per-connection basis? I seem to have connections that prefer it to be on and some that prefer it to be off. And I suspect that having multiple connections with different settings will lead to some IPsec connections dropping regularly.

    It's a bit frustrating as I have some IPsec connections that insist on dropping traffic fairly regularly and it always seems to happen right after negotiating a new phase2 connection. Restarting the connection manually (disable/enable) will bring it back up right away, or waiting long enough for one side to expire another phase2 connection will work…


  • Rebel Alliance Developer Netgate

    It should be disabled. It just didn't get disabled on 2.0.3 before it shipped.

    You can't change it per connection, it's a global setting.


Locked