Netgate Discussion Forum

    IPSEC tunnel drops down 2.2-RC (i386) built on Mon Jan 05 16:32:22 CST 2015

    2.2 Snapshot Feedback and Problems - RETIRED

    Clouseau

      After upgrading from 2.1.5 to 2.2-RC (i386) built on Mon Jan 05 16:32:22 CST 2015,
      the IPsec VPN does not stay up.

      On 2.1.5 IPsec just worked, but now it drops all the time. It may stay up a full hour, but usually it drops dead before that and does not reconnect. The logs do not give me a good hint, or I have missed the log entry when the connection fails/drops. I'll try to catch that moment from the logs.

      I have regenerated and saved all the Phase 1 and Phase 2 settings for the connection (both ends: site A and B).

      Just can't find anything wrong - are there bigger problems in IPsec in the RC version still?

      Below my site-to-site VPN tunnel configuration:

      ---------------------- SITE A PHASE 1 --------------------------
      General information

      Key Exchange version V1

      Internet Protocol IPv4

      Interface WAN

      Remote gateway 222.222.222.222
      Description SITE B

      Phase 1 proposal (Authentication)
      Authentication method Mutual PSK

      Negotiation mode Main

      My identifier My IP Address
      Peer identifier Peer IP Address
      Pre-Shared Key **********************

      Phase 1 proposal (Algorithms)
      Encryption algorithm AES 256bit
      Hash algorithm SHA1

      DH key group 2(1024bit)

      Lifetime 28800 seconds

      Advanced Options

      NAT Traversal Auto

      Dead Peer Detection Enabled DPD

      seconds 10
      Delay between requesting peer acknowledgement.

      retries 10
      Number of consecutive failures allowed before disconnect.

      ----------------  SITE A PHASE 2 --------------------------
      Phase2 entry

      Mode Tunnel IPv4
      Local Network Lan Subnet

      Remote Network
      Type: Network
      Address: 192.168.1.0/24
      Description Site B

      Phase 2 proposal (SA/Key Exchange)
      Protocol ESP

      Encryption algorithms
      AES  256bit

      Hash algorithms
      SHA1

      PFS key group 2 (1025bit)
      Lifetime 3600 seconds

      Advanced Options
      Automatically ping host 192.168.1.1 IP address
      ---------------------------------------------------------

      ----------------------- SITE B PHASE 1 --------------------------
      General information

      Key Exchange version V1

      Internet Protocol IPv4

      Interface WAN

      Remote gateway 111.111.111.111
      Description SITE A

      Phase 1 proposal (Authentication)
      Authentication method Mutual PSK

      Negotiation mode Main

      My identifier My IP Address
      Peer identifier Peer IP Address
      Pre-Shared Key **********************

      Phase 1 proposal (Algorithms)
      Encryption algorithm AES 256bit
      Hash algorithm SHA1

      DH key group 2(1024bit)
      Lifetime 28800 seconds

      Advanced Options

      NAT Traversal Auto

      Dead Peer Detection Enabled DPD

      seconds 10
      Delay between requesting peer acknowledgement.

      retries 10
      Number of consecutive failures allowed before disconnect.

      ----------------  SITE B PHASE 2 --------------------------
      Phase2 entry

      Mode Tunnel IPv4
      Local Network Lan Subnet

      Remote Network
      Type: Network
      Address: 192.168.0.0/24
      Description Site A

      Phase 2 proposal (SA/Key Exchange)
      Protocol ESP

      Encryption algorithms
      AES  256bit

      Hash algorithms
      SHA1
      PFS key group 2 (1025bit)
      Lifetime 3600 seconds

      Advanced Options
      Automatically ping host 192.168.0.1 IP address
      ---------------------------------------------------------

      ---------------------------------------------------------------
      Multiple Alix 2D13, APU1, APU2, APU3 - pfSense 2.4.x 64bit
      Multiple VMware vSphere - pfSense 2.4.x 64bit

      pfSense - FreeNAS - OwnCloud
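The poster says the logs give no hint when the tunnel drops. One way to catch that moment is to build a timeline from the charon log: how long each IKE_SA stayed up and how many DPD requests went unanswered before it was deleted. This is an added example, not code from the thread or from pfSense; the sample lines are constructed and only approximate strongSwan's syslog format, using the thread's placeholder peer addresses.

```python
import re
from datetime import datetime

# Constructed sample lines approximating strongSwan charon syslog output
# (not taken from the thread); peers are the thread's placeholder addresses.
SAMPLE_LOG = """\
Jan  7 18:30:01 pfsense charon: 09[IKE] IKE_SA con1000[1] established between 111.111.111.111[111.111.111.111]...222.222.222.222[222.222.222.222]
Jan  7 18:30:01 pfsense charon: 09[IKE] CHILD_SA con1000{1} established with SPIs c1a2b3c4_i d4e5f6a7_o
Jan  7 19:12:10 pfsense charon: 11[IKE] sending DPD request
Jan  7 19:12:20 pfsense charon: 11[IKE] sending DPD request
Jan  7 19:12:30 pfsense charon: 11[IKE] sending DPD request
Jan  7 19:12:40 pfsense charon: 11[IKE] giving up after 3 retransmits
Jan  7 19:12:40 pfsense charon: 11[IKE] deleting IKE_SA con1000[1] between 111.111.111.111[111.111.111.111]...222.222.222.222[222.222.222.222]
"""

# Message patterns worth timelining; first match wins, so order matters.
EVENTS = {
    "IKE_SA .* established": "ike_up",
    "CHILD_SA .* established": "child_up",
    "sending DPD request": "dpd_request",
    "giving up after": "dpd_giveup",
    "deleting IKE_SA": "ike_down",
}
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (.*)$")

def parse_events(log_text, year=2015):
    """Return (timestamp, event_name, message) for every line matching EVENTS."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # syslog has no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for pattern, name in EVENTS.items():
            if re.search(pattern, m.group(2)):
                out.append((ts, name, m.group(2)))
                break
    return out

def summarize_drops(events):
    """For each IKE_SA teardown, report seconds since it came up and DPD requests sent in between."""
    drops, last_up, dpd_count = [], None, 0
    for ts, name, _ in events:
        if name == "ike_up":
            last_up, dpd_count = ts, 0
        elif name == "dpd_request":
            dpd_count += 1
        elif name == "ike_down" and last_up is not None:
            drops.append({"up_for_s": int((ts - last_up).total_seconds()), "dpd_requests": dpd_count})
            last_up = None
    return drops
```

Run it against `clog /var/log/ipsec.log` output (or the dashboard's IPsec log) to see whether drops line up with DPD give-ups, which points at the peer not answering, or happen without any DPD activity at all.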
        eri--

        Can you please upgrade to the latest snapshot of today and see if it is fixed?

          Clouseau

          Did not help - but I changed IKEv1 to IKEv2 and now it has been stable and up for whole day.

            eri--

            I just noticed that you have the i386 snapshot.
            It is just building that with the new version of strongswan.

            So if you have the possibility of trying that with the new snapshot that will come out, and IKEv1, it would be good to know.

              Clouseau

              I will do that test for you!

                Clouseau

                Testing:
                2.2-RC (i386)
                built on Wed Jan 07 18:25:08 CST 2015

                IKEv1: the tunnel still drops and there are no active tunnels shown in the widget. Even though it shows no active tunnels, the tunnel works. The gateway widget shows huge latency for the other end of the tunnel and the value does not change at all.

                Moving back to IKEv2.

                ![Site A.jpg](/public/imported_attachments/1/Site A.jpg)
                ![Site B.jpg](/public/imported_attachments/1/Site B.jpg)

                  eri--

                  Yeah, the important thing is that the tunnel works.
                  Yesterday there were some fixes done for functionality.

                  Hopefully today everything related to the dashboard etc. will be fixed as well.
