pfSense Fibre IPsec tunnel issue



  • Hi there,

    We have recently started converting some of our sites onto fibre connections as they become available in our areas. So far we have done 2 separate sites, and on both sites I am experiencing the same issue.

    On our normal setups our pfSense boxes are connected to a router that connects out. The router takes 1 of our public IP addresses and one Ethernet card on the pfSense box takes the 2nd (Red interface).
    We then have 2 more Ethernet cards on the pfSense (one for the local LAN, one for the untrusted LAN). Now on the pfSense box we have set it to have a phase 1 IPsec tunnel and then 3 phase 2 tunnels. Those 3 tunnels are for the local LAN, the untrusted LAN, and one to allow external contractors to remote into the untrusted LAN.

    That's all been fine in the past; however, now that we are on fibre that Red tunnel does not come online. The other 2 do fine, but just not that one for external support.

    This is the same if I use a router or if I plug the pfSense box directly into the modem and let pfSense make the PPPoE connection.

    Any ideas why this might be?

    There are no traffic shapers in play, nothing that I can see that would stop it. And if I plug it back into an ADSL connection it then works fine.

    The tunnels are using:

    P2 Protocol   P2 Transforms       P2 Auth Methods
    ESP           AES (auto), 3DES    SHA1

    But I have tried them using AH for the P2 protocol as well, with the same result.

    Also, we had another site go onto fibre recently, and when it went online all 3 of its IPsec tunnels were online and well.

    I compared it side by side with another site that only had 2/3 tunnels up, and as far as I could tell they were identical, apart from the fact that one of its redundant IPsec tunnels (used for failover in the past but since redundant), which is disabled, had SHA1 and MD5 as authentication methods, and on the receiving end of the IPsec the exchange was set to Automatic.
    I have since tried replicating that on the 2/3 firewall, but still the same result.

    Now, even stranger: after about a week or 2 of those 3 tunnels being up, it has now only got 2/3 tunnels up itself!

    Anybody got any suggestions on this strangeness?

    Oh, and I have tried this on 2.1-RELEASE (i386) as well as 2.0-BETA5 (i386).



  • No suggestions?

    Strangely, at the site that originally had all 3 tunnels up and then went to only 2 tunnels up, we had a power cut, and after a reboot all 3 tunnels came back.



  • And now, after 2 days, that same server only has 2 tunnels up.

    Is there perhaps some timeout setting for an IPsec tunnel, or some routine which should automatically try to bring the tunnel back up if it drops off?
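An added example, not from the thread and not pfSense's own code, of the kind of "routine" the last post asks about. On a racoon-based pfSense (2.0/2.1) a Phase 2 SA is negotiated on demand and expires when its lifetime runs out, so a Phase 2 with no traffic simply stays down until something inside its selector sends a packet; pfSense exposes this fix in the GUI as the Phase 2 "Automatically ping host" keep-alive. The script below does the same from cron: it counts mature ESP SAs between the two gateways in the kernel SAD (`setkey -D`) and, when fewer than the expected number of Phase 2 entries are up, sources a ping from the local LAN address at a host behind each Phase 2 so that matching traffic makes racoon negotiate the SA. All addresses, the expected Phase 2 count and the sample `setkey -D` text are assumptions made up for the example; the parser works on the header/protocol/state lines only.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense's own code): a minimal Phase 2
# watchdog for a racoon-based pfSense (2.0/2.1). Counts mature ESP SAs between
# the two gateways in `setkey -D` output and, if fewer than EXPECTED_P2 are up,
# pings a host behind each Phase 2 from the local LAN address to trigger
# negotiation. All addresses below are hypothetical placeholders.

LOCAL_GW="203.0.113.10"      # assumed: this box's WAN (Red) address
REMOTE_GW="198.51.100.20"    # assumed: the peer's WAN address
LOCAL_LAN_IP="192.168.1.1"   # assumed: our LAN-side address, inside a Phase 2 selector
EXPECTED_P2=3                # assumed: LAN, untrusted LAN and contractor Phase 2 entries
KEEPALIVE_HOSTS="10.10.0.1 10.20.0.1 10.30.0.1"  # assumed: one host behind each Phase 2

# Constructed sample of `setkey -D` output for offline testing. Real output
# indents detail lines with a tab and prints full key material on E:/A: lines;
# the parser accepts tabs or spaces and only looks at the "src dst" header,
# the protocol word and state=... Two of three outbound SAs are mature, one is dying.
SAMPLE_SAD='203.0.113.10 198.51.100.20
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    E: aes-cbc  deadbeef
    A: hmac-sha1  deadbeef
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.20 203.0.113.10
    esp mode=tunnel spi=305419897(0x12345679) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=305419898(0x1234567a) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.20 203.0.113.10
    esp mode=tunnel spi=305419899(0x1234567b) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
203.0.113.10 198.51.100.20
    esp mode=tunnel spi=305419900(0x1234567c) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
'

# count_mature_sas SRC DST: reads `setkey -D` text on stdin and prints how many
# ESP SAs from SRC to DST are in state=mature (larval/dying SAs are not counted).
count_mature_sas() {
    awk -v src="$1" -v dst="$2" '
        # An SA entry starts with an unindented "src dst" line.
        /^[^ \t]/ { pair = ($1 == src && $2 == dst); proto = ""; next }
        # The first detail line names the protocol (esp or ah).
        pair && $1 == "esp" { proto = "esp"; next }
        pair && proto == "esp" && /state=mature/ { n++ }
        END { print n + 0 }
    '
}

# decide_action SRC DST EXPECTED: prints "up" when at least EXPECTED mature
# outbound SAs exist, otherwise "kick". SAD text is read on stdin.
decide_action() {
    n=$(count_mature_sas "$1" "$2")
    if [ "$n" -ge "$3" ]; then echo up; else echo kick; fi
}

# watchdog: the cron entry point on a real pfSense box. Sourcing the ping from
# LOCAL_LAN_IP matters: a ping from the WAN address does not match the
# LAN-to-remote Phase 2 selector and so never triggers negotiation.
watchdog() {
    action=$(setkey -D 2>/dev/null | decide_action "$LOCAL_GW" "$REMOTE_GW" "$EXPECTED_P2")
    if [ "$action" = kick ]; then
        for host in $KEEPALIVE_HOSTS; do
            ping -S "$LOCAL_LAN_IP" -c 2 -q "$host" >/dev/null 2>&1 || true
        done
    fi
    echo "$action"
}

# Stand-alone demo on the constructed sample (no setkey/ping needed); run with
# the argument "run" on the firewall to use the live SAD instead.
if [ "${1:-}" = run ]; then
    watchdog
else
    printf '%s' "$SAMPLE_SAD" | decide_action "$LOCAL_GW" "$REMOTE_GW" "$EXPECTED_P2"   # → kick
fi
```

Installed as a one-minute cron job this keeps every Phase 2 negotiated without relying on the peer to start traffic, which is what the GUI keep-alive does for you. The count is deliberately coarse: `setkey -D` keys SAs by gateway pair, so with three Phase 2 entries to the same peer it cannot say which one is missing; that is why the script pings a host behind each of them rather than trying to single one out, and why during a rekey (old SA dying, new one mature) the count stays correct.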