Ipsec tunnels slow to come up

  • I have 2 sites connected via Ipsec tunnels.

    Phase 1 comes up almost immediately. Then 1/3 of the phase 2 tunnels comes up and the other 2 come up if you leave them for long enough.

    If I look at the logs I see the the Phase 1 negotiated and come up with the relevant and correct SPI's. But nothing in the logs about the other 2 tunnels that take their time to come up.

    All the SPD's are there for all 3 tunnels.

    Why would this be? Is there any way to force it to try bringing those tunnels up quicker?

  • One thing I have noticed is that with the one other tunnel that has a physical interface associated with it, if I go to the diagnostics page and send some pings from that interface, then that tunnel comes up almost immediately after that.

    With that last tunnel, if I send a ping from my main HQ network to that last tunnel IP, then that one comes up too!

    Is it a case of if Pfsense doesn't not detect traffic for that tunnel then it does not try to bring it up?

  • IPsec is dial-on-demand essentially, it won't come up until you send traffic matching a phase 2 to trigger it. That's why the keepalive IP exists in phase 2 entries, where the firewall has a local IP configured on the IPsec connection, it'll use it as the source to ping the remote IP defined in the P2 which will trigger negotiation of the VPN (doesn't matter whether the ping gets replies) to keep it connected all the time.

Log in to reply