Netgate Discussion Forum

    Site-to-site IPsec loses connection

    Deutsch
    5 Posts 2 Posters 997 Views
    • itm_2015

      Hello everyone,

      I have a strange problem here.

      We run a site-to-site IPsec tunnel between two pfSense systems (2.2). The connection is established successfully and stays up for about a day. At some point the tunnel collapses and does not reconnect.

      The devices are connected directly with fixed IPs (no cascade).

      We use IKEv2, because with IKEv1 we got no traffic at all through the tunnel.

      We have two P2 entries under the P1!

      The setup is of course exactly identical at both sites. We disabled DPD as a test. Unfortunately without success...

      Unfortunately I have no logs at the moment. Next time I will save them. Are the default logs sufficient, or should I set a specific debug level in the IPsec options?

      Does anyone have an idea what could be causing this?

      Thanks!

      Attachments: IPSEC.png, P1.png, P2.png

      • 2chemlud (Banned)

        In the P2, under "Automatically ping host" (at the very bottom), enter an address on the other side of the tunnel. For me it got better after that, but it never stopped completely. With OpenVPN it got better; at least there the reconnect works 99.99% of the time...

        The NSA probably doesn't like IPsec...

        PS: leave DPD off.

        • itm_2015

          Thanks for the tips.

          I have made the settings accordingly. We'll see...

          But surely it can't be intended that IPsec is unusable in this form?!

          • itm_2015

            I just noticed that I have two P2 entries. Is that normal?

            Attachment: STATUS.png

            • itm_2015

              Good morning,

              unfortunately the tips did not solve the problem...

              Attached is the log from Site B:

              Mar 7 07:53:08 	charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:08 	charon: 06[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:53:13 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:13 	charon: 07[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:53:15 	charon: 07[IKE] <con1|99> giving up after 5 retransmits
              Mar 7 07:53:15 	charon: 07[IKE] giving up after 5 retransmits
              Mar 7 07:53:15 	charon: 07[IKE] <con1|99> peer not responding, trying again (2/3)
              Mar 7 07:53:15 	charon: 07[IKE] peer not responding, trying again (2/3)
              Mar 7 07:53:15 	charon: 07[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
              Mar 7 07:53:15 	charon: 07[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
              Mar 7 07:53:15 	charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
              Mar 7 07:53:15 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:53:19 	charon: 07[IKE] <con1|99> retransmit 1 of request with message ID 0
              Mar 7 07:53:19 	charon: 07[IKE] retransmit 1 of request with message ID 0
              Mar 7 07:53:19 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:53:26 	charon: 07[IKE] <con1|99> retransmit 2 of request with message ID 0
              Mar 7 07:53:26 	charon: 07[IKE] retransmit 2 of request with message ID 0
              Mar 7 07:53:26 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:53:27 	charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:27 	charon: 06[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:53:37 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:37 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:53:40 	charon: 15[IKE] <con1|99> retransmit 3 of request with message ID 0
              Mar 7 07:53:40 	charon: 15[IKE] retransmit 3 of request with message ID 0
              Mar 7 07:53:40 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:53:43 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:43 	charon: 06[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:53:50 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:50 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:53:57 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:57 	charon: 06[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:53:59 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:53:59 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:54:03 	charon: 15[IKE] <con1|99> retransmit 4 of request with message ID 0
              Mar 7 07:54:03 	charon: 15[IKE] retransmit 4 of request with message ID 0
              Mar 7 07:54:03 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:54:16 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:54:16 	charon: 06[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:54:21 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:54:21 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:54:27 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:54:27 	charon: 13[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:54:37 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:54:37 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:54:45 	charon: 15[IKE] <con1|99> retransmit 5 of request with message ID 0
              Mar 7 07:54:45 	charon: 15[IKE] retransmit 5 of request with message ID 0
              Mar 7 07:54:45 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:54:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:54:49 	charon: 13[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:55:11 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:55:11 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:55:26 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:55:26 	charon: 13[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:55:33 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:55:33 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:55:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:55:49 	charon: 13[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:55:56 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:55:56 	charon: 01[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:56:01 	charon: 01[IKE] <con1|99> giving up after 5 retransmits
              Mar 7 07:56:01 	charon: 01[IKE] giving up after 5 retransmits
              Mar 7 07:56:01 	charon: 01[IKE] <con1|99> peer not responding, trying again (3/3)
              Mar 7 07:56:01 	charon: 01[IKE] peer not responding, trying again (3/3)
              Mar 7 07:56:01 	charon: 01[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
              Mar 7 07:56:01 	charon: 01[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
              Mar 7 07:56:01 	charon: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
              Mar 7 07:56:01 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:56:05 	charon: 01[IKE] <con1|99> retransmit 1 of request with message ID 0
              Mar 7 07:56:05 	charon: 01[IKE] retransmit 1 of request with message ID 0
              Mar 7 07:56:05 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:56:07 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:56:07 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:56:12 	charon: 15[IKE] <con1|99> retransmit 2 of request with message ID 0
              Mar 7 07:56:12 	charon: 15[IKE] retransmit 2 of request with message ID 0
              Mar 7 07:56:12 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:56:21 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:56:21 	charon: 01[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:56:26 	charon: 01[IKE] <con1|99> retransmit 3 of request with message ID 0
              Mar 7 07:56:26 	charon: 01[IKE] retransmit 3 of request with message ID 0
              Mar 7 07:56:26 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:56:29 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:56:29 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:56:43 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:56:43 	charon: 01[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:56:49 	charon: 01[IKE] <con1|99> retransmit 4 of request with message ID 0
              Mar 7 07:56:49 	charon: 01[IKE] retransmit 4 of request with message ID 0
              Mar 7 07:56:49 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:57:05 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:57:05 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:57:27 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:57:27 	charon: 10[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:57:31 	charon: 10[IKE] <con1|99> retransmit 5 of request with message ID 0
              Mar 7 07:57:31 	charon: 10[IKE] retransmit 5 of request with message ID 0
              Mar 7 07:57:31 	charon: 10[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
              Mar 7 07:57:41 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:57:41 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:57:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:57:49 	charon: 10[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:58:07 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:58:07 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:58:13 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:58:13 	charon: 10[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:58:22 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:58:22 	charon: 15[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:58:30 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:58:30 	charon: 10[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:58:37 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
              Mar 7 07:58:37 	charon: 11[CFG] ignoring acquire, connection attempt pending
              Mar 7 07:58:47 	charon: 11[IKE] <con1|99> giving up after 5 retransmits
              Mar 7 07:58:47 	charon: 11[IKE] giving up after 5 retransmits
              Mar 7 07:58:47 	charon: 11[IKE] <con1|99> establishing IKE_SA failed, peer not responding

              After I restarted the IPsec service on Site B, the tunnel was immediately active again!

              Can anyone help?

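As an added example (not code from this thread, and not part of pfSense or strongSwan), here is a small Python parser for the charon log format posted above. It reads the lines, counts only the `<con1|99>`-tagged copy of each IKE event (charon writes every IKE message twice, once with the SA tag and once without, as the log shows), tracks the retransmit and "trying again (n/3)" progression, counts the kernel acquires that charon drops with "ignoring acquire, connection attempt pending", and flags the state the poster ended up in: the initiator has given up for good while the kernel keeps asking for the policy, so nothing will renegotiate until the service is restarted. The sample log is constructed from the pattern in the thread, the peer names are the thread's own placeholders, and the year 2015 is assumed because the log carries no year.

```python
"""Summarise a strongSwan charon IKE_SA re-establishment failure from pfSense
IPsec log lines. Added example; SAMPLE_LOG is constructed from the thread's
log pattern, the year is assumed, and WAN-IP-SITE-A/B are placeholders."""
import re
from datetime import datetime

# "Mar 7 07:53:08 charon: 07[IKE] <con1|99> message" (tab or spaces after time)
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)\s+charon: '
    r'\d+\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$'
)
SA_TAG_RE = re.compile(r'^<(?P<sa>[^>]+)> (?P<msg>.*)$')
RETRANSMIT_RE = re.compile(r'^retransmit (\d+) of request with message ID (\d+)$')
TRY_AGAIN_RE = re.compile(r'^peer not responding, trying again \((\d+)/(\d+)\)$')
INITIATING_RE = re.compile(r'^initiating IKE_SA \S+ to (\S+)$')

# Constructed, condensed sample following the thread's Site-B log.
SAMPLE_LOG = """\
Mar 7 07:53:08 charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
Mar 7 07:53:08 charon: 06[CFG] ignoring acquire, connection attempt pending
Mar 7 07:53:15 charon: 07[IKE] <con1|99> giving up after 5 retransmits
Mar 7 07:53:15 charon: 07[IKE] giving up after 5 retransmits
Mar 7 07:53:15 charon: 07[IKE] <con1|99> peer not responding, trying again (2/3)
Mar 7 07:53:15 charon: 07[IKE] peer not responding, trying again (2/3)
Mar 7 07:53:15 charon: 07[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
Mar 7 07:53:15 charon: 07[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
Mar 7 07:53:15 charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
Mar 7 07:53:19 charon: 07[IKE] <con1|99> retransmit 1 of request with message ID 0
Mar 7 07:53:19 charon: 07[IKE] retransmit 1 of request with message ID 0
Mar 7 07:53:27 charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
Mar 7 07:53:27 charon: 06[CFG] ignoring acquire, connection attempt pending
Mar 7 07:54:45 charon: 15[IKE] <con1|99> retransmit 5 of request with message ID 0
Mar 7 07:54:45 charon: 15[IKE] retransmit 5 of request with message ID 0
Mar 7 07:56:01 charon: 01[IKE] <con1|99> giving up after 5 retransmits
Mar 7 07:56:01 charon: 01[IKE] <con1|99> peer not responding, trying again (3/3)
Mar 7 07:56:01 charon: 01[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
Mar 7 07:58:47 charon: 11[IKE] <con1|99> giving up after 5 retransmits
Mar 7 07:58:47 charon: 11[IKE] <con1|99> establishing IKE_SA failed, peer not responding
"""


def parse_line(line, year=2015):
    """Split one charon line into ts/subsystem/SA tag/message, or None.
    The log has no year, so `year` is an assumed value."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    msg, sa = m['msg'], None
    tagged = SA_TAG_RE.match(msg)
    if tagged:
        sa, msg = tagged['sa'], tagged['msg']
    return {'ts': ts, 'sub': m['sub'], 'sa': sa, 'msg': msg}


def analyse(lines):
    """Walk the lines and collect the IKE retry state and dropped acquires."""
    s = {'peer': None, 'attempts': 0, 'give_ups': 0, 'max_retransmit': 0,
         'retries': (0, 0), 'ignored_acquires': 0, 'final_failure': False,
         'first_ts': None, 'last_ts': None}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        s['first_ts'] = s['first_ts'] or ev['ts']
        s['last_ts'] = ev['ts']
        msg = ev['msg']
        if ev['sub'] == 'CFG' and msg.startswith('ignoring acquire'):
            s['ignored_acquires'] += 1      # kernel wanted the SA, charon refused
            continue
        # Every IKE event is logged twice (with and without the <name|id> tag);
        # only the tagged copy is counted so nothing is counted twice.
        if ev['sub'] != 'IKE' or ev['sa'] is None:
            continue
        if m := INITIATING_RE.match(msg):
            s['attempts'] += 1
            s['peer'] = m.group(1)
        elif m := RETRANSMIT_RE.match(msg):
            s['max_retransmit'] = max(s['max_retransmit'], int(m.group(1)))
        elif msg.startswith('giving up after'):
            s['give_ups'] += 1
        elif m := TRY_AGAIN_RE.match(msg):
            s['retries'] = (int(m.group(1)), int(m.group(2)))
        elif msg.startswith('establishing IKE_SA failed'):
            s['final_failure'] = True
    return s


def stuck_initiator(summary):
    """True when charon gave up for good while the kernel kept raising
    acquires for the policy: traffic wants the tunnel, but no negotiation
    starts. In the thread this state persisted until the service restart."""
    return summary['final_failure'] and summary['ignored_acquires'] > 0


def verdict(summary):
    """One-line summary suitable for an alert or a monitoring check."""
    if not summary['final_failure']:
        return 'no final IKE_SA failure in this window'
    span = int((summary['last_ts'] - summary['first_ts']).total_seconds())
    cur, mx = summary['retries']
    return (f"IKE_SA to {summary['peer']} could not be re-established: "
            f"{summary['give_ups']} give-ups at {summary['max_retransmit']} "
            f"retransmits, last attempt {cur}/{mx}, "
            f"{summary['ignored_acquires']} kernel acquires dropped over {span}s")


if __name__ == '__main__':
    result = analyse(SAMPLE_LOG.splitlines())
    print(verdict(result))
    print('stuck initiator (restart needed):', stuck_initiator(result))
```

Run against a real `/var/log/ipsec.log` (or the IPsec log view exported from the GUI) by feeding the file's lines to `analyse()`; `stuck_initiator()` going true is the condition worth alerting on, because no IKE_SA_INIT response ever arrived from the peer on UDP/500 and charon will not retry on its own once it reports "establishing IKE_SA failed".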
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.