Site-To-Site between two pfSense losing connectivity



  • Hi all,

I have two pfSense (2.2) in a site-to-site scenario. Both sides have static WAN IPs and are directly connected to the internet (PPPoE). I'm using IKEv2 (see config).

There are two subnets on every side, so I'm using two P2 entries on one P1 entry.

The tunnel is established for more than one day. But then it loses connectivity and doesn't reconnect. When I restart the IPsec service on Side B, it gets online again.

    Here is the latest log:

    Mar 7 07:53:08 	charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:08 	charon: 06[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:53:13 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:13 	charon: 07[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:53:15 	charon: 07[IKE] <con1|99> giving up after 5 retransmits
    Mar 7 07:53:15 	charon: 07[IKE] giving up after 5 retransmits
    Mar 7 07:53:15 	charon: 07[IKE] <con1|99> peer not responding, trying again (2/3)
    Mar 7 07:53:15 	charon: 07[IKE] peer not responding, trying again (2/3)
    Mar 7 07:53:15 	charon: 07[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
    Mar 7 07:53:15 	charon: 07[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
    Mar 7 07:53:15 	charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Mar 7 07:53:15 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:53:19 	charon: 07[IKE] <con1|99> retransmit 1 of request with message ID 0
    Mar 7 07:53:19 	charon: 07[IKE] retransmit 1 of request with message ID 0
    Mar 7 07:53:19 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:53:26 	charon: 07[IKE] <con1|99> retransmit 2 of request with message ID 0
    Mar 7 07:53:26 	charon: 07[IKE] retransmit 2 of request with message ID 0
    Mar 7 07:53:26 	charon: 07[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:53:27 	charon: 07[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:27 	charon: 06[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:53:37 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:37 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:53:40 	charon: 15[IKE] <con1|99> retransmit 3 of request with message ID 0
    Mar 7 07:53:40 	charon: 15[IKE] retransmit 3 of request with message ID 0
    Mar 7 07:53:40 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:53:43 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:43 	charon: 06[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:53:50 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:50 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:53:57 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:57 	charon: 06[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:53:59 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:53:59 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:54:03 	charon: 15[IKE] <con1|99> retransmit 4 of request with message ID 0
    Mar 7 07:54:03 	charon: 15[IKE] retransmit 4 of request with message ID 0
    Mar 7 07:54:03 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:54:16 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:54:16 	charon: 06[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:54:21 	charon: 06[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:54:21 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:54:27 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:54:27 	charon: 13[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:54:37 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:54:37 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:54:45 	charon: 15[IKE] <con1|99> retransmit 5 of request with message ID 0
    Mar 7 07:54:45 	charon: 15[IKE] retransmit 5 of request with message ID 0
    Mar 7 07:54:45 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:54:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:54:49 	charon: 13[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:55:11 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:55:11 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:55:26 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:55:26 	charon: 13[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:55:33 	charon: 13[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:55:33 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:55:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:55:49 	charon: 13[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:55:56 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:55:56 	charon: 01[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:56:01 	charon: 01[IKE] <con1|99> giving up after 5 retransmits
    Mar 7 07:56:01 	charon: 01[IKE] giving up after 5 retransmits
    Mar 7 07:56:01 	charon: 01[IKE] <con1|99> peer not responding, trying again (3/3)
    Mar 7 07:56:01 	charon: 01[IKE] peer not responding, trying again (3/3)
    Mar 7 07:56:01 	charon: 01[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
    Mar 7 07:56:01 	charon: 01[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
    Mar 7 07:56:01 	charon: 01[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    Mar 7 07:56:01 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:56:05 	charon: 01[IKE] <con1|99> retransmit 1 of request with message ID 0
    Mar 7 07:56:05 	charon: 01[IKE] retransmit 1 of request with message ID 0
    Mar 7 07:56:05 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:56:07 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:56:07 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:56:12 	charon: 15[IKE] <con1|99> retransmit 2 of request with message ID 0
    Mar 7 07:56:12 	charon: 15[IKE] retransmit 2 of request with message ID 0
    Mar 7 07:56:12 	charon: 15[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:56:21 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:56:21 	charon: 01[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:56:26 	charon: 01[IKE] <con1|99> retransmit 3 of request with message ID 0
    Mar 7 07:56:26 	charon: 01[IKE] retransmit 3 of request with message ID 0
    Mar 7 07:56:26 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:56:29 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:56:29 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:56:43 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:56:43 	charon: 01[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:56:49 	charon: 01[IKE] <con1|99> retransmit 4 of request with message ID 0
    Mar 7 07:56:49 	charon: 01[IKE] retransmit 4 of request with message ID 0
    Mar 7 07:56:49 	charon: 01[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:57:05 	charon: 01[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:57:05 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:57:27 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:57:27 	charon: 10[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:57:31 	charon: 10[IKE] <con1|99> retransmit 5 of request with message ID 0
    Mar 7 07:57:31 	charon: 10[IKE] retransmit 5 of request with message ID 0
    Mar 7 07:57:31 	charon: 10[NET] sending packet: from WAN-IP-SITE-B[500] to WAN-IP-SITE-A[500] (312 bytes)
    Mar 7 07:57:41 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:57:41 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:57:49 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:57:49 	charon: 10[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:58:07 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:58:07 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:58:13 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:58:13 	charon: 10[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:58:22 	charon: 10[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:58:22 	charon: 15[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:58:30 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:58:30 	charon: 10[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:58:37 	charon: 15[KNL] creating acquire job for policy WAN-IP-SITE-B/32|/0 === WAN-IP-SITE-A/32|/0 with reqid {1}
    Mar 7 07:58:37 	charon: 11[CFG] ignoring acquire, connection attempt pending
    Mar 7 07:58:47 	charon: 11[IKE] <con1|99> giving up after 5 retransmits
    Mar 7 07:58:47 	charon: 11[IKE] giving up after 5 retransmits
    Mar 7 07:58:47 	charon: 11[IKE] <con1|99> establishing IKE_SA failed, peer not responding
    

    Who can help me?

    Thanks!
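An added example (not from the original post or from pfSense) that parses charon log lines in the format quoted above and reports when the initiator has exhausted its attempts, which is the condition a cron-driven health check would alert on. The sample lines are constructed after the post's format, and the `con1|99` / `WAN-IP-SITE-A` names are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines, following the charon log format quoted in the post.
SAMPLE_LOG = """\
Mar 7 07:53:08 charon: 06[CFG] ignoring acquire, connection attempt pending
Mar 7 07:53:15 charon: 07[IKE] <con1|99> peer not responding, trying again (2/3)
Mar 7 07:53:15 charon: 07[IKE] <con1|99> initiating IKE_SA con1[99] to WAN-IP-SITE-A
Mar 7 07:53:15 charon: 07[IKE] initiating IKE_SA con1[99] to WAN-IP-SITE-A
Mar 7 07:53:19 charon: 07[IKE] <con1|99> retransmit 1 of request with message ID 0
Mar 7 07:56:01 charon: 01[IKE] <con1|99> giving up after 5 retransmits
Mar 7 07:56:01 charon: 01[IKE] <con1|99> peer not responding, trying again (3/3)
Mar 7 07:58:47 charon: 11[IKE] <con1|99> establishing IKE_SA failed, peer not responding
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon: \d+\[(?P<group>\w+)\] "
    r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$"
)

def analyse_charon_log(text):
    # Only <conN|id>-tagged lines are counted: pfSense 2.2 also logs an untagged copy.
    sas = defaultdict(lambda: {"retransmits": 0, "gave_up": 0, "attempt": None,
                               "peer": None, "failed": False})
    ignored = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("ignoring acquire"):
            ignored += 1  # traffic matching the policy is dropped meanwhile
            continue
        if m.group("sa") is None:
            continue
        rec = sas[m.group("sa")]
        if msg.startswith("retransmit "):
            rec["retransmits"] += 1
        elif msg.startswith("giving up after"):
            rec["gave_up"] += 1
        elif (a := re.search(r"trying again \((\d+)/(\d+)\)", msg)):
            rec["attempt"] = (int(a.group(1)), int(a.group(2)))
        elif (p := re.match(r"initiating IKE_SA \S+ to (\S+)", msg)):
            rec["peer"] = p.group(1)
        elif msg.startswith("establishing IKE_SA failed"):
            rec["failed"] = True
    return {"ignored_acquires": ignored, "sas": dict(sas)}

def dead_tunnels(report):
    # SAs whose initiator exhausted every attempt: what a periodic check would alert on.
    return sorted(sa for sa, r in report["sas"].items() if r["failed"])
```

Feeding the IPsec log (or `grep charon` over the system log) through `analyse_charon_log` and acting on `dead_tunnels` turns the silent failure in the post into something a cron job can notice.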









  • This is a bug in pfSense 2.2. I had previously reported this in my forum post https://forum.pfsense.org/index.php?topic=87636.0

    there is also an open bug report on this: https://redmine.pfsense.org/issues/4341

You at this point have to simply return to 2.1.5 on both sides. IPSEC IS BROKEN ON 2.2 if you are using PPPoE.



  • Hello Sam,

    thanks for answering!

What about: "Removing interfaces_use from strongswan.conf makes the problem go away."?

    there is also an open bug report on this: https://redmine.pfsense.org/issues/4341

There it is written that this is related only to dynamic IPs. I've got static IPs…

Is there a trick to restart the IPsec service by cron? How can I downgrade PF from remote?

    Thanks!


  •

    @itm_2015:

H…. How can I downgrade PF from remote?

    Thanks!

…ooops, maybe it's easier to set up some OpenVPN tunnels to bridge the time till it's fixed...



  • @itm_2015:

H…. How can I downgrade PF from remote?

    Thanks!

Are you using a pfSense appliance, i.e. from pfSense or Netgate, that uses a BSD image? They usually have two slices. You can just switch the active slice to the backup slice and reboot. You should be back to the version that was installed prior to upgrading to 2.2.



  • @itm_2015:

What about: "Removing interfaces_use from strongswan.conf makes the problem go away."?

I had the same problem. Whenever the WAN link got disconnected/reconnected, the VPN tunnels did not reconnect.
Removing the 'interfaces_use' key indeed fixed the problem.
To remove this key from strongswan.conf I edited /etc/inc/vpn.inc; around line 370 there is this:

    {$accept_unencrypted}
    cisco_unity = {$unity_enabled}
    {$ifacesuse}

    I changed this to:

    {$accept_unencrypted}
    cisco_unity = {$unity_enabled}

    {$ifacesuse}

I also edited the file /var/etc/ipsec/strongswan.conf and commented out the 'interfaces_use' line (it gets overwritten when the WAN is disconnected).

This is a hack that worked for me; I have no experience in Linux/FreeBSD and don't know if it has any side effects. The alternative is to go back to the old version or wait for the 2.2.1 update.

    Lex

