Netgate Discussion Forum

    Tunnel not stable

    2 Posts 1 Posters 1.4k Views
    dnauk

      Hi All,

      I'm hoping someone can shed some light on this for me please…

      I've a pfSense instance in a DC. It has 10 IPsec tunnels, 3 of which talk to another pfSense box. One of these pfSense-to-pfSense tunnels keeps dropping, from a couple of times a day to going nearly a week.

      I'm trying to bottom this out. It has its own public IP and its gateway is a Draytek ADSL2+ router. Tunnel details are the same at both ends.

      It has dropped twice today :-\ Attached is more info and the IPsec config.

      System log on the problem site shows this every 10 mins or so:

      Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
      Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
      Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting OpenVPN tunnels/interfaces
      Nov 15 13:10:14 EPOSFirewall check_reload_status: Reloading filter
      Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
      Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
      Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting OpenVPN tunnels/interfaces
      Nov 15 13:10:14 EPOSFirewall check_reload_status: Reloading filter
      Nov 15 13:10:31 EPOSFirewall php-fpm[71723]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
      Nov 15 13:10:31 EPOSFirewall check_reload_status: Reloading filter
      Nov 15 13:10:31 EPOSFirewall php-fpm[79349]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
      Nov 15 13:10:31 EPOSFirewall check_reload_status: Reloading filter

      IPsec log on the problem site shows this every 10 mins or so:

      Nov 15 13:10:14 EPOSFirewall charon: 06[IKE] <con1000|39> sending DPD request
      Nov 15 13:10:14 EPOSFirewall charon: 06[ENC] <con1000|39> generating INFORMATIONAL_V1 request 1811332492 [ HASH N(DPD) ]
      Nov 15 13:10:14 EPOSFirewall charon: 06[NET] <con1000|39> sending packet: from SITE-IP[500] to DC-IP[500] (92 bytes)
      Nov 15 13:10:14 EPOSFirewall charon: 06[NET] <con1000|39> received packet: from DC-IP[500] to SITE-IP[500] (92 bytes)
      Nov 15 13:10:14 EPOSFirewall charon: 06[ENC] <con1000|39> parsed INFORMATIONAL_V1 request 1110810945 [ HASH N(DPD_ACK) ]
      Nov 15 13:10:24 EPOSFirewall charon: 06[NET] <con1000|39> received packet: from DC-IP[500] to SITE-IP[500] (92 bytes)
      Nov 15 13:10:24 EPOSFirewall charon: 06[ENC] <con1000|39> parsed INFORMATIONAL_V1 request 2524086590 [ HASH N(DPD) ]
      Nov 15 13:10:24 EPOSFirewall charon: 06[ENC] <con1000|39> generating INFORMATIONAL_V1 request 1163655834 [ HASH N(DPD_ACK) ]
      Nov 15 13:10:24 EPOSFirewall charon: 06[NET] <con1000|39> sending packet: from SITE-IP[500] to DC-IP[500] (92 bytes)
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading secrets
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG]  loaded IKE secret for %any DC-IP
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
      Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: unroute 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: shunt policy 'bypasslan' uninstalled
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
      Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] received stroke: delete connection 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] deleted connection 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: unroute 'con1000'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: configuration 'con1000' unrouted
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
      Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] received stroke: delete connection 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] deleted connection 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: add connection 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] added configuration 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 12[CFG] received stroke: route 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'bypasslan' shunt PASS policy installed
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: add connection 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] added configuration 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 12[CFG] received stroke: route 'con1000'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'con1000' routed
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading secrets
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG]  loaded IKE secret for %any DC-IP
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
      Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: unroute 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: shunt policy 'bypasslan' uninstalled
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: delete connection 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] deleted connection 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] received stroke: unroute 'con1000'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: configuration 'con1000' unrouted
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: delete connection 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] deleted connection 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] received stroke: add connection 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] added configuration 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: route 'bypasslan'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'bypasslan' shunt PASS policy installed
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: add connection 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] added configuration 'con1000'
      Nov 15 13:10:31 EPOSFirewall charon: 05[CFG] received stroke: route 'con1000'
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'con1000' routed
      Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:

      Whatever causes the tunnel to die, it doesn't come back up within 5 mins, so by that time I'm dialled back in and hitting reconnect. (The tunnel shows it's up though, yet I can't ping across it.)

      Also, I'm using PRTG to monitor the ping on the gateway; the ADSL line is stable and doesn't drop.

      My other 2 pfSense boxes, which connect via PPPoE, don't show all this chatter and IPsec reloading…

      Any help much appreciated!!

      Cheers
      Dave.
      ![pf @ DC.PNG](/public/imported_attachments/1/pf @ DC.PNG)
      ![pf @ ProblemSite.PNG](/public/imported_attachments/1/pf @ ProblemSite.PNG)
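The system log above shows one recurring chain: check_reload_status reports a dyndns update for GW_WAN, restarts the IPsec tunnels, and /rc.newipsecdns then refreshes because a tunnel endpoint "changed its IP". The script below is an added example, not code from the post or from pfSense, that parses lines in that syslog format and measures the churn (how often the cycle fires, which gateway drives it, and whether restarts cluster inside a window); the sample lines are constructed after the post's log, and the window and threshold values are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample modelled on the post's system log: three 10-minute cycles plus one unrelated line.
SAMPLE_LOG = """\
Nov 15 13:00:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
Nov 15 13:00:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
Nov 15 13:00:31 EPOSFirewall php-fpm[71723]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
Nov 15 13:10:31 EPOSFirewall php-fpm[79349]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Nov 15 13:12:00 EPOSFirewall check_reload_status: Reloading filter
Nov 15 13:20:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
Nov 15 13:20:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
"""

# BSD syslog line: "Mon DD HH:MM:SS host process[pid]: message"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")

def parse_events(log_text):
    """Extract the three events that make up one gateway-change reload cycle."""
    events = []  # (timestamp, kind, gateway-or-None)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # year-less, fine for gaps
        proc, msg = m.group(3), m.group(4)
        if proc == "check_reload_status" and msg.startswith("updating dyndns "):
            events.append((ts, "dyndns", msg.split()[-1]))
        elif proc == "check_reload_status" and msg == "Restarting ipsec tunnels":
            events.append((ts, "ipsec_restart", None))
        elif "/rc.newipsecdns" in msg and "endpoints has changed its IP" in msg:
            events.append((ts, "endpoint_refresh", None))
    return events

def analyse(log_text, window_minutes=60, threshold=3):
    """Summarise churn: counts, driving gateway, gaps between dyndns updates, and clustering."""
    events = parse_events(log_text)
    dyndns = [ts for ts, kind, _ in events if kind == "dyndns"]
    restarts = [ts for ts, kind, _ in events if kind == "ipsec_restart"]
    # Flag when `threshold` consecutive IPsec restarts fall inside `window_minutes` (assumed defaults).
    flapping = any(restarts[i + threshold - 1] - restarts[i] <= timedelta(minutes=window_minutes)
                   for i in range(len(restarts) - threshold + 1))
    return {
        "counts": dict(Counter(kind for _, kind, _ in events)),
        "gateways": sorted({gw for _, kind, gw in events if kind == "dyndns"}),
        "dyndns_gaps_s": [int((b - a).total_seconds()) for a, b in zip(dyndns, dyndns[1:])],
        "flapping": flapping,
    }
```

A steady gap list (600 s here) with every dyndns update followed by an IPsec restart points at the gateway monitor declaring an address change, rather than at the ADSL line itself.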

      dnauk

        I may have found my problem… looking like apinger and the Draytek router.

        I'll report back if no avail.

        Cheers
