Tunnel On/Off
  • Hi,

    I'm using IPSec on two up-to-date pfSense firewalls.

    The first endpoint is static IP, the other is dynamic IP (which works fine through DynamicDNS).

    Unfortunately, the tunnel goes off after a couple of hours. And comes back after a couple of hours. And so on. It is not related to traffic in the tunnels nor to any manual activity. :o I've created a monitoring tool, so you are able to see what I mean:

    Both endpoints have additional IPSec tunnels which are stable. I already removed all entries and recreated the Phase 1 and 2 entries - still the same. When the tunnel is up I have traffic between the two nets.

    I could post the IPSec log, but I'm not sure where to look. I'll post the logfile from the dynamicDNS endpoint from a time when there were issues:
    Anyone having an idea what's going on here?

    Jul 24 06:49:01 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->85.199.122.229[500] spi=92400436(0x581eb34)
    Jul 24 06:49:01 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->85.199.122.229[500] spi=242503995(0xe74513b)
    Jul 24 06:49:01 	racoon: [VPN EVS-NB (Fitflat)]: INFO: respond new phase 2 negotiation: 84.188.21.110[500]<=>85.199.122.229[500]
    Jul 24 06:49:01 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA expired: ESP/Tunnel 85.199.122.229[500]->84.188.21.110[500] spi=121942160(0x744b090)
    Jul 24 06:49:01 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA expired: ESP 84.188.21.110[500]->85.199.122.229[500] spi=213053030(0xcb2ee66)
    Jul 24 06:47:41 	racoon: [VPN Praxis]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->79.194.170.110[500] spi=49780221(0x2f795fd)
    Jul 24 06:47:41 	racoon: [VPN Praxis]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->79.194.170.110[500] spi=207496726(0xc5e2616)
    Jul 24 06:47:41 	racoon: [VPN Praxis]: INFO: IPsec-SA expired: ESP/Tunnel 79.194.170.110[500]->84.188.21.110[500] spi=240903362(0xe5be4c2)
    Jul 24 06:47:41 	racoon: [VPN Praxis]: INFO: initiate new phase 2 negotiation: 84.188.21.110[500]<=>79.194.170.110[500]
    Jul 24 06:47:41 	racoon: [VPN Praxis]: INFO: IPsec-SA expired: ESP 84.188.21.110[500]->79.194.170.110[500] spi=242687960(0xe771fd8)
    Jul 24 06:44:12 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->85.199.122.229[500] spi=129097826(0x7b1e062)
    Jul 24 06:44:12 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->85.199.122.229[500] spi=229955660(0xdb4d84c)
    Jul 24 06:44:11 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA expired: ESP/Tunnel 85.199.122.229[500]->84.188.21.110[500] spi=34710575(0x211a42f)
    Jul 24 06:44:11 	racoon: [VPN EVS-NB (Fitflat)]: INFO: initiate new phase 2 negotiation: 84.188.21.110[500]<=>85.199.122.229[500]
    Jul 24 06:44:11 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA expired: ESP 84.188.21.110[500]->85.199.122.229[500] spi=149388924(0x8e77e7c)
    Jul 24 06:44:11 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->85.199.122.229[500] spi=28837048(0x1b804b8)
    Jul 24 06:44:11 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA established: ESP 84.188.21.110[500]->85.199.122.229[500] spi=175553159(0xa76ba87)
    Jul 24 06:44:11 	racoon: [VPN EVS-NB (Fitflat)]: INFO: respond new phase 2 negotiation: 84.188.21.110[500]<=>85.199.122.229[500]
    Jul 24 06:44:10 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA expired: ESP/Tunnel 85.199.122.229[500]->84.188.21.110[500] spi=96412876(0x5bf24cc)
    Jul 24 06:44:10 	racoon: [VPN EVS-NB (Fitflat)]: INFO: IPsec-SA expired: ESP 84.188.21.110[500]->85.199.122.229[500] spi=203913912(0xc277ab8)
    


  • Sometimes tunnels go down due to inactivity. Did you try the "automatically ping host" option?



  • @georgeman:

    Sometimes tunnels go down due to inactivity. Did you try the "automatically ping host" option?

    Yes, the option is enabled and the destination is pingable.

    The connection goes down even when there is traffic. Happened just a minute ago :-(

    This is stated by the logfile.
    And to be absolutely sure: at this time nothing has changed in the IPSec configuration! I don't even see where it states that the connection went down. :(

    Jul 28 21:45:26 	racoon: ERROR: failed to get sainfo.
    Jul 28 21:45:26 	racoon: ERROR: failed to get sainfo.
    Jul 28 21:45:18 	racoon: [VPN chvoelker]: INFO: IPsec-SA established: ESP 85.19.12.29[500]->84.18.1.10[500] spi=73329625(0x45eebd9)
    Jul 28 21:45:18 	racoon: [VPN chvoelker]: INFO: IPsec-SA established: ESP 85.19.12.29[500]->84.18.1.10[500] spi=51338685(0x30f5dbd)
    Jul 28 21:45:17 	racoon: [VPN chvoelker]: INFO: IPsec-SA established: ESP 85.19.12.29[500]->84.18.1.10[500] spi=77964594(0x4a5a532)
    Jul 28 21:45:17 	racoon: [VPN chvoelker]: INFO: IPsec-SA established: ESP 85.19.12.29[500]->84.18.1.10[500] spi=264225596(0xfbfc33c)
    Jul 28 21:45:17 	racoon: [VPN chvoelker]: INFO: respond new phase 2 negotiation: 85.19.12.29[500]<=>84.18.1.10[500]
    Jul 28 21:45:16 	racoon: [VPN chvoelker]: INFO: respond new phase 2 negotiation: 85.19.12.29[500]<=>84.18.1.10[500]
    Jul 28 21:45:16 	racoon: [VPN chvoelker]: [84.18.1.10] INFO: received INITIAL-CONTACT
    Jul 28 21:45:16 	racoon: [VPN chvoelker]: INFO: ISAKMP-SA established 85.19.12.29[500]-84.18.1.10[500] spi:aec2f6ec7622bc1a:7f6ea7d2b811d5b7
    Jul 28 21:45:15 	racoon: INFO: received Vendor ID: DPD
    Jul 28 21:45:15 	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Jul 28 21:45:15 	racoon: INFO: begin Identity Protection mode.
    Jul 28 21:45:15 	racoon: [VPN chvoelker]: INFO: respond new phase 1 negotiation: 85.19.12.29[500]<=>84.18.1.10[500]
    Jul 28 21:42:12 	racoon: ERROR: failed to get sainfo.
    Jul 28 21:41:46 	racoon: ERROR: failed to get sainfo.
    Jul 28 21:41:21 	racoon: ERROR: failed to get sainfo.
    Jul 28 21:39:08 	racoon: INFO: unsupported PF_KEY message REGISTER
    Jul 28 21:39:08 	racoon: [Self]: INFO: ISAKMP-SA deleted 85.19.12.29[500]-84.18.46.10[500] spi:97aac950fe7e465d:a527c9724d65c1c2
    Jul 28 21:39:08 	racoon: INFO: purged IPsec-SA proto_id=ESP spi=27712531.
    
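Reading the racoon lines in the posts above, the thing to separate is a routine rekey (an "IPsec-SA expired" with a fresh "IPsec-SA established" in the same second, as in the Jul 24 lines) from a real loss of the tunnel (an ISAKMP-SA deleted, then minutes of "failed to get sainfo" errors, until a new phase 1 with INITIAL-CONTACT brings a new IPsec-SA up, as in the Jul 28 lines). The script below is an added example, not code from pfSense, racoon or the poster. It parses the racoon log format shown in the thread over a constructed sample modelled on those lines (placeholder tunnel name "VPN example", RFC 5737 addresses) and reports outage windows together with the ERROR lines logged while the tunnel was down. The 30-second threshold that decides "rekey" versus "outage" is an assumption.

```python
"""Separate routine rekeys from real outages in pfSense/racoon IPsec logs.

Added example for this thread; not code from pfSense, racoon or the poster.
"""
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the lines quoted in the thread, newest first
# as the pfSense GUI shows them. Tunnel name and addresses are placeholders
# (RFC 5737 documentation ranges); the SPI values are likewise made up.
SAMPLE_LOG = """\
Jul 28 21:45:26 \tracoon: ERROR: failed to get sainfo.
Jul 28 21:45:18 \tracoon: [VPN example]: INFO: IPsec-SA established: ESP 192.0.2.10[500]->198.51.100.20[500] spi=73329625(0x45eebd9)
Jul 28 21:45:16 \tracoon: [VPN example]: [198.51.100.20] INFO: received INITIAL-CONTACT
Jul 28 21:45:16 \tracoon: [VPN example]: INFO: ISAKMP-SA established 192.0.2.10[500]-198.51.100.20[500] spi:aec2f6ec7622bc1a:7f6ea7d2b811d5b7
Jul 28 21:42:12 \tracoon: ERROR: failed to get sainfo.
Jul 28 21:41:46 \tracoon: ERROR: failed to get sainfo.
Jul 28 21:41:21 \tracoon: ERROR: failed to get sainfo.
Jul 28 21:39:08 \tracoon: [Self]: INFO: ISAKMP-SA deleted 192.0.2.10[500]-198.51.100.20[500] spi:97aac950fe7e465d:a527c9724d65c1c2
Jul 28 21:39:08 \tracoon: INFO: purged IPsec-SA proto_id=ESP spi=27712531.
Jul 24 06:44:12 \tracoon: [VPN example]: INFO: IPsec-SA established: ESP 192.0.2.10[500]->198.51.100.20[500] spi=129097826(0x7b1e062)
Jul 24 06:44:11 \tracoon: [VPN example]: INFO: IPsec-SA expired: ESP 192.0.2.10[500]->198.51.100.20[500] spi=149388924(0x8e77e7c)
Jul 24 06:44:11 \tracoon: [VPN example]: INFO: IPsec-SA established: ESP 192.0.2.10[500]->198.51.100.20[500] spi=28837048(0x1b804b8)
Jul 24 06:44:10 \tracoon: [VPN example]: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.20[500]->192.0.2.10[500] spi=96412876(0x5bf24cc)
"""

# "<syslog stamp> racoon: [tunnel]: [peer] LEVEL: message" with both bracket
# groups optional, matching the shapes seen in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+racoon:\s+"
    r"(?:\[(?P<tunnel>[^\]]+)\]:\s+)?"   # optional "[VPN name]:" or "[Self]:"
    r"(?:\[(?P<peer>[^\]]+)\]\s+)?"      # optional "[peer-ip]"
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)

KINDS = (
    ("IPsec-SA established", "child_up"),
    ("IPsec-SA expired", "child_expired"),
    ("ISAKMP-SA established", "ike_up"),
    ("ISAKMP-SA deleted", "ike_deleted"),
    ("failed to get sainfo", "sainfo_error"),
    ("received INITIAL-CONTACT", "initial_contact"),
)


def classify(msg):
    """Map a racoon message to an event kind; unknown messages are 'other'."""
    for prefix, kind in KINDS:
        if msg.startswith(prefix):
            return kind
    return "other"


def parse_log(text):
    """Parse racoon lines into event dicts and return them in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line in the shape we understand
        # Syslog stamps carry no year; strptime defaults to 1900, which is
        # good enough for ordering lines from a single year.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "tunnel": m["tunnel"], "peer": m["peer"],
                       "level": m["level"], "kind": classify(m["msg"]),
                       "msg": m["msg"]})
    # The GUI lists newest first; reverse before the (stable) sort so that
    # lines sharing one second keep their real order.
    if len(events) > 1 and events[0]["ts"] > events[-1]["ts"]:
        events.reverse()
    events.sort(key=lambda e: e["ts"])
    return events


def find_outages(events, max_gap=timedelta(seconds=30)):
    """Heuristic: an SA that goes away without a new IPsec-SA within max_gap
    is an outage. An expiry shortly *after* an establishment is the old SA of
    a rekey being retired and is ignored. State is global, not per tunnel,
    because racoon's ERROR lines name no tunnel."""
    outages, down_since, last_up, errors = [], None, None, []
    for ev in events:
        kind = ev["kind"]
        if kind in ("child_expired", "ike_deleted"):
            rekey_leftover = last_up is not None and ev["ts"] - last_up <= max_gap
            if down_since is None and not rekey_leftover:
                down_since, errors = ev, []
        elif ev["level"] == "ERROR" and down_since is not None:
            errors.append(ev)  # errors logged while we believe the tunnel is down
        elif kind == "child_up":
            last_up = ev["ts"]
            if down_since is not None:
                gap = ev["ts"] - down_since["ts"]
                if gap > max_gap:
                    outages.append({"tunnel": ev["tunnel"],
                                    "start": down_since["ts"], "end": ev["ts"],
                                    "duration_s": int(gap.total_seconds()),
                                    "trigger": down_since["msg"],
                                    "errors": [e["msg"] for e in errors]})
                down_since, errors = None, []
    return outages


def count_kinds(events):
    """Count events per kind, e.g. how many 'failed to get sainfo' lines."""
    counts = {}
    for ev in events:
        counts[ev["kind"]] = counts.get(ev["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("event counts:", count_kinds(evs))
    for o in find_outages(evs):
        print(f"{o['tunnel']}: down {o['duration_s']}s from "
              f"{o['start']:%b %d %H:%M:%S}, after '{o['trigger']}', "
              f"{len(o['errors'])} ERROR line(s) while down")
```

On the sample this reports one outage of 370 seconds for "VPN example", triggered by the ISAKMP-SA deletion and with three "failed to get sainfo" errors inside the window, while the Jul 24 expire/establish pair is classified as a rekey. In racoon, "failed to get sainfo" is logged when the responder cannot match the identities the peer proposes in phase 2 against any configured phase 2 (sainfo) entry, so the lines in that window are the peer's phase 2 attempts being refused until the new phase 1 with INITIAL-CONTACT comes up. On a box with several tunnels, filter the export by tunnel name before running this, since the error lines themselves carry no tunnel name.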


  • I still have this issue. IPSec tunnel is totally unreliable  :o :-[ :-
    Image: http://www.knebb.de/files/pdcdisk.png

    Still no one a clue why this happens?

    I can post loads of logfiles - but what do I have to look for?

    Thanks

    Christian