Tunnel not stable

dnauk

Hi All,

I'm hoping someone can shed some light on this for me please…

I've a pfSense instance in a DC. It has 10 IPSec tunnels 3 of which talk to another pfSense box. 1 of these pfSense to pfSense keeps dropping, from a couple of times a day to going nearly a week.

I'm trying to bottom this out. It has its own public IP and its gateway is a Draytek ADSL2+ router. Tunnel details are the same at both ends.

it has dropped twice today  :-\ attached is more info and IPSec config.

System log on Problem site shows this every 10mins or so

Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting OpenVPN tunnels/interfaces
Nov 15 13:10:14 EPOSFirewall check_reload_status: Reloading filter
Nov 15 13:10:14 EPOSFirewall check_reload_status: updating dyndns GW_WAN
Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting ipsec tunnels
Nov 15 13:10:14 EPOSFirewall check_reload_status: Restarting OpenVPN tunnels/interfaces
Nov 15 13:10:14 EPOSFirewall check_reload_status: Reloading filter
Nov 15 13:10:31 EPOSFirewall php-fpm[71723]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Nov 15 13:10:31 EPOSFirewall check_reload_status: Reloading filter
Nov 15 13:10:31 EPOSFirewall php-fpm[79349]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Nov 15 13:10:31 EPOSFirewall check_reload_status: Reloading filter

IPSec on problem log shows this every 10mins or so

Nov 15 13:10:14 EPOSFirewall charon: 06[IKE] <con1000|39>sending DPD request
Nov 15 13:10:14 EPOSFirewall charon: 06[ENC] <con1000|39>generating INFORMATIONAL_V1 request 1811332492 [ HASH N(DPD) ]
Nov 15 13:10:14 EPOSFirewall charon: 06[NET] <con1000|39>sending packet: from SITE-IP[500] to DC-IP[500] (92 bytes)
Nov 15 13:10:14 EPOSFirewall charon: 06[NET] <con1000|39>received packet: from DC-IP[500] to SITE-IP[500] (92 bytes)
Nov 15 13:10:14 EPOSFirewall charon: 06[ENC] <con1000|39>parsed INFORMATIONAL_V1 request 1110810945 [ HASH N(DPD_ACK) ]
Nov 15 13:10:24 EPOSFirewall charon: 06[NET] <con1000|39>received packet: from DC-IP[500] to SITE-IP[500] (92 bytes)
Nov 15 13:10:24 EPOSFirewall charon: 06[ENC] <con1000|39>parsed INFORMATIONAL_V1 request 2524086590 [ HASH N(DPD) ]
Nov 15 13:10:24 EPOSFirewall charon: 06[ENC] <con1000|39>generating INFORMATIONAL_V1 request 1163655834 [ HASH N(DPD_ACK) ]
Nov 15 13:10:24 EPOSFirewall charon: 06[NET] <con1000|39>sending packet: from SITE-IP[500] to DC-IP[500] (92 bytes)
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading secrets
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG]  loaded IKE secret for %any DC-IP
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Nov 15 13:10:31 EPOSFirewall charon: 06[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: unroute 'bypasslan'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: shunt policy 'bypasslan' uninstalled
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] received stroke: delete connection 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] deleted connection 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: unroute 'con1000'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: configuration 'con1000' unrouted
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] received stroke: delete connection 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 16[CFG] deleted connection 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: add connection 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] added configuration 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 12[CFG] received stroke: route 'bypasslan'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'bypasslan' shunt PASS policy installed
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] received stroke: add connection 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] added configuration 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 12[CFG] received stroke: route 'con1000'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'con1000' routed
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading secrets
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG]  loaded IKE secret for %any DC-IP
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Nov 15 13:10:31 EPOSFirewall charon: 15[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: unroute 'bypasslan'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: shunt policy 'bypasslan' uninstalled
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: delete connection 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] deleted connection 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] received stroke: unroute 'con1000'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: configuration 'con1000' unrouted
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: delete connection 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] deleted connection 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] received stroke: add connection 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 08[CFG] added configuration 'bypasslan'
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: route 'bypasslan'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'bypasslan' shunt PASS policy installed
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] received stroke: add connection 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 10[CFG] added configuration 'con1000'
Nov 15 13:10:31 EPOSFirewall charon: 05[CFG] received stroke: route 'con1000'
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]: 'con1000' routed
Nov 15 13:10:31 EPOSFirewall ipsec_starter[26047]:</con1000|39></con1000|39></con1000|39></con1000|39></con1000|39></con1000|39></con1000|39></con1000|39></con1000|39>

Whatever causes the tunnel to die, it doesnt come back up within 5 mins so by that time im dialed back in and hitting reconnect. (the tunnel shows its up though, yet i cant ping across it)

Also I'm using PRTG to monitor the ping on the gateway, the ADSL line is stable and doesn't drop.

My other 2 pfSense boxes which connect via PPPoE dont show all this chatter and IPsec reloading…

Any help much appreciated!!

Cheers
Dave.

dnauk

I may have found my problem…looking like apinger and the draytek router.

I'll report back if no avail.

Cheers