Site-to-site VPN static-IP - dynamic-IP fails after upgrade to 2.1



  • Hi all,

    I had a site-to-site VPN working perfectly for years. The pfSense has a static IP and the remote endpoint at home is a router with a dynamic PPPoE IP, which forces a reconnection nightly at about 3am.

    After upgrading pfSense 2.0.x to 2.1 a week ago, the IPsec tunnel is unstable after the IP address change during the night.
    I didn't change anything else (I swear ;-)

    After the IP address change it seems to toggle up and down because something expires, or in other words, something is not in sync with the keys anymore!?

    In the log file one can see this while the IP addresses didn't change. This happens at different intervals of 10 to 30 minutes.

    Do I have to configure something new or different in 2.1? It looks like SAs are not deleted when the IP address changes, or something like that. But everything was fine in 2.0.x, and I can't downgrade and I can't set it up from scratch because it's a remote server site and I can't reach the VM without the tunnel.

    I hope someone can give me some advice?!

    Best regards
    Patrick

    ---schnipp---
    Oct  5 10:30:51 portal3 racoon: INFO: ISAKMP-SA established 62.214.x.x[500]-88.208.x.x[500] spi:ed274c72c4b16736:0cd55247109fe0c4
    Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA expired: ESP 62.214.x.x[500]->88.208.x.x[500] spi=740244044(0x2c1f3a4c)
    Oct  5 10:30:53 portal3 racoon: INFO: initiate new phase 2 negotiation: 62.214.x.x[500]<=>88.208.x.x[500]
    Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA expired: ESP/Tunnel 88.208.x.x[500]->62.214.x.x[500] spi=54489091(0x33f7003)
    Oct  5 10:30:53 portal3 racoon: WARNING: attribute has been modified.
    Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA established: ESP 62.214.x.x[500]->88.208.x.x[500] spi=195358710(0xba4eff6)
    Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA established: ESP 62.214.x.x[500]->88.208.x.x[500] spi=2138122800(0x7f712a30)
    Oct  5 10:42:51 portal3 racoon: INFO: ISAKMP-SA expired 62.214.x.x[500]-88.208.x.x[500] spi:1eb743ad5887e0de:9e414893890d19a9
    Oct  5 10:42:51 portal3 racoon: INFO: ISAKMP-SA deleted 62.214.x.x[500]-88.208.x.x[500] spi:1eb743ad5887e0de:9e414893890d19a9
    ---schnapp---
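    The excerpt above is enough to machine-check for SA churn. The script below is an added example written for this thread, not pfSense or racoon code: it parses racoon syslog lines in the shape quoted above (the masked addresses are copied from the post as the constructed sample) and raises three findings for a peer pair whose tunnel is flapping. The window, churn threshold and grace period are assumed values, not racoon defaults.

```python
"""Flag IPsec SA churn in racoon (ipsec-tools) syslog output.

Added example for this forum thread; not pfSense or racoon code. Log format
follows the lines quoted in the first post; thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the first post's excerpt, addresses masked as quoted there.
SAMPLE_LOG = """\
Oct  5 10:30:51 portal3 racoon: INFO: ISAKMP-SA established 62.214.x.x[500]-88.208.x.x[500] spi:ed274c72c4b16736:0cd55247109fe0c4
Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA expired: ESP 62.214.x.x[500]->88.208.x.x[500] spi=740244044(0x2c1f3a4c)
Oct  5 10:30:53 portal3 racoon: INFO: initiate new phase 2 negotiation: 62.214.x.x[500]<=>88.208.x.x[500]
Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA expired: ESP/Tunnel 88.208.x.x[500]->62.214.x.x[500] spi=54489091(0x33f7003)
Oct  5 10:30:53 portal3 racoon: WARNING: attribute has been modified.
Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA established: ESP 62.214.x.x[500]->88.208.x.x[500] spi=195358710(0xba4eff6)
Oct  5 10:30:53 portal3 racoon: INFO: IPsec-SA established: ESP 62.214.x.x[500]->88.208.x.x[500] spi=2138122800(0x7f712a30)
Oct  5 10:42:51 portal3 racoon: INFO: ISAKMP-SA expired 62.214.x.x[500]-88.208.x.x[500] spi:1eb743ad5887e0de:9e414893890d19a9
Oct  5 10:42:51 portal3 racoon: INFO: ISAKMP-SA deleted 62.214.x.x[500]-88.208.x.x[500] spi:1eb743ad5887e0de:9e414893890d19a9
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# A peer is "addr[port]"; ISAKMP lines join peers with "-", ESP lines with "->".
SA_EVENT_RE = re.compile(
    r"^(?P<kind>ISAKMP-SA|IPsec-SA) (?P<state>established|expired|deleted):? "
    r"(?:ESP(?:/Tunnel)? )?(?P<a>\S+?)\[\d+\](?:->|-)(?P<b>\S+?)\[\d+\]"
)
# racoon's proposal check logs this when the peer's reply differs from what
# was proposed (typically the SA lifetime); worth comparing both ends' settings.
MODIFIED_ATTR = "attribute has been modified."


def parse_events(log_text, year=1900):
    """Return (sa_events, warning_timestamps) from racoon syslog text.

    Syslog carries no year, so one is assumed (1900 by default); deltas within
    one excerpt are still correct as long as no year boundary is crossed.
    """
    events, warnings = [], []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        if m["level"] == "WARNING" and MODIFIED_ATTR in m["msg"]:
            warnings.append(ts)
            continue
        e = SA_EVENT_RE.match(m["msg"])
        if e:
            pair = tuple(sorted((e["a"], e["b"])))  # direction-independent key
            events.append((ts, e["kind"], e["state"], pair))
    return events, warnings


def find_sa_churn(events, warnings, window=timedelta(minutes=15),
                  churn_threshold=6, grace=timedelta(seconds=10)):
    """Return findings for peer pairs whose SAs flap (thresholds are assumptions)."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[ev[3]].append(ev)
    findings = []
    for pair, evs in by_pair.items():
        evs.sort()
        # Rule 1: too many SA state changes inside one sliding window.
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= churn_threshold:
            findings.append({"pair": pair, "rule": "sa_churn", "events_in_window": peak})
        # Rule 2: phase 2 SAs expiring seconds after a fresh phase 1 came up,
        # the pattern in the post where old child SAs look out of sync with the new keys.
        phase1_up = [ts for ts, kind, state, _ in evs
                     if kind == "ISAKMP-SA" and state == "established"]
        for ts, kind, state, _ in evs:
            if kind == "IPsec-SA" and state == "expired":
                recent = [p for p in phase1_up if timedelta(0) <= ts - p <= grace]
                if recent:
                    findings.append({"pair": pair, "rule": "child_sa_expired_after_phase1",
                                     "seconds_after_phase1": int((ts - recent[-1]).total_seconds())})
                    break
    if warnings:
        findings.append({"pair": None, "rule": "attribute_modified_warning",
                         "count": len(warnings)})
    return findings


def analyze(log_text):
    """Convenience wrapper: parse then evaluate the churn rules."""
    return find_sa_churn(*parse_events(log_text))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

    Running it against the quoted excerpt reports the churn (seven SA state changes within twelve minutes), the child SAs expiring two seconds after the new ISAKMP SA, and the single "attribute has been modified" warning. Over a full day of logs the same script would show whether the 10 to 30 minute cycles in the post line up with phase 2 lifetimes on either end.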



  • This is probably not the correct answer to your question, but I have experienced the same issues with IPsec site-to-site as well, although my tunnel would be stable for a week or two. My fix was to switch to an OpenVPN site-to-site connection. Not sure if this is an option for you, but give it a try; I have found that my throughput went up significantly, and I'm not seeing any loss in upload speed from the encryption/decryption of packets, ~2.5 MBytes/s sustained (my connection is 100/25).

    With regards to your IPsec tunnel, I like to use dynamic DNS so that if your remote site's IP address changes it shouldn't be a problem for your configuration. Could save you some money too, not having to pay for a static IP from your ISP.



  • I saw a similar issue when I tested an upgrade to 2.1. The solution for me was to simply rebuild the IPsec, meaning I removed all my old configs and recreated them. After that they were stable; however, I only had it in place a week after that before I brought the production box online, but it did solve my problems for that week.



  • I have created a bug in Redmine for this:

    https://redmine.pfsense.org/issues/3321



  • This is broken again in 2.1.2



  • And in 2.1.4, I am sure. Although I would like to see the pfSense side config you guys are using to compare with what I have.