Multiple IPsec tunnels set up, one randomly stops working.



  • Hi

    I'm hoping someone can help, as this issue is rather frustrating.

    In my setup there are 3 pfSense instances running on ESXi and a DrayTek router.

    1. DrayTek router, connects to 2 (pfSense 1). (This is up and stable.)
    2. pfSense 1 connects to 1, 3 and 4. (Connections to 1 and 4 are stable. Connection to 3 stops randomly.)
    3. pfSense 2 connects to 2 (pfSense 1) and 4 (pfSense 3). Connection to 4 is stable. Connection to 3 stops randomly.
    4. pfSense 3 connects to 2 (pfSense 1) and 3 (pfSense 2). Connection is stable.

    Hope that illustrates the setup well enough.

    So basically the tunnel between 2 of the pfSense instances is unstable, but other tunnels on the same pfSense instance work fine and remain stable.
    All have identical settings.

    When it drops, IPsec status says that it is still established.
    Disabling IPsec and clicking Save, then re-enabling IPsec and clicking Save brings the connection back,
    as does manually disconnecting the single tunnel and reconnecting.

    Here is the config from 2, which connects to 1, 3 and 4:

    <ipsec>
      <phase1>
        <ikeid>2</ikeid>
        <interface>wan</interface>
        <remote-gateway>IP OF 1</remote-gateway>
        <mode>aggressive</mode>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data/>
        <peerid_type>peeraddress</peerid_type>
        <peerid_data/>
        <encryption-algorithm>
          <name>3des</name>
        </encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>1</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>PRE_SHARED_KEY</pre-shared-key>
        <private-key/>
        <certref/>
        <caref/>
        <authentication_method>pre_shared_key</authentication_method>
        <generate_policy/>
        <proposal_check/>
        <descr>-</descr>
        <nat_traversal>on</nat_traversal>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
        <iketype>ikev1</iketype>
      </phase1>
      <phase1>
        <ikeid>1</ikeid>
        <interface>wan</interface>
        <remote-gateway>IP OF 4</remote-gateway>
        <mode>aggressive</mode>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data/>
        <peerid_type>peeraddress</peerid_type>
        <peerid_data/>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>PRE_SHARED_KEY</pre-shared-key>
        <private-key/>
        <certref/>
        <caref/>
        <authentication_method>pre_shared_key</authentication_method>
        <generate_policy/>
        <proposal_check/>
        <descr>-</descr>
        <nat_traversal>on</nat_traversal>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
        <iketype>ikev1</iketype>
      </phase1>
      <phase1>
        <ikeid>3</ikeid>
        <iketype>ikev1</iketype>
        <mode>aggressive</mode>
        <interface>wan</interface>
        <remote-gateway>IP OF 3</remote-gateway>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data/>
        <peerid_type>peeraddress</peerid_type>
        <peerid_data/>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha256</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>28800</lifetime>
        <pre-shared-key>PRE_SHARED_KEY</pre-shared-key>
        <private-key/>
        <certref/>
        <caref/>
        <authentication_method>pre_shared_key</authentication_method>
        <descr>-</descr>
        <nat_traversal>on</nat_traversal>
        <mobike>off</mobike>
        <dpd_delay>10</dpd_delay>
        <dpd_maxfail>5</dpd_maxfail>
      </phase1>
      <client>
        <enable/>
        <user_source>Local Database</user_source>
        <group_source>system</group_source>
        <save_passwd/>
        <dns_server1>8.8.8.8</dns_server1>
        <dns_server2>8.8.4.4</dns_server2>
      </client>
      <phase2>
        <ikeid>2</ikeid>
        <mode>tunnel</mode>
        <localid>
          <type>lan</type>
        </localid>
        <remoteid>
          <type>network</type>
          <address>LAN IP's For 1</address>
          <netbits>24</netbits>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>3des</name>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>1</pfsgroup>
        <lifetime>3600</lifetime>
        <pinghost>LAN IP's For 1</pinghost>
        <descr>-</descr>
        <uniqid>********</uniqid>
        <reqid>1</reqid>
      </phase2>
      <phase2>
        <ikeid>1</ikeid>
        <mode>tunnel</mode>
        <localid>
          <type>lan</type>
        </localid>
        <remoteid>
          <type>network</type>
          <address>LAN IP's For 4</address>
          <netbits>24</netbits>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>3600</lifetime>
        <pinghost>LAN IP's For 4</pinghost>
        <descr>-</descr>
        <uniqid>******************</uniqid>
        <reqid>2</reqid>
      </phase2>
      <phase2>
        <ikeid>3</ikeid>
        <uniqid>*************</uniqid>
        <mode>tunnel</mode>
        <reqid>3</reqid>
        <localid>
          <type>lan</type>
        </localid>
        <remoteid>
          <type>network</type>
          <address>LAN IP's For 3</address>
          <netbits>24</netbits>
        </remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>3600</lifetime>
        <pinghost>LAN IP's For 3</pinghost>
        <descr>-</descr>
      </phase2>
      <preferoldsa/>
      <enable/>
    </ipsec>
    

    If anyone has any suggestions I would be most appreciative.

    Stu
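    As an added example (not Stu's code or anything shipped with pfSense), a small Python audit over the pfSense <ipsec> XML structure pasted above: it pairs each phase1 with its phase2 by ikeid, flags the 3DES/MD5/DH1 choices and aggressive-mode PSK that a reviewer would want replaced, and computes the DPD timeout (dpd_delay times dpd_maxfail) after which the IKE daemon would notice a dead peer. The sample XML is a constructed, abbreviated copy of the entries for ikeid 2 and 3.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the pasted pfSense <ipsec> block (ikeid 2 and 3 only).
SAMPLE = """<ipsec>
<phase1><ikeid>2</ikeid><iketype>ikev1</iketype><mode>aggressive</mode>
<encryption-algorithm><name>3des</name></encryption-algorithm><hash-algorithm>md5</hash-algorithm>
<dhgroup>1</dhgroup><authentication_method>pre_shared_key</authentication_method>
<dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail></phase1>
<phase1><ikeid>3</ikeid><iketype>ikev1</iketype><mode>aggressive</mode>
<encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
<hash-algorithm>sha256</hash-algorithm><dhgroup>2</dhgroup>
<authentication_method>pre_shared_key</authentication_method>
<dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail></phase1>
<phase2><ikeid>2</ikeid><encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option><pfsgroup>1</pfsgroup></phase2>
<phase2><ikeid>3</ikeid><encryption-algorithm-option><name>aes</name></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha256</hash-algorithm-option><pfsgroup>2</pfsgroup></phase2>
</ipsec>"""

# Settings a defender would flag: 3DES and MD5 are deprecated, and DH/PFS
# groups 1 and 2 (768/1024-bit MODP) are below current key-size guidance.
WEAK = {"3des", "md5", "hmac_md5", "1", "2"}

def text(el, path, default=""):
    node = el.find(path)  # stripped text of a child element, or default if absent
    return node.text.strip() if node is not None and node.text else default

def audit(xml_text):
    # Map each phase1 ikeid to its DPD dead-peer timeout and a list of findings.
    root = ET.fromstring(xml_text)
    p2_by_id = {text(p2, "ikeid"): p2 for p2 in root.findall("phase2")}
    report = {}
    for p1 in root.findall("phase1"):
        ikeid, issues = text(p1, "ikeid"), []
        if text(p1, "mode") == "aggressive" and text(p1, "authentication_method") == "pre_shared_key":
            issues.append("aggressive mode with PSK")  # peer identity is exchanged unprotected
        for v in (text(p1, "encryption-algorithm/name"), text(p1, "hash-algorithm"), text(p1, "dhgroup")):
            if v in WEAK:
                issues.append(f"weak phase1 algorithm: {v}")
        p2 = p2_by_id.get(ikeid)
        if p2 is None:
            issues.append("no phase2 entry for this ikeid")
        else:
            for v in (text(p2, "encryption-algorithm-option/name"),
                      text(p2, "hash-algorithm-option"), text(p2, "pfsgroup")):
                if v in WEAK:
                    issues.append(f"weak phase2 algorithm: {v}")
        # dpd_delay 10 x dpd_maxfail 5: the peer is only declared dead after about 50 s
        dpd = int(text(p1, "dpd_delay", "0")) * int(text(p1, "dpd_maxfail", "0"))
        report[ikeid] = {"dpd_timeout_s": dpd, "issues": issues}
    return report
```

    Pass the <ipsec> element extracted from a real config.xml to audit() to compare all tunnels side by side.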



  • Just to fill in a bit more detail:
    there are Linux servers at each site with NFS shares,
    and each site mounts the others' NFS shares.

    So when the link between 2 and 3 drops, it takes out the NFS share there.

    But 4 can still connect to 2 and 3 fine with the tunnels it has set up,
    2 can connect to 1 and 4 fine,
    and 3 can still connect to 4 fine.

    Hope that all makes sense.

    Stu



  • Little progress?

    I deleted and re-created the problem tunnel, gave it a new key and set it to main mode instead of aggressive.

    Lasted just over 24 hours before dropping.

    Other tunnels still remain stable.

    Does anyone have any ideas?

