2.2.x IPSEC VPN Unstable - Requires Constant Ping

  • We have 50 tunnels going between our various locations and unfortunately have had nothing but nightmares since 2.2.x with IPsec. Aside from the well-documented memory leaks, there are other issues that many have asked about; after over an hour of searching, I found no solutions.

    Our primary problems are twofold:

    1. The well-known memory leaks in the ipsec daemon cause the firewall to require a reboot every 5-10 days or so. This is extremely difficult to work with, as we depend greatly on these tunnels being up 24/7. We never had these issues with 2.1.5 and racoon, but 2.2.x and strongSwan are just awful.

    2. VPN tunnels will not stay connected. I'm not sure exactly about the timing, but if I attempt to initiate a connection from one side or the other, the connection will time out unless I go to a LAN computer on either side of the tunnel and start a ping to the other side. After that, everything works swimmingly. If I turn off the ping, everything dies again after a little while. Basically, only a constant ping to each site, and from each site to every other site, keeps the connection stable, but that's hardly a solution, and in our case it would be impossible to deploy with so many tunnels.

    Yes, we are using IKEv2 for locations that have more than one phase 2 entry. Yes, I have the ping setting enabled for each phase 2 entry on both sides. It doesn't seem to make any real difference.

    Can anyone help?
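As an added example of automating the workaround the post describes (this is not from the original post, and it does not fix whatever is tearing the tunnels down), the sweep below sends one probe into every tunnel from the firewall itself instead of from a LAN host per site. It assumes pfSense/FreeBSD `ping`, whose `-S` binds the source address so the probe leaves as LAN-to-remote-LAN traffic and matches the phase 2 selector; the tunnel table is constructed for illustration, and the `PING*` variables, `probe_status` and `sweep` are names chosen here, not pfSense's.

```shell
#!/bin/sh
# Added example (not from the original post): a keepalive sweep run on the
# firewall itself, so no LAN host has to keep a ping running per tunnel.
# Assumptions: FreeBSD/pfSense ping, whose -S binds the source address so the
# probe leaves as LAN->remote-LAN traffic matching the phase 2 selector; on
# Linux (iputils) use -I for the source and -W for the timeout instead.

PING="${PING:-ping}"
PING_SRC_FLAG="${PING_SRC_FLAG:--S}"            # FreeBSD: -S, Linux: -I
PING_TIMEOUT_OPTS="${PING_TIMEOUT_OPTS:--t 2}"  # FreeBSD: -t secs, Linux: -W secs

# Constructed tunnel table: "local_lan_source remote_lan_target label".
# The source must be an address inside the local phase 2 network, otherwise
# the probe never matches the policy and never enters the tunnel.
TUNNELS='
# local_src   remote_target   label
10.1.0.1      10.2.0.1        site-b
10.1.0.1      10.3.0.1        site-c
10.1.0.1      10.4.0.1        site-d
'

# probe_status SRC DST: send one probe into the tunnel; prints "up" or "down".
probe_status() {
    # PING_TIMEOUT_OPTS is intentionally unquoted so it word-splits into flags.
    if "$PING" "$PING_SRC_FLAG" "$1" -c 1 $PING_TIMEOUT_OPTS "$2" >/dev/null 2>&1; then
        echo up
    else
        echo down
    fi
}

# sweep: probe every tunnel in the table, print "label status" per line and a
# final "down=N" summary line. Always returns 0 so it is safe under set -e/cron.
sweep() {
    down=0
    while read -r src dst label; do
        # skip blank lines and comments in the table
        case "$src" in ''|'#'*) continue ;; esac
        status=$(probe_status "$src" "$dst")
        echo "$label $status"
        if [ "$status" = down ]; then
            down=$((down + 1))
        fi
    done <<EOF
$TUNNELS
EOF
    echo "down=$down"
}

# Run from cron every minute, e.g.:
#   * * * * * /usr/local/bin/ipsec_keepalive.sh --sweep >> /var/log/ipsec_keepalive.log
case "${1:-}" in
    --sweep) sweep ;;
esac
```

Each probe is ordinary ICMP, so it only keeps a phase 2 alive if its source and destination fall inside that entry's local and remote networks; with several phase 2 entries per peer, the table needs one line per entry. The `down=N` line is also a cheap way to see which tunnels are actually dropping between sweeps, which is more useful than a single LAN-host ping when there are dozens of them.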