4. IPSec shown als connection established … but isn't anymore

IPSec shown als connection established … but isn't anymore

  • E

    Hi,

    I think since something changed in 2.2.? or newer, because there are some issues in IPSec I've never had before. I don't know excactly the version when the problems began, but I think including 2.2.0 I hadn't those problems. Before that time my IPSec vpn was rock-solid over years … even, wenn there was a problem and it has to be re-established outside of the normal rekeing interval. Since it's not the first time that i run in to that problem, here's the story ...

    A tunnel is already established betwenn an ASA 5510 and pfSense (actual version / static IPs / no NAT-T). Aussume that (because of a problem) the tunnel isn't anymore existing. ASA recognizes that and skips all it's SAs on Cisco side. The ASA is also configured not to initiate the tunnel, which means ASA side is just answering to connection requests from pfSense ...

    ... but pfSense is displaying the tunnel up and without a problem at the dashboard. Even if i look in "Status: IPSec" the P1 is displayed as "established". If i restart the IPSec service there, nothing changes. Tunnels are shown as up but aren't!

    DeadPeerDetection is activated and the P2 entry has an IP to which send pings.

    My ugly "solution" at the moment is to completely disable IPSec and then enable it again on pfSense.

    Does anybody has a clue what could be the problem? Is it something i have to configure in a other way or are there some issues? Why pfSense is meaning, that the tunnels are up ... DPD is activated!? I have this issue with 5 different pfSense boxes running on alix. 2.2.0 and before, there wasn't such a problem.

    Thx

    0
  • A

    I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out.

    If you stop and start the IPSec service instead of clicking restart, does that make a difference?  (Yes, that's not the same as a restart for some reason.)  It does for me.
    If you have a host behind pfSense send traffic over the tunnel to a host behind your ASA does IPSec traffic resume?

    0
  • E

    @almabes:

    If you stop and start the IPSec service instead of clicking restart, does that make a difference?  (Yes, that's not the same as a restart for some reason.)  It does for me.

    Ooops … sounds interesting. Maybe I can test this at the weekend. I can't enforce the situation now, cause its on a production system. On sunday there is a chance to do that ...

    @almabes:

    If you have a host behind pfSense send traffic over the tunnel to a host behind your ASA does IPSec traffic resume?

    No traffic is gone through the tunnel. No matter if I ping from client to client or from pfSense WebGUI to other IPSec Endpoint (ASA) or the clients in the net behind …?! And if i look in WebGUI ... tunnel seems to be up. But is definetifely not ... on Cisco ASA side, no more SAs there ...

    0
  • E

    If I just not restart … but explicit stop and then explicit start ... tunnel comes up again and is really up (not just shown up).

    0
  • E

    @almabes:

    I'm experiencing something similar, I think.  I have pfSense support engaged to help figure it out.

    Do you have any perceptions to that issue meanwhile?

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy