Netgate Discussion Forum

Stable IPSEC VPN?

  • Popupgbg
    last edited by Sep 4, 2015, 11:13 AM

    We have a couple of pfSense firewalls with version 2.1.5 connected to our core HA Fortigate firewalls.
    We have found this version to be most stable with our Fortigate 310 and the current version of OS but not stable enough.
    Sometimes the VPN freezes: the tunnel is up but no traffic is going through the tunnel, and we have to restart the IPSEC-service on the pfSense side to get the tunnel up again.

    We have tried many different settings. Sometimes main mode is working; the next time the only way to get it to work is to use aggressive mode. Sometimes the sites have a static WAN IP and sometimes the sites have a DHCP IP on WAN.

    Now we have taken a decision to set up a pfSense firewall at our location and use this, instead of the Fortigate, for all locations that are using pfSense and IPSEC, to get the most stable solution.

    My question now: is the current 2.2.4 stable with 2.1.5, or is there a recommendation to go for an older version like 2.1.5 at the core, as this is the version on the different sites, or is the recommendation to go for 2.2.4 on all sites including the core site?

    Thanks

    • djamp42
      last edited by Sep 4, 2015, 1:54 PM

      I use 2.2.4 with 2.1.5 and it seems to work well for me. The IPsec daemon in 2.2.X has a memory leak issue, so I would hold off on upgrading until that is fixed. Unless you need IKEv2 or some other feature in the 2.2.X release, I would hold off on upgrading.

      • cmb
        last edited by Sep 4, 2015, 5:48 PM

        @djamp42:

        The IPsec daemon in 2.2.X has a memory leak issue, so I would hold off on upgrading until that is fixed. Unless you need IKEv2 or some other feature in the 2.2.X release, I would hold off on upgrading.

        Not my recommendation. The memory leak doesn't impact the vast majority of use cases.

        If you're having issues, I would most definitely upgrade to 2.2.4 first.

        • djamp42
          last edited by Sep 4, 2015, 7:26 PM

          I don't know what else to try; setting up a brand new tunnel on 2.2.4 AMD64 with a fresh install gives me a memory leak. It seems other people are having the same issue also.

          I have 3 major types of hardware and all have the same problem. Granted, with 1 IPSec tunnel it's hardly noticeable, but it's still leaking. I had all this same hardware and configuration with Racoon and never had a problem. This box, for example, was upgraded a couple of months ago; it was fine until we upgraded to 2.2.X. It's been up for about 70 days and charon is eating up 260mb of memory, and this is with 1 VPN tunnel.

          /root: uptime
           3:22PM  up 71 days,  2:39, 2 users, load averages: 0.16, 0.14, 0.10
          /root: top | grep charon
          30149 root       17  20    0   261M 25500K uwait   4   0:01   0.00% charon
          
          

          If someone has an installation running with 80+ IPSec tunnels and it doesn't crash, I would love to know the hardware or software settings you are using. I've tried everything and I can't get it to stop eating memory.

          Memory_Leak_IPSEC.jpg
          • byusinger84
            last edited by Sep 4, 2015, 8:28 PM

            We also experience this issue. We have approximately 50 tunnels and every two weeks or so I have to reboot the firewall because of this problem.
