Netgate Discussion Forum

    IPSEC stops working after a couple hours

      charlien

      I've used the same setup for several years without issue but the latest update must have changed something. Every couple hours my site-to-site VPN quits working. If I disable IPSEC for a minute or two and enable it everything works again. I can't see any obvious config errors. Any suggestions where to start? The far end is an Adtran router if that makes a difference.

        2chemlud Banned

        Hi!

        Have a look:

        https://firstlook.org/theintercept/document/2014/03/12/vpn-voip-exploitation-hammerchant-hammerstein/

        …maybe your NSA exploit needs an update...

          SuperSpy

          I've been fighting this as well and it just started happening in the 2.2.1-RELEASE update. The connection shows up as connected in the status: IPsec page, but I can't ping the other end, and the other end can't ping me. It seems to happen when the connection gets a second entry in the "Child SA" section. If I expand that entry and delete the bottom entry, the connection immediately comes back and I can ping from both ends of the tunnel again.

          I'm not too familiar with how IPsec operates, so I've been trying to muck about with logging to figure out what is happening, but I presume it's some kind of bug given it worked flawlessly on 2.2.

            pvoigt

            Looks like this issue:
            https://forum.pfsense.org/index.php?topic=88293.0

            It is not yet solved - besides other IPsec issues like this one:
            https://forum.pfsense.org/index.php?topic=87946.0

            Both issues together are unfortunately a show stopper for IPsec under pfSense. I am glad with OpenVPN: It's stable and easier to configure.

            Regards,
            Peter

              XaserII

              I too have this problem using IPsec and the Shrewsoft VPN access manager. Couldn't find a solution either, hope there will be a fix soon.

              @pvoigt, I beg to differ, I tried OpenVPN and even though I don't know if there's an easier way to set it up than in the pfSense Wiki guide, I didn't have to create any Certificates / Authorities and copy them to my local PC.

              This however may come at the price of not being as secure, but OpenVPN seemed not easy at all to me.

                yaboc

                I see the same issue on 2.2 and am a bit skeptical about flashing over to 2.2.1, and am just downgrading back to 2.1.5 as it's working fine for me.
                The tunnel shows that it's online but there is no ping response. Restarting the service brings everything back up.

                  jasperdillon

                  I'm trying out changing over to IKEv2, as per https://forum.pfsense.org/index.php?topic=90999.0
                  Will see in a day or so if it's any happier…

                    Eleander

                    I've IPSEC running between 6 sites (all pfSense and no issues whatsoever).
                    What phase 1 and phase 2 settings are you using on both devices?

                      kitdavis

                      What version are you running? Site to Site Tunnels were rock solid in 2.2, but in 2.2.1 they are causing some of us problems, typically when the re-keying occurs.

                        cmb

                        If you started having rekeying issues with 2.2.1, the fix is here:
                        https://forum.pfsense.org/index.php?topic=91627.0

                          charlien

                          @cmb:

                          If you started having rekeying issues with 2.2.1, the fix is here:
                          https://forum.pfsense.org/index.php?topic=91627.0

                          That didn't fix it for me.

                            Ruddimaster

                            Hi charlien,

                            Does your issue look like this?
                            https://forum.pfsense.org/index.php?topic=91020.0
                            Many Phase II tunnels for only a single SA? Phase I established? No data went through?

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.