IPSec VPN Dropping / Reconnect Issues



  • Hi,

    When it comes to VPNs I am very much a newbie, so it may be a really simple fix or a configuration issue. I currently have an IPSec VPN setup between two sites, one running PFSense and the other is configured on a Draytek Router. The VPN generally is working great, except that we have a disconnect / reconnect issue.

    Symptoms:

    • VPN will drop typically once a day, sometimes twice, sometimes not at all (or I am not notified of it happening and am unaware)

    • There doesn’t seem to be a time frame pattern that is reliable enough to call a pattern.

    • The VPN will eventually re-establish by itself, on average in about 10 minutes, but there have been occasions where it can take 45 mins

    • When the VPN disconnects (I am usually at the PFSense location), I can log into PFSense and on the IPSec status page, I will notice the following: It will have a newly established connection, which the majority of the time counts up to 12 seconds and then starts counting from 0 again. While this is happening, the Draytek side will not be pingable. If I manually stop the connection in progress or the service, the connection retries and a similar behaviour happens again most of the time. In the instances where this does not happen, when manually restarted it will connect instantly, I will be able to ping the Draytek side and the connection will look like it's working, but then any amount of time from 0 - 180 seconds (but more often than not at the lower end of this timeframe) into the connection a second connection between the two sides shows up, and after 12 seconds one will fail and the ping/connection will drop, and I am once again left with a single connection looping up to 12 seconds with a failing ping. If I terminate either of these two connections the ping/connection will also drop.

    • The only time the reconnection works is if I see a single connection start and no second connection appears. As soon as a second appears it is guaranteed to drop within 12 seconds

    I do have a configuration setup on both VPN endpoints, which I suspect may be causing the reconnect issues as they may be fighting to both reconnect? But this doesn’t appear to be 100% correct in my eyes, as it appears that most of these simultaneous connection attempts are coming from the one side.

    Unsure if this is any help but I will sometimes receive the following summary information from the Draytek at the time of the issue. Usually it is 10 lines of the IKE_RELEASE, but either of the other two messages will show up once on occasion. This just may be email logs unrelated to the issue but triggered due to the quantity of connection attempts made.
    IKE_RELEASE VPN : L2L Dial-in, Profile index = 1, Name = MLHO-ARPS, ifno = 10
    DropVPN() VPN : L2L Dial-out, Profile index = 1, Name = MLHO-ARPS, ifno = 9
    DropVPN() VPN : L2L Dial-in, Profile index = 1, Name = MLHO-ARPS, ifno = 10

    Attached are my PFsense and Draytek configs, as well as screenshots of the issues happening

    PFSense Version information:
    2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:57:37 CDT 2015
    FreeBSD 10.1-RELEASE-p15

    ![Draytek - Config IKE PreSharedKey Button.png](/public/imported_attachments/1/Draytek - Config IKE PreSharedKey Button.png)
    ![Draytek - Config.png](/public/imported_attachments/1/Draytek - Config.png)
    ![Example Issue 1.png](/public/imported_attachments/1/Example Issue 1.png)
    ![Example Issue 2.png](/public/imported_attachments/1/Example Issue 2.png)
    ![Example Issue 3.png](/public/imported_attachments/1/Example Issue 3.png)
    ![Example No Issue - Working.png](/public/imported_attachments/1/Example No Issue - Working.png)
    ![PFSense Config Main.png](/public/imported_attachments/1/PFSense Config Main.png)
    ![PFSense Config Phase 1.png](/public/imported_attachments/1/PFSense Config Phase 1.png)
    ![PFSense Config Phase 2.png](/public/imported_attachments/1/PFSense Config Phase 2.png)
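
An added example, not part of the original post: a small parser for the Draytek summary lines quoted above that groups events per profile and reports whether the same profile appears in both the dial-in and dial-out direction, the situation the poster suspects. The regular expression is inferred only from the three lines in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines exactly as quoted in the post above (Draytek e-mail summary).
SAMPLE = """\
IKE_RELEASE VPN : L2L Dial-in, Profile index = 1, Name = MLHO-ARPS, ifno = 10
DropVPN() VPN : L2L Dial-out, Profile index = 1, Name = MLHO-ARPS, ifno = 9
DropVPN() VPN : L2L Dial-in, Profile index = 1, Name = MLHO-ARPS, ifno = 10
"""

# Assumption: the line layout matches these three samples; other firmware
# versions may format the summary differently.
LINE_RE = re.compile(
    r"^\s*(?P<event>\S+)\s+VPN\s*:\s*L2L\s+Dial-(?P<direction>in|out),\s*"
    r"Profile index\s*=\s*(?P<index>\d+),\s*Name\s*=\s*(?P<name>[^,]+?),\s*"
    r"ifno\s*=\s*(?P<ifno>\d+)\s*$"
)


def parse_events(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["index"] = int(e["index"])
            e["ifno"] = int(e["ifno"])
            events.append(e)
    return events


def summarize(events):
    """Per (profile index, name): event counts by direction, and a flag that is
    True when the profile was seen as both dial-in and dial-out."""
    acc = defaultdict(lambda: {"in": defaultdict(int), "out": defaultdict(int)})
    for e in events:
        acc[(e["index"], e["name"])][e["direction"]][e["event"]] += 1
    return {
        profile: {
            "in": dict(d["in"]),
            "out": dict(d["out"]),
            "both_directions": bool(d["in"]) and bool(d["out"]),
        }
        for profile, d in acc.items()
    }


if __name__ == "__main__":
    for profile, info in summarize(parse_events(SAMPLE)).items():
        print(profile, info)
```
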