IPSEC tunnel drops down 2.2-RC (i386) built on Mon Jan 05 16:32:22 CST 2015



  • After upgrade from 2.1.5 to 2.2-RC (i386) built on Mon Jan 05 16:32:22 CST 2015
    The ipsec VPN does not stay up.

    On 2.1.5 ipsec just worked, but now it drops down all the time. It may stay up a full hour, but usually it drops dead before that and does not reconnect. The logs do not give me a good hint, or I have missed the log entry when the connection fails/drops. I'll try to catch that moment from the logs.

    I have regenerated and saved all the Phase 1 and Phase 2 settings for the connection (both ends: site A and B)

    Just can't find anything wrong - are there still bigger problems in ipsec in the RC version?

    Below my site-to-site VPN tunnel configuration:

    ----------------------- SITE A PHASE 1 -----------------------
    General information

    Key Exchange version V1

    Internet Protocol IPv4

    Interface WAN

    Remote gateway 222.222.222.222
    Description SITE B

    Phase 1 proposal (Authentication)
    Authentication method Mutual PSK

    Negotiation mode Main

    My identifier My IP Address
    Peer identifier Peer IP Address
    Pre-Shared Key **********************

    Phase 1 proposal (Algorithms)
    Encryption algorithm AES 256bit
    Hash algorithm SHA1

    DH key group 2(1024bit)

    Lifetime 28800 seconds

    Advanced Options

    NAT Traversal Auto

    Dead Peer Detection Enabled DPD

    seconds 10
    Delay between requesting peer acknowledgement.

    retries 10
    Number of consecutive failures allowed before disconnect.

    ----------------------- SITE A PHASE 2 -----------------------
    Phase2 entry

    Mode Tunnel IPv4
    Local Network Lan Subnet

    Remote Network
    Type: Network
    Address: 192.168.1.0/24
    Description Site B

    Phase 2 proposal (SA/Key Exchange)
    Protocol ESP

    Encryption algorithms
    AES  256bit

    Hash algorithms
    SHA1

    PFS key group 2 (1025bit)
    Lifetime 3600 seconds

    Advanced Options
    Automatically ping host 192.168.1.1 IP address
    --------------------------------------------------------------

    ----------------------- SITE B PHASE 1 -----------------------
    General information

    Key Exchange version V1

    Internet Protocol IPv4

    Interface WAN

    Remote gateway 111.111.111.111
    Description SITE A

    Phase 1 proposal (Authentication)
    Authentication method Mutual PSK

    Negotiation mode Main

    My identifier My IP Address
    Peer identifier Peer IP Address
    Pre-Shared Key **********************

    Phase 1 proposal (Algorithms)
    Encryption algorithm AES 256bit
    Hash algorithm SHA1

    DH key group 2(1024bit)
    Lifetime 28800 seconds

    Advanced Options

    NAT Traversal Auto

    Dead Peer Detection Enabled DPD

    seconds 10
    Delay between requesting peer acknowledgement.

    retries 10
    Number of consecutive failures allowed before disconnect.

    ----------------------- SITE B PHASE 2 -----------------------
    Phase2 entry

    Mode Tunnel IPv4
    Local Network Lan Subnet

    Remote Network
    Type: Network
    Address: 192.168.0.0/24
    Description Site A

    Phase 2 proposal (SA/Key Exchange)
    Protocol ESP

    Encryption algorithms
    AES  256bit

    Hash algorithms
    SHA1
    PFS key group 2 (1025bit)
    Lifetime 3600 seconds

    Advanced Options
    Automatically ping host 192.168.0.1 IP address
    --------------------------------------------------------------



  • Can you please upgrade to the latest snapshot of today and see if it is fixed?



  • Did not help - but I changed IKEv1 to IKEv2 and now it has been stable and up for a whole day.



  • I just noticed that you have the i386 snapshot.
    It is just building that with the new version of strongswan.

    So if you have the possibility of trying that with a new snapshot that will come out and IKEv1, it would be good to know.



  • I will do that test for you!



  • Testing:
    2.2-RC (i386)
    built on Wed Jan 07 18:25:08 CST 2015

    IKEv1: the tunnel still drops down and there are no active tunnels shown in the widget. Even though it shows no active tunnels, the tunnel works. The Gateway widget shows huge latency for the other end of the tunnel and the value does not change at all.

    Moving back to IKEv2

    ![Site A.jpg](/public/imported_attachments/1/Site A.jpg)
    ![Site B.jpg](/public/imported_attachments/1/Site B.jpg)



  • Yeah, the important thing is that the tunnels work.
    Yesterday there were some fixes done for functionality.

    Hopefully today everything related to the dashboard etc. will be fixed as well.

