Tunnel not stable



  • Hi All,

    I'm hoping someone can shed some light on this for me please…

    I've a pfSense instance in a DC. It has 10 IPSec tunnels 3 of which talk to another pfSense box. 1 of these pfSense to pfSense keeps dropping, from a couple of times a day to going nearly a week.

    I'm trying to bottom this out. It has its own public IP and its gateway is a Draytek ADSL2+ router. Tunnel details are the same at both ends.

    It has dropped twice today :-\ Attached is more info and IPSec config.

    System log on Problem site shows this every 10mins or so

    Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
    Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
    Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting OpenVPN tunnels/interfaces
    Nov 15 13:10:14 EPOSFirewall check_reload_status: Reloading filter
    Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
    Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
    Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting OpenVPN tunnels/interfaces
    Nov 15 13:10:14 EPOSFirewall check_reload_status: Reloading filter
    Nov 15 13:10:31 EPOSFirewall php-fpm[71723]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Nov 15 13:10:31 EPOSFirewall check_reload_status: Reloading filter
    Nov 15 13:10:31 EPOSFirewall php-fpm[79349]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Nov 15 13:10:31 EPOSFirewall check_reload_status: Reloading filter

    IPSec on problem log shows this every 10mins or so

    Nov 15 13:10:14 EPOSFirewall charon: 06[IKE] <con1000|39>sending DPD request
    Nov 15 13:10:14 EPOSFirewall charon: 06[ENC] <con1000|39>generating INFORMATIONAL_V1 request 1811332492 [ HASH N(DPD) ]
    Nov 15 13:10:14 EPOSFirewall charon: 06[NET] <con1000|39>sending packet: from SITE-IP[500] to DC-IP[500] (92 bytes)
    Nov 15 13:10:14 EPOSFirewall charon: 06[NET] <con1000|39>received packet: from DC-IP[500] to SITE-IP[500] (92 bytes)
    Nov 15 13:10:14 EPOSFirewall charon: 06[ENC] <con1000|39>parsed INFORMATIONAL_V1 request 1110810945 [ HASH N(DPD_ACK) ]
    Nov 15 13:10:24 EPOSFirewall charon: 06[NET] <con1000|39>received packet: from DC-IP[500] to SITE-IP[500] (92 bytes)
    Nov 15 13:10:24 EPOSFirewall charon: 06[ENC] <con1000|39>parsed INFORMATIONAL_V1 request 2524086590 [ HASH N(DPD) ]
    Nov 15 13:10:24 EPOSFirewall charon: 06[ENC] <con1000|39>generating INFORMATIONAL_V1 request 1163655834 [ HASH N(DPD_ACK) ]
    Nov 15 13:10:24 EPOSFirewall charon: 06[NET] <con1000|39>sending packet: from SITE-IP[500] to DC-IP[500] (92 bytes)
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading secrets
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG]  loaded IKE secret for %any DC-IP
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: unroute 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: shunt policy 'bypasslan' uninstalled
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
    Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] received stroke: delete connection 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] deleted connection 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: unroute 'con1000'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: configuration 'con1000' unrouted
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
    Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] received stroke: delete connection 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] deleted connection 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: add connection 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] added configuration 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 12[CFG] received stroke: route 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'bypasslan' shunt PASS policy installed
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: add connection 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] added configuration 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 12[CFG] received stroke: route 'con1000'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'con1000' routed
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading secrets
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG]  loaded IKE secret for %any DC-IP
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
    Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: unroute 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: shunt policy 'bypasslan' uninstalled
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: delete connection 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] deleted connection 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] received stroke: unroute 'con1000'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: configuration 'con1000' unrouted
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: delete connection 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] deleted connection 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] received stroke: add connection 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] added configuration 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: route 'bypasslan'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'bypasslan' shunt PASS policy installed
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: add connection 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] added configuration 'con1000'
    Nov 15 13:10:31 EPOSFirewall charon: 05[CFG] received stroke: route 'con1000'
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'con1000' routed
    Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:

    Whatever causes the tunnel to die, it doesn't come back up within 5 mins, so by that time I'm dialed back in and hitting reconnect. (The tunnel shows it's up though, yet I can't ping across it.)

    Also I'm using PRTG to monitor the ping on the gateway, the ADSL line is stable and doesn't drop.

    My other 2 pfSense boxes which connect via PPPoE don't show all this chatter and IPsec reloading…

    Any help much appreciated!!

    Cheers
    Dave.
    ![pf @ DC.PNG](/public/imported_attachments/1/pf @ DC.PNG)
    ![pf @ ProblemSite.PNG](/public/imported_attachments/1/pf @ ProblemSite.PNG)
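    As an added example (not from the post or from pfSense itself), a small Python script that parses system-log lines like the ones above, pairs each `updating dyndns GW_WAN` gateway event with the `Restarting ipsec tunnels` line that follows it, and reports how often the tunnel is being torn down by gateway-monitor activity rather than by IKE; the sample log is constructed and the year is assumed.

    ```python
    """Spot gateway-triggered IPsec reloads in pfSense system logs."""
    import re
    from datetime import datetime, timedelta

    # Constructed sample, modelled on the lines quoted in the post (year is assumed).
    SAMPLE_LOG = """\
    Nov 15 13:00:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
    Nov 15 13:00:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
    Nov 15 13:00:31 EPOSFirewall php-fpm[71723]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
    Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
    Nov 15 13:10:31 EPOSFirewall php-fpm[79349]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Nov 15 13:20:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
    Nov 15 13:20:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
    Nov 15 13:45:02 EPOSFirewall charon: 06[IKE] <con1000|39> sending DPD request
    """

    LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

    def parse(log_text, year=2017):
        """Return (timestamp, message) tuples; syslog lines carry no year, so one is assumed."""
        events = []
        for line in log_text.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(3)))
        return events

    def gateway_reloads(events, window=timedelta(seconds=5)):
        """Timestamps of gateway events that were followed by an IPsec restart within `window`."""
        reloads = []
        for i, (ts, msg) in enumerate(events):
            if "updating dyndns" not in msg:
                continue
            for ts2, msg2 in events[i + 1:i + 6]:  # only look a few lines ahead
                if "Restarting ipsec tunnels" in msg2 and ts2 - ts <= window:
                    reloads.append(ts)
                    break
        return reloads

    def intervals_minutes(reloads):
        """Minutes between consecutive gateway-triggered reloads (the post sees ~10)."""
        return [round((b - a).total_seconds() / 60) for a, b in zip(reloads, reloads[1:])]

    def flapping(reloads, window=timedelta(hours=1), threshold=2):
        """True when more than `threshold` reloads fall inside any sliding `window`."""
        return any(sum(1 for t in reloads[i:] if t - start <= window) > threshold
                   for i, start in enumerate(reloads))
    ```

    A steady cadence of reloads with the WAN itself staying up (as the PRTG ping history shows here) points at the gateway monitor, not the peer, so the fix belongs on the monitoring side rather than in the phase 1/phase 2 settings.
    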



  • I may have found my problem… looking like apinger and the Draytek router.

    I'll report back if no avail.

    Cheers

