Netgate Discussion Forum

Rekeying Issue with Draytek routers

IPsec
papa_joe, Jan 20, 2016, 7:19 AM

Hi.

I have some trouble with the IPsec connection between pfSense and DrayTek routers (2910, 2830, 2860, 2925). I have figured out that the rekeying after 3600s (defined on both sides) is the problem. pfSense begins sending the rekeying attempt about 900s before expiry, but the DrayTeks don't recognise it. After a few (3 or 5?) tries, the connection is reset and re-established. This results in 5s of packet loss for the clients.

Because of this, I changed the settings so that the DrayTek initiates the rekeying first. The DrayTeks start the rekeying about 300s before expiry. I have set the key lifetime to 3600s on the DrayTek and 4500s on pfSense. This works, but it is a strange workaround.

Are there any suggestions or knowledge about VPNs between pfSense and DrayTek out there?

What are the defaults of the rekeying parameters in pfSense? Can they be changed by me? The only thing I found in pfSense was to enable or disable the rekeying for the connection, but disabling the rekeying will also stop responding to the DrayTek rekeying attempts, so I left it switched on.

Need some help  ;)

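The timing described in the post above (pfSense starting roughly 900 s before expiry, the DrayTek roughly 300 s before, and the 3600 s versus 4500 s workaround) can be reasoned about with a small model of when each side starts rekeying. The following is an added example, not code from the thread or from either vendor. It assumes that pfSense leaves strongSwan's rekeying parameters at the strongSwan defaults (rekeymargin = 9 minutes, rekeyfuzz = 100 %, so rekeying starts at lifetime minus 540..1080 s) and that the DrayTek starts a fixed 300 s before expiry, which is the behaviour the post reports rather than a documented DrayTek setting. The scenarios at the bottom are constructed from the numbers in the post.

```python
"""Model of when two IPsec peers start rekeying a Security Association.

strongSwan (used by pfSense) starts rekeying at
    lifetime - rekeymargin - random(0 .. rekeymargin * rekeyfuzz)
so with the strongSwan defaults (rekeymargin = 9m, rekeyfuzz = 100 %) a 3600 s
SA is rekeyed somewhere between 2520 s and 3060 s into its life.  The DrayTek
side is modelled as starting a fixed 300 s before expiry, which is what the
thread reports observing; it is an assumption, not a documented DrayTek value.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Peer:
    name: str
    lifetime: int       # SA lifetime in seconds, as configured on this peer
    margin: int         # seconds before expiry at which rekeying may start
    fuzz: float = 0.0   # strongSwan rekeyfuzz as a fraction (1.0 == 100 %)

    def rekey_window(self) -> Tuple[int, int]:
        """(earliest, latest) SA age in seconds at which this peer starts rekeying."""
        latest = self.lifetime - self.margin
        earliest = self.lifetime - int(self.margin * (1 + self.fuzz))
        return earliest, latest


def first_initiator(a: Peer, b: Peer) -> Optional[str]:
    """Name of the peer that always initiates rekeying first, or None if the
    two rekey windows overlap (then it depends on the random fuzz)."""
    a_lo, a_hi = a.rekey_window()
    b_lo, b_hi = b.rekey_window()
    if a_hi < b_lo:
        return a.name
    if b_hi < a_lo:
        return b.name
    return None


def rekeys_before_peer_expiry(initiator: Peer, responder: Peer) -> bool:
    """True if the initiator always starts rekeying while the responder still
    holds the SA; otherwise the responder would tear the SA down first."""
    _, latest = initiator.rekey_window()
    return latest < responder.lifetime


def describe(pfsense: Peer, draytek: Peer) -> str:
    """One-line summary for a given pair of configurations."""
    first = first_initiator(pfsense, draytek)
    if first is None:
        return "rekey windows overlap: initiator depends on random fuzz"
    initiator = pfsense if first == pfsense.name else draytek
    other = draytek if first == pfsense.name else pfsense
    ok = rekeys_before_peer_expiry(initiator, other)
    lo, hi = initiator.rekey_window()
    return f"{first} always initiates (at {lo}..{hi} s); SA still valid on {other.name}: {ok}"


# Constructed scenarios taken from the numbers in the thread.
PFSENSE_3600 = Peer("pfSense", lifetime=3600, margin=540, fuzz=1.0)  # strongSwan defaults, assumed
PFSENSE_4500 = Peer("pfSense", lifetime=4500, margin=540, fuzz=1.0)  # the 4500 s workaround
DRAYTEK_3600 = Peer("DrayTek", lifetime=3600, margin=300)            # ~300 s before expiry, as observed

if __name__ == "__main__":
    print("both 3600 s:", describe(PFSENSE_3600, DRAYTEK_3600))
    print("workaround :", describe(PFSENSE_4500, DRAYTEK_3600))
```

With both sides at 3600 s, pfSense's window (2520..3060 s) lies entirely before the DrayTek's 3300 s, so pfSense always initiates and the DrayTek, which the post says ignores those attempts, lets the SA run out. With pfSense at 4500 s its earliest attempt moves to 3420 s, just 120 s after the DrayTek's 3300 s, which is why the workaround holds but is fragile: a pfSense lifetime of, say, 4200 s gives a window of 3120..3660 s that overlaps the DrayTek's and makes the initiator a coin toss.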
jonathanbaird, Mar 27, 2016, 11:42 AM

Glad I've come across this, as I'm running into exactly the same issue. I'm trying to create 6 VPN tunnels from DrayTek routers at multiple sites back to the pfSense firewall. It seems if you set the DrayTek to "Both" instead of "Dial Out" the connection stays up for longer, although I did notice the tunnel was down completely this morning.

Did you ever find a fix for this?

jonathanbaird, Mar 28, 2016, 7:55 PM (edited Mar 28, 2016, 8:02 PM)

"The only thing I found in pfSense was to enable or disable the rekeying for the connection, but disabling the rekeying will also stop responding to the DrayTek rekeying attempts, so I left it switched on."

This is not strictly true; looking at https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection, it states the following.

rekey = yes | no

whether a connection should be renegotiated when it is about to expire. The two ends need not agree, but while a value of no prevents the daemon from requesting renegotiation, it does not prevent responding to renegotiation requested from the other end, so no will be largely ineffective unless both ends agree on it. Also see reauth.

Based on this, I found that checking 'Disable Rekey' under 'Advanced Options' forces the DrayTek to handle the renegotiations for both Phase 1 and Phase 2, and everything runs fine. Not sure if this is fixed in pfSense 2.3, as this contains the upgrade to strongSwan 5.4.0.

Maybe this was a misconfiguration on my side; I'm not sure, and I've spent far too long working on it already, so as this works I'm leaving it as it is!  :)

jonathanbaird, Mar 30, 2016, 10:54 AM

I can confirm this is still an issue in 2.3-BETA  :( I suppose we will have to wait and see if DrayTek ever releases a firmware update for this…

papa_joe, Mar 30, 2016, 5:04 PM

Hi jonathanbaird,

sorry for the late response. I'll try to explain some things, but English is not my native language.  :-\

I know the wiki section you quote and hoped this would solve the problem, but it doesn't seem to work as proposed. When I disable the rekeying on pfSense, the DrayTek also does no rekeying for phase 1 or 2. Because of this I changed to my workaround as described.

I suspect I can't fully understand you. Does checking "disable rekeying" work for you, or not? If yes, what should be fixed in 2.3?

The DrayTek support is quite good, so I think with the right input they will keep an eye on the issue. But I can't tell them things I don't understand in detail myself.

So I hope we can figure out what's going wrong …

jonathanbaird, Mar 31, 2016, 11:06 AM (edited Mar 31, 2016, 11:51 AM)

Hi,

Thanks for your response. I am currently still working on this. I have managed to get a stable tunnel; however, the issue I am now facing is that there are multiple SPI entries in the Security Association Database (IPsec: SAD). I have created a new thread here.

https://forum.pfsense.org/index.php?topic=109044.0

"I suspect I can't fully understand you. Does checking "disable rekeying" work for you, or not? If yes, what should be fixed in 2.3?"

Yes, disabling rekeying forces the DrayTek to handle the rekeying; however, it causes an issue on the pfSense side, as it leaves a dormant SPI entry for the previous IPsec SA and the SAD just grows and grows.

Where are you up to with this on your side - have you managed to make any progress at all? I cannot believe that nobody has managed to successfully set up a stable IPsec VPN between a DrayTek Vigor and pfSense!  >:(

jonathanbaird, Apr 3, 2016, 10:50 PM

OK, after a good few days of banging my head against a wall I've got this working. If you're still struggling with this let me know and I'll gladly assist.

papa_joe, Apr 4, 2016, 6:09 AM

Sure, let's talk about it. I would be very interested.

jonathanbaird, Apr 4, 2016, 10:44 AM (edited Apr 4, 2016, 10:54 AM)

Ok. First things first: the DrayTek call direction MUST be set to 'Both'. No matter what I tried, I could not get this to work with it being 'Dial-Out'. You will also need to set the 'Idle Timeout' to 0, which will keep the tunnel up indefinitely. As the call direction is set to Both, make sure you fill in '3. Dial-In Settings' so the pfSense can renegotiate the tunnel where required. My phase 1 lifetime is set to 28800 seconds and my phase 2 lifetime is set to 3600 seconds.

On the pfSense, make sure that 'Key Exchange version' is set to 'V1'. I found that leaving this on 'Auto' broke the tunnel, as pfSense tried to reinitialize the tunnel using IKEv2 by default, and DrayTek only supports IKEv1. That's all I really needed to set on the pfSense side. Under 'Advanced Options' I have left both 'Disable Rekey' and 'Responder Only' unchecked but have 'Dead Peer Detection' enabled. My phase 1 lifetime is set to 28800 seconds and my phase 2 lifetime is set to 3600 seconds.

This setup does mean you need to bring the tunnel up manually; however, if either side receives any traffic for the remote network, either peer will be able to bring the tunnel up. Once the tunnel is up, it will remain stable regardless of whether or not any traffic passes through it.

This should fix the issue and you should have a stable VPN tunnel; you can check this by looking at the 'UpTime' on the DrayTek under 'VPN and Remote Access' > 'Connection Management' > 'UpTime'. My tunnel has been up for over 48 hours now, whereas previously this was disconnecting constantly.

If you're still struggling with this and are happy to provide me access to both a DrayTek and the pfSense, I am happy to take a look at this for you.

Hope this helps!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.