[repeat post] Can't re-create IPsec tunnel automatically after peer side power-off



  • Dear all,

    Because I can't reply to my own post below, I am posting a new one:

    We are using one m0n0wall box (running m0n0wall version 1.22) in city A, and in city B we have one D-Link OFL 300 box that creates one IPsec tunnel (as mobile IPsec) to that m0n0wall in city A. The tunnel works well; then, after the D-Link box powers off for some reason, the D-Link box cannot create that IPsec tunnel to city A again automatically. Only after releasing the SA of that old tunnel on the m0n0wall box in city A can the D-Link box create an IPsec tunnel to the m0n0wall again. This is the problem.

    I am not sure if it is about Dead Peer Detection (DPD) of IPsec. I know pfSense is very similar to m0n0wall, so I posted my problem here. Could you help look into this problem?

    My problem is: could pfSense fix such a problem?

    Any hint, comment or suggestion will be highly appreciated!

    Merry Christmas!

    Jian



  • I've got a similar issue between a Linksys BEFVP41 V2 and my pfSense box.  I had a similar problem when I was running m0n0wall.  The best solution I have found is to keep traffic in the tunnel so it doesn't drop.  I have found that something as simple as a ping running from the pfSense end will either keep the tunnel up, or bring it back up if it drops.  The keep alive option doesn't seem to do anything for me, so I keep a ping process running from a box on the network.  As long as I have traffic the tunnel stays alive, but if it dies I can only bring it back up from the pfSense end.



  • 1.2 has an option to automatically ping the other end of the tunnel.

    If you're not running 1.2 you are highly encouraged to upgrade.  1.0.1 has a lot of known issues.



  • I know about the option to ping the other end of the tunnel.  It hasn't worked for me through 1.2RC2.  I just upgraded to RC3 today, so I'll see if it works now.  Otherwise I just keep a terminal window open with ping running.



  • I had a similar problem with an IPsec VPN tunnel.  I enabled the keep alive on both ends of the tunnel and have not had any trouble at all.  Also I had to make sure that the ICMP port was open so that the ping could pass through the tunnel.
    RC
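
The manual workaround the replies describe (keeping ICMP flowing through the tunnel from the pfSense side), as an added example that is not code from the thread or from pfSense: a POSIX shell keepalive that probes a host on the far LAN and, after a run of consecutive misses, logs a tunnel-down event once instead of on every miss. The far-side address, interval, failure limit and hook command are placeholders to be set for the real site.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps ICMP flowing through an
# IPsec tunnel and escalates after repeated probe failures. REMOTE_HOST,
# FAIL_LIMIT, INTERVAL and ON_DOWN_HOOK are assumed placeholders.

REMOTE_HOST="${REMOTE_HOST:-192.0.2.10}"    # assumed: a host on the far LAN
FAIL_LIMIT="${FAIL_LIMIT:-3}"               # consecutive misses before "down"
INTERVAL="${INTERVAL:-30}"                  # seconds between probes
ON_DOWN_HOOK="${ON_DOWN_HOOK:-logger -t ipsec-keepalive tunnel down}"

# probe_update FAILS RESULT: fold one probe result (0 = reply, non-zero =
# no reply) into the running failure count. Prints "<new count> <state>"
# where state is up, degraded (below the limit) or down (limit reached).
probe_update() {
    fails="$1"
    if [ "$2" -eq 0 ]; then
        echo "0 up"
        return
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$FAIL_LIMIT" ]; then
        echo "$fails down"
    else
        echo "$fails degraded"
    fi
}

# One ICMP echo to the far side; a reply only arrives if the tunnel is up
# and ICMP is permitted through it (the point the last reply makes).
probe_once() {
    ping -c 1 "$REMOTE_HOST" >/dev/null 2>&1
}

run_loop() {
    fails=0
    prev=up
    while :; do
        if probe_once; then rc=0; else rc=1; fi
        set -- $(probe_update "$fails" "$rc")
        fails="$1"
        state="$2"
        # Fire the hook once on the up->down transition, not on every miss.
        if [ "$state" = down ] && [ "$prev" != down ]; then
            $ON_DOWN_HOOK
        fi
        prev="$state"
        sleep "$INTERVAL"
    done
}

# Start the monitor only when invoked as: sh keepalive.sh run
if [ "${1:-}" = run ]; then
    run_loop
fi
```

The hook is where an administrator would put the site's own alerting or SA clean-up step; the script itself only detects and logs.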

