Netgate Discussion Forum

    Multiple IPsec tunnels set up, one randomly stops working.

    jeffstu

      Hi

      I'm hoping someone can help, as this issue is rather frustrating.

      In my setup there are 3 pfSense instances running on ESXi and a Draytek router.

      1. Draytek router, connects to 2 (pfSense 1). (This is up and stable.)
      2. pfSense 1 connects to 1, 3 and 4. (Connections to 1 and 4 are stable. Connection to 3 stops randomly.)
      3. pfSense 2 connects to 2 (pfSense 1) and 4 (pfSense 3). Connection to 4 is stable. Connection to 2 stops randomly.
      4. pfSense 3 connects to 2 (pfSense 1) and 3 (pfSense 2). Connection is stable.

      Hope that illustrates the setup well enough.

      So basically the tunnel between 2 of the pfSense instances is unstable, but other tunnels on the same pfSense instance work fine and remain stable.
      All have identical settings.

      When it drops, the IPsec status says that it is still established.
      Disabling IPsec, clicking Save, then re-enabling IPsec and clicking Save brings the connection back,
      as does manually disconnecting the single tunnel and reconnecting.

      Here is the config from 2, which connects to 1, 3 and 4:

      <ipsec>
        <phase1>
          <ikeid>2</ikeid>
          <interface>wan</interface>
          <remote-gateway>IP OF 1</remote-gateway>
          <mode>aggressive</mode>
          <protocol>inet</protocol>
          <myid_type>myaddress</myid_type>
          <myid_data></myid_data>
          <peerid_type>peeraddress</peerid_type>
          <peerid_data></peerid_data>
          <encryption-algorithm>
            <name>3des</name>
          </encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm>
          <dhgroup>1</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>PRE_SHARED_KEY</pre-shared-key>
          <private-key></private-key>
          <certref></certref>
          <caref></caref>
          <authentication_method>pre_shared_key</authentication_method>
          <generate_policy></generate_policy>
          <proposal_check></proposal_check>
          <descr><![CDATA[]]></descr>
          <nat_traversal>on</nat_traversal>
          <dpd_delay>10</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
          <iketype>ikev1</iketype>
        </phase1>
        <phase1>
          <ikeid>1</ikeid>
          <interface>wan</interface>
          <remote-gateway>IP OF 4</remote-gateway>
          <mode>aggressive</mode>
          <protocol>inet</protocol>
          <myid_type>myaddress</myid_type>
          <myid_data></myid_data>
          <peerid_type>peeraddress</peerid_type>
          <peerid_data></peerid_data>
          <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm>
          <hash-algorithm>sha256</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>PRE_SHARED_KEY</pre-shared-key>
          <private-key></private-key>
          <certref></certref>
          <caref></caref>
          <authentication_method>pre_shared_key</authentication_method>
          <generate_policy></generate_policy>
          <proposal_check></proposal_check>
          <descr><![CDATA[]]></descr>
          <nat_traversal>on</nat_traversal>
          <dpd_delay>10</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
          <iketype>ikev1</iketype>
        </phase1>
        <phase1>
          <ikeid>3</ikeid>
          <iketype>ikev1</iketype>
          <mode>aggressive</mode>
          <interface>wan</interface>
          <remote-gateway>IP OF 3</remote-gateway>
          <protocol>inet</protocol>
          <myid_type>myaddress</myid_type>
          <myid_data></myid_data>
          <peerid_type>peeraddress</peerid_type>
          <peerid_data></peerid_data>
          <encryption-algorithm>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm>
          <hash-algorithm>sha256</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>PRE_SHARED_KEY</pre-shared-key>
          <private-key></private-key>
          <certref></certref>
          <caref></caref>
          <authentication_method>pre_shared_key</authentication_method>
          <descr><![CDATA[]]></descr>
          <nat_traversal>on</nat_traversal>
          <mobike>off</mobike>
          <dpd_delay>10</dpd_delay>
          <dpd_maxfail>5</dpd_maxfail>
        </phase1>
        <client>
          <enable></enable>
          <user_source>Local Database</user_source>
          <group_source>system</group_source>
          <save_passwd></save_passwd>
          <dns_server1>8.8.8.8</dns_server1>
          <dns_server2>8.8.4.4</dns_server2>
        </client>
        <phase2>
          <ikeid>2</ikeid>
          <mode>tunnel</mode>
          <localid>
            <type>lan</type>
          </localid>
          <remoteid>
            <type>network</type>
            <address>LAN IP's For 1</address>
            <netbits>24</netbits>
          </remoteid>
          <protocol>esp</protocol>
          <encryption-algorithm-option>
            <name>3des</name>
          </encryption-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>1</pfsgroup>
          <lifetime>3600</lifetime>
          <pinghost>LAN IP's For 1</pinghost>
          <descr><![CDATA[]]></descr>
          <uniqid>********</uniqid>
          <reqid>1</reqid>
        </phase2>
        <phase2>
          <ikeid>1</ikeid>
          <mode>tunnel</mode>
          <localid>
            <type>lan</type>
          </localid>
          <remoteid>
            <type>network</type>
            <address>LAN IP's For 4</address>
            <netbits>24</netbits>
          </remoteid>
          <protocol>esp</protocol>
          <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>3600</lifetime>
          <pinghost>LAN IP's For 4</pinghost>
          <descr><![CDATA[]]></descr>
          <uniqid>******************</uniqid>
          <reqid>2</reqid>
        </phase2>
        <phase2>
          <ikeid>3</ikeid>
          <uniqid>*************</uniqid>
          <mode>tunnel</mode>
          <reqid>3</reqid>
          <localid>
            <type>lan</type>
          </localid>
          <remoteid>
            <type>network</type>
            <address>LAN IP's For 3</address>
            <netbits>24</netbits>
          </remoteid>
          <protocol>esp</protocol>
          <encryption-algorithm-option>
            <name>aes</name>
            <keylen>256</keylen>
          </encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha256</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>3600</lifetime>
          <pinghost>LAN IP's For 3</pinghost>
          <descr><![CDATA[]]></descr>
        </phase2>
        <preferoldsa></preferoldsa>
        <enable></enable>
      </ipsec>
      

      If anyone has any suggestions, I would be most appreciative.

      Stu

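An added example, not part of the post and not pfSense's own code: a script that reads an `<ipsec>` section laid out like the one above and reports the proposal settings worth fixing regardless of the stability problem. As posted, the tunnel to peer 1 (ikeid 2) runs IKEv1 aggressive mode with a pre-shared key, 3DES, MD5 and DH group 1; the other two use AES-256/SHA-256 but still aggressive mode and DH group 2. IKEv1 aggressive mode with a PSK sends the responder's authentication hash unencrypted, so anyone who captures the exchange can brute-force the PSK offline; that alone is a reason to move to main mode (as the later post does) or IKEv2. The embedded config is a constructed sample mirroring the posted entries, with the same placeholder addresses and PSK; the 50 s DPD window is simply dpd_delay × dpd_maxfail from the config.

```python
"""Audit the IKE and ESP proposals in a pfSense config.xml <ipsec> section.

Added example (not from the forum post or pfSense). Walks each <phase1>/<phase2>
as laid out in the posted config and reports weak settings: IKEv1 aggressive
mode with a PSK, 3DES, MD5/SHA-1, DH/PFS groups below 14, plus the DPD window.
"""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the three tunnels in the post: ikeid 2 (to the
# Draytek, 3DES/MD5/DH1), ikeid 1 and 3 (AES-256/SHA-256/DH2), all IKEv1
# aggressive mode with a PSK. Addresses and the PSK are placeholders.
SAMPLE_CONFIG = """<pfsense><ipsec>
<phase1><ikeid>2</ikeid><iketype>ikev1</iketype><mode>aggressive</mode>
 <remote-gateway>IP OF 1</remote-gateway><authentication_method>pre_shared_key</authentication_method>
 <encryption-algorithm><name>3des</name></encryption-algorithm><hash-algorithm>md5</hash-algorithm>
 <dhgroup>1</dhgroup><dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail></phase1>
<phase1><ikeid>1</ikeid><iketype>ikev1</iketype><mode>aggressive</mode>
 <remote-gateway>IP OF 4</remote-gateway><authentication_method>pre_shared_key</authentication_method>
 <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
 <hash-algorithm>sha256</hash-algorithm><dhgroup>2</dhgroup>
 <dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail></phase1>
<phase1><ikeid>3</ikeid><iketype>ikev1</iketype><mode>aggressive</mode>
 <remote-gateway>IP OF 3</remote-gateway><authentication_method>pre_shared_key</authentication_method>
 <encryption-algorithm><name>aes</name><keylen>256</keylen></encryption-algorithm>
 <hash-algorithm>sha256</hash-algorithm><dhgroup>2</dhgroup>
 <dpd_delay>10</dpd_delay><dpd_maxfail>5</dpd_maxfail></phase1>
<phase2><ikeid>2</ikeid><protocol>esp</protocol>
 <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
 <hash-algorithm-option>hmac_md5</hash-algorithm-option><pfsgroup>1</pfsgroup></phase2>
<phase2><ikeid>1</ikeid><protocol>esp</protocol>
 <encryption-algorithm-option><name>aes</name><keylen>256</keylen></encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha256</hash-algorithm-option><pfsgroup>2</pfsgroup></phase2>
<phase2><ikeid>3</ikeid><protocol>esp</protocol>
 <encryption-algorithm-option><name>aes</name><keylen>256</keylen></encryption-algorithm-option>
 <hash-algorithm-option>hmac_sha256</hash-algorithm-option><pfsgroup>2</pfsgroup></phase2>
</ipsec></pfsense>"""

WEAK_CIPHERS = {"des", "3des", "blowfish", "cast128"}
WEAK_HASHES = {"md5", "sha1", "hmac_md5", "hmac_sha1"}
MIN_DH_GROUP = 14  # 2048-bit MODP; group 1 (768-bit) and group 2 (1024-bit) are too small


def _text(elem, path, default=""):
    """Text of the first child at `path`, or `default` when absent or empty."""
    child = elem.find(path)
    return child.text.strip() if child is not None and child.text else default


def audit_phase1(p1):
    """Return a list of weaknesses in one <phase1> (IKE SA) entry."""
    findings = []
    if _text(p1, "mode") == "aggressive" and _text(p1, "authentication_method") == "pre_shared_key":
        # Aggressive mode sends the responder's auth hash in the clear: offline PSK cracking.
        findings.append("aggressive mode with PSK (PSK hash exposed to offline cracking)")
    cipher = _text(p1, "encryption-algorithm/name")
    if cipher in WEAK_CIPHERS:
        findings.append(f"weak IKE cipher {cipher}")
    if _text(p1, "hash-algorithm") in WEAK_HASHES:
        findings.append(f"weak IKE hash {_text(p1, 'hash-algorithm')}")
    dh = int(_text(p1, "dhgroup", "0"))
    if dh < MIN_DH_GROUP:
        findings.append(f"DH group {dh} below group {MIN_DH_GROUP}")
    if _text(p1, "iketype") == "ikev1":
        findings.append("IKEv1 (prefer IKEv2 where the peer supports it)")
    return findings


def dpd_window(p1):
    """Seconds until DPD declares the peer dead: dpd_delay * dpd_maxfail (0 if DPD is off)."""
    return int(_text(p1, "dpd_delay", "0")) * int(_text(p1, "dpd_maxfail", "0"))


def audit_phase2(p2):
    """Return a list of weaknesses in one <phase2> (ESP child SA) entry."""
    findings = []
    for opt in p2.findall("encryption-algorithm-option"):
        if _text(opt, "name") in WEAK_CIPHERS:
            findings.append(f"weak ESP cipher {_text(opt, 'name')}")
    for opt in p2.findall("hash-algorithm-option"):
        if (opt.text or "").strip() in WEAK_HASHES:
            findings.append(f"weak ESP integrity {opt.text.strip()}")
    pfs = int(_text(p2, "pfsgroup", "0"))
    if pfs == 0:
        findings.append("PFS disabled")
    elif pfs < MIN_DH_GROUP:
        findings.append(f"PFS group {pfs} below group {MIN_DH_GROUP}")
    return findings


def audit(config_xml):
    """Map each ikeid to its peer, phase1/phase2 findings and DPD window."""
    ipsec = ET.fromstring(config_xml).find("ipsec")
    report = {}
    for p1 in ipsec.findall("phase1"):
        report[_text(p1, "ikeid")] = {"peer": _text(p1, "remote-gateway"), "phase1": audit_phase1(p1),
                                      "phase2": [], "dpd_window_s": dpd_window(p1)}
    for p2 in ipsec.findall("phase2"):  # phase2 entries reference their phase1 by ikeid
        entry = report.setdefault(_text(p2, "ikeid"),
                                  {"peer": "?", "phase1": [], "phase2": [], "dpd_window_s": 0})
        entry["phase2"].extend(audit_phase2(p2))
    return report


if __name__ == "__main__":
    for ikeid, entry in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"ikeid {ikeid} -> {entry['peer']} (DPD window {entry['dpd_window_s']}s)")
        for finding in entry["phase1"] + entry["phase2"]:
            print("   -", finding)
```

To run it against a real box, replace `SAMPLE_CONFIG` with the contents of `/cf/conf/config.xml` (or a backup downloaded from Diagnostics > Backup & Restore); the `<ipsec>` layout is the same. Note that both ends of a tunnel must agree on any proposal change, so the Draytek side needs to be checked for what it can negotiate before dropping 3DES/MD5/DH1 there.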
      jeffstu

        Just to fill in a bit more detail:
        there are Linux servers at each site with NFS shares;
        each site mounts the others' NFS shares.

        So when the link between 2 and 3 drops, it takes out the NFS share there.

        But 4 can still connect to 2 and 3 fine with the tunnels it has set up,
        and 2 can connect to 1 and 4 fine,
        and 3 can still connect to 4 fine.

        Hope that all makes sense.

        Stu

        jeffstu

          Little progress?

          I deleted and re-created the problem tunnel, gave it a new key and set it to main mode instead of aggressive.

          It lasted just over 24 hours before dropping.

          Other tunnels still remain stable.

          Does anyone have any ideas?

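Since the re-created tunnel still drops after a day, the practical stop-gap is to automate the workaround from the first post: when the remote LAN stops answering while `ipsec statusall` still lists the connection as ESTABLISHED, bring it down and up again. The script below is an added example, not code from the post or from pfSense. Assumptions, none of which the thread confirms: strongSwan's `ipsec` binary lives at `/usr/local/sbin/ipsec` on the pfSense box, the connection name follows pfSense's `con<ikeid>` convention (so `con3` for the `<ikeid>3</ikeid>` entry), and a Python 3 interpreter is available; the `SAMPLE_STATUS` text is a constructed imitation of strongSwan's `statusall` output using documentation addresses.

```python
"""Watchdog for a pfSense IPsec tunnel that shows ESTABLISHED but passes no traffic.

Added example (not from the forum post or pfSense). Automates the manual
disconnect/reconnect from the post. Assumed: strongSwan `ipsec` binary at
/usr/local/sbin/ipsec, pfSense connection names con<ikeid>, Python 3 present.
"""
import re
import subprocess
import sys

IPSEC = "/usr/local/sbin/ipsec"  # assumed path on pfSense

# Constructed sample of `ipsec statusall` output in strongSwan's format.
# con2 stands for the post's tunnel to peer 1, con3 for the unstable one to peer 3.
SAMPLE_STATUS = """Security Associations (2 up, 0 connecting):
        con2[7]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
        con2{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3d4_i e5f6a7b8_o
        con2{3}:   10.2.0.0/24 === 10.1.0.0/24
        con3[5]: ESTABLISHED 14 hours ago, 203.0.113.10[203.0.113.10]...192.0.2.30[192.0.2.30]
        con3{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 0a1b2c3d_i 4e5f6a7b_o
        con3{5}:   10.2.0.0/24 === 10.3.0.0/24
"""

# "<name>[<id>]: <STATE>" lines describe IKE SAs, "<name>{<id>}: <STATE>" child (ESP) SAs.
IKE_SA = re.compile(r"^\s*(?P<name>[^\s\[]+)\[\d+\]:\s+(?P<state>[A-Z]+)")
CHILD_SA = re.compile(r"^\s*(?P<name>[^\s{]+)\{\d+\}:\s+(?P<state>[A-Z]+)")


def sa_state(status_text, conn):
    """Return (ike_established, child_installed) for connection `conn`."""
    ike_up = child_up = False
    for line in status_text.splitlines():
        m = IKE_SA.match(line)
        if m and m["name"] == conn and m["state"] == "ESTABLISHED":
            ike_up = True
        m = CHILD_SA.match(line)
        if m and m["name"] == conn and m["state"] == "INSTALLED":
            child_up = True
    return ike_up, child_up


def decide(status_text, conn, peer_reachable):
    """None if healthy; 'stale' if both SAs are up but the peer LAN is dead; 'down' otherwise."""
    if peer_reachable:
        return None
    ike_up, child_up = sa_state(status_text, conn)
    return "stale" if ike_up and child_up else "down"


def ping(host, count=3):
    """True if `host` answers at least one of `count` ICMP echo requests."""
    return subprocess.call(["ping", "-c", str(count), host],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) == 0


def restart(conn):
    """Equivalent of the manual disconnect/reconnect on the IPsec status page."""
    subprocess.call([IPSEC, "down", conn])      # may fail if nothing is up; ignore
    subprocess.check_call([IPSEC, "up", conn])


def main(argv):
    if len(argv) != 3:
        sys.exit(f"usage: {argv[0]} <connection-name> <host-on-remote-lan>")
    conn, host = argv[1], argv[2]
    status = subprocess.check_output([IPSEC, "statusall"], text=True)
    reason = decide(status, conn, ping(host))
    if reason is None:
        print(f"{conn}: ok")
        return 0
    print(f"{conn}: {reason} ({host} unreachable), restarting")
    restart(conn)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron (the pfSense Cron package, or a line in `/etc/crontab`) every few minutes as `python3 ipsec_watchdog.py con3 <host-on-the-peer-3-LAN>`, pointing at a host that is always up, such as the NFS server mentioned in the thread. The "stale" branch is the symptom in the post (SAs listed as up, no traffic); the "down" branch just retries a tunnel that never came up. Three lost echo requests are a thin guard against flapping on a single dropped packet; if the WAN is lossy, keep a failure counter across runs before restarting. Restarting one end while the other still holds its old SA is exactly what the manual workaround already does, so it introduces no new mismatch.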
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.