IPsec tunnel uptime

Hi!

    I am about to switch from an all ASA solution between 3 sites to a pfSense solution.

    Since my home router is a pfSense box (2.1.5) and the OOB network in our datacenter is protected by a pfSense box (2.1.5) also, I established an IPsec site to site tunnel between these 2 networks for test purposes.

    I have 2 quick questions:

    • My home router has a dynamic IP address, so I am using a paid DynDNS account to have a low-TTL FQDN to use for the tunnel. The problem is this: if I have the IP address and force the router to get a new IP address by DHCP (by changing the MAC address of the WAN interface), the tunnel re-establishes quickly. However, if I return to the tunnel takes a bit more to establish. Are there any timeouts I could change in the remote pfSense box that might speed this up?

    • On the ASA I can get tunnel uptime like this:

    gonafe-fw# show vpn-sessiondb l2l
    Session Type: LAN-to-LAN
    Connection   : 195.x.y.z
    Index        : 287                    IP Addr      : 195.x.y.z
    Protocol     : IKEv2 IPsec
    Encryption   : AES256 AES256 AES256   Hashing      : SHA512 SHA1 SHA1
    Bytes Tx     : 4012745245             Bytes Rx     : 2569137926
    Login Time   : 14:28:19 WET Fri Dec 19 2014
    Duration     : 31d 1h:18m:49s
    Connection   : FOO
    Index        : 424                    IP Addr      : 188.a.b.c
    Protocol     : IKEv2 IPsecOverNatT
    Encryption   : AES256 AES256          Hashing      : SHA512 SHA1
    Bytes Tx     : 1484698                Bytes Rx     : 1420199
    Login Time   : 13:07:28 WET Mon Jan 19 2015
    Duration     : 2h:39m:40s

    In pfSense as soon as phase 1 is renegotiated the uptime rolls over. Is there any way to get the tunnel uptime?
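The distinction the question is really after is between the lifetime of the current IKE (phase 1) SA, which resets on every rekey, and how long the tunnel has been continuously usable. One way to recover the latter from the firewall's IPsec log is to treat a rekey as continuity-preserving (a new SA is established while the old one is still live) and only reset the uptime when no SA is live at all. The script below is an added example written for this thread, not pfSense code or anything from the original post. It assumes racoon-style "ISAKMP-SA established/deleted/expired" syslog lines; the sample lines, peer addresses and SPIs are constructed, and the exact message format on a given pfSense build is an assumption you would check against your own log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled loosely on racoon's ISAKMP-SA messages.
# Timeline: SA aaaa comes up, is rekeyed to bbbb (overlap, so continuity is
# kept), bbbb later expires with no replacement (a real gap), then cccc comes up.
SAMPLE_LOG = """\
Jan 19 13:07:28 racoon: INFO: ISAKMP-SA established 192.0.2.10[4500]-198.51.100.7[4500] spi:aaaa
Jan 19 14:05:10 racoon: INFO: ISAKMP-SA established 192.0.2.10[4500]-198.51.100.7[4500] spi:bbbb
Jan 19 14:05:12 racoon: INFO: ISAKMP-SA deleted 192.0.2.10[4500]-198.51.100.7[4500] spi:aaaa
Jan 19 15:02:40 racoon: INFO: ISAKMP-SA expired 192.0.2.10[4500]-198.51.100.7[4500] spi:bbbb
Jan 19 15:03:30 racoon: INFO: ISAKMP-SA established 192.0.2.10[4500]-198.51.100.7[4500] spi:cccc
"""

# Assumed line shape: "<Mon DD HH:MM:SS> ... ISAKMP-SA <event> <local>[port]-<remote>[port] spi:<id>"
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?ISAKMP-SA (established|deleted|expired) "
    r"(\S+?)\[\d+\]-(\S+?)\[\d+\] spi:(\S+)"
)


def parse_log(text, year):
    """Return a list of (timestamp, event, local, remote, spi) tuples.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def tunnel_uptime_start(events, peer):
    """Start of the current unbroken period of having at least one live IKE SA
    with `peer`, or None if no SA is live.

    A rekey establishes the new SA before the old one is deleted, so the set of
    live SPIs never empties and the start time survives it. Only when the last
    live SA goes away without a replacement does the period end.
    """
    live = set()
    start = None
    for ts, event, _local, remote, spi in sorted(events):
        if remote != peer:
            continue
        if event == "established":
            if not live:
                start = ts  # first SA after an outage (or ever): new period
            live.add(spi)
        else:  # deleted / expired
            live.discard(spi)
            if not live:
                start = None  # nothing live: the tunnel is down
    return start


def uptime(events, peer, now):
    """Continuous tunnel uptime for `peer` as of `now`, or None if down."""
    start = tunnel_uptime_start(events, peer)
    return None if start is None else now - start


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG, 2015)
    print(uptime(evs, "198.51.100.7", datetime(2015, 1, 19, 15, 10, 0)))
```

In practice you would feed this the IPsec log from the firewall rather than the embedded sample, and pass the remote peer address exactly as it appears in the log (the bracketed port is stripped during parsing). If the peer's address changes, as it does with a dynamic WAN, key by the tunnel's DNS name or track both addresses, since a new address will otherwise look like a different tunnel.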
