IPSec tunnel will be reconnected every day



  • Dear all,

    we have established a site-to-site connection between two locations over an IPSec tunnel.
    On both sites, we use a pfSense firewall with the latest version, 2.2.6.

    Since we updated both pfSense firewalls to version 2.2.6, the IPSec tunnel
    gets disconnected every morning and reconnects automatically after
    a few minutes.

    We haven't changed anything in the configuration on either pfSense firewall,
    and this issue didn't occur with previous versions of pfSense.

    I suspect that the new version of the pfSense firewall has a bug. Does
    anyone have a solution for that?

    Here is an excerpt from the system logs of our firewalls:

    Feb 15 01:50:03 check_reload_status: Reloading filter
    Feb 15 01:50:03 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 15 01:50:03 check_reload_status: Restarting ipsec tunnels
    Feb 15 01:50:03 check_reload_status: updating dyndns GATEWAY

    Thanks in advance for your help and best regards,
    Niklas



  • Did you check the lifetime of your VPN tunnel in Phase 1 and Phase 2?



  • Hi jameelzzz,

    Thanks for your response.

    Both firewalls have the same lifetimes in Phase 1 and Phase 2:

    Phase 1: 28800 seconds
    Phase 2: 3600 seconds

    But we had these lifetimes defined before the update to version 2.2.6 as well,
    and the IPSec tunnel worked like a charm. Any other ideas?

    Thanks in advance and best regards,
    Niklas



  • As far as I know, this lifetime is the idle time until the VPN disconnects, so maybe when you upgraded, some of the traffic which flows through the VPN and keeps it alive was stopped somehow.

    I'm not sure if this is the reason, and I really have no more ideas :)



  • As far as I know, there is a difference between the lifetime of Phase 1 and Phase 2.

    The lifetime in Phase 1 specifies the time period for the Phase 1 connection.
    The lifetime in Phase 2 specifies the time period for the negotiated keys.

    I don't think that the problem comes from the traffic during the upgrade.
    The reconnect of the IPSec tunnel happens first on location 1 and a few
    hours later on location 2.

    In addition, we haven't changed anything in the configuration on either firewall.

    Does anyone have another idea to solve this issue?

    Currently our only option is to wait for a new pfSense version and to
    hope that the issue is solved after the upgrade. We are also thinking about
    downgrading the pfSense version again…



  • I've been having a similar problem since upgrading to the latest version. In my case though I have to reconnect it manually. It was fine on 2.2.5 and nothing has changed.



  • Hi dboe732,

    our IPSec connection reconnects automatically.

    Does nobody have an idea to solve the issue?
    Or does someone know when the next version
    of pfSense will be published?

    Thanks in advance.



  • The logs in your first post make it look like that happens after your WAN IP changes, or maybe just a WAN reconnection or renewal. Is that the case?



  • Hi cmb,

    first of all, thanks for your response.

    We have static public IP addresses, which have not been changed.

    But I have found the following entries in the gateway log on both pfSense firewalls:

    Feb 19 10:35:03 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
    Feb 19 10:34:54 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
    Feb 19 07:02:50 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
    Feb 19 07:02:41 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
    Feb 18 15:24:25 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
    Feb 18 15:24:23 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
    Feb 18 15:20:55 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
    Feb 18 15:19:44 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
    Feb 18 13:04:33 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
    Feb 18 13:04:24 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
    Feb 18 12:31:08 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
    Feb 18 12:30:03 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
    Feb 18 11:49:13 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
    Feb 18 11:18:36 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***

    Could it be that the public IP addresses get a new lease from the provider, which causes
    the connection issues?

    Thanks in advance.



  • Sorry for jumping in here, but something is not really clear to me, based on the log files and statements.

    Feb 15 01:50:03 check_reload_status: Restarting OpenVPN tunnels/interfaces

    So OpenVPN is used here in that case.

    Feb 15 01:50:03 check_reload_status: Restarting ipsec tunnels

    Is OpenVPN using an IPSec tunnel here? Normally, as I know it, you would be using either OpenVPN or IPSec;
    is this right or am I wrong about this?

    Feb 15 01:50:03 check_reload_status: updating dyndns GATEWAY

    And if a static public IP address is in use, why use DynDNS?

    Sorry for these noob questions, but I am really interested in this case.



  • Hi BlueKobold,

    we don't use OpenVPN on pfSense. We only use IPSec.
    I don't know why it is displayed in the logs.

    The same goes for the gateway. We have a static public IP address
    and don't use a DynDNS gateway.



  • we don't use OpenVPN on pfSense. We only use IPSec.
    I don't know why it is displayed in the logs.

    The same goes for the gateway. We have a static public IP address
    and don't use a DynDNS gateway.

    Oh ok, thank you for providing this information. I was a little bit confused by these entries and was
    not really sure what to make of them; thanks again for the clarification.

    I have another one for you: you were telling us that everything, including the VPN connections,
    was running fine before upgrading to a higher pfSense version, is this right? Perhaps,
    and only perhaps, you or somebody else made custom setup entries, and after
    the update or upgrade was done all files were rewritten and these custom settings were
    gone. And now the setup is not working properly because the custom entries are not there.

    Could this be?



  • No problem BlueKobold. Thanks for your response.

    Yes, you are right. Before the upgrade to version 2.2.6,
    pfSense was fine. We only upgraded pfSense
    to the latest version, but didn't change anything in the configuration.

    After the upgrade, the IPSec tunnel was disconnected every two
    days in the morning, and the gateway detection also had
    a delay.

    Now I am trying to find out whether the latest version of pfSense has a bug
    or the ISP's modem is defective. But I still think that
    pfSense has a bug, because the IPSec issue did not occur
    in previous versions.

    Does anyone have the same issue with IPSec in the latest version?



  • Hi,

    in my log it looks the same: apinger warns with a delay when there is high throughput on the WAN, and
    IPsec also restarts on an apinger delay but comes up again.

    regards max



  • Hi Max,

    Thanks for your reply.

    Do you also have these issues with version 2.2.6?
    If yes, it would be interesting to know how you
    fixed it.

    Thanks and best regards,
    Niklas



  • Hi FCNiklas,

    yes, running on 2.2.6. For me it's not a big problem because I use the IPsec tunnel very little.

    I think the problem will be gone if you go to
    System: Gateways: Edit gateway
    and check Disable Gateway Monitoring  <- if not required because of a fixed WAN IP & no failover gateway

    or

    tune the "Advanced" parameters

    regards

    max



  • Hi Max,

    thanks for the information.

    I have checked both pfSense firewalls and found out that
    the option "Disable Gateway Monitoring" is not checked on
    either firewall.

    If I understand it correctly, the option only means that the
    WAN IP will not be monitored anymore. That would be a workaround
    to get rid of the warnings in the system logs, but the issue would not be fixed
    by this.

    Also, what do you mean by tuning the "Advanced" parameters?

    Thanks for your help in advance.

    Best regards,
    Niklas



  • Is MSS clamping enabled in the IPSec VPN settings?



  • Hi BlueKobold,

    no, MSS clamping is not enabled on either pfSense firewall.

    Does it have something to do with the restart of the IPsec service?

    It seems that the IPsec tunnel restarts more often than before.

    Here are the gateway logs again:

    Feb 29 04:08:35 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
    Feb 29 04:08:25 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
    Feb 29 04:03:02 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
    Feb 29 04:02:52 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
    Feb 28 22:34:14 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
    Feb 28 22:34:04 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
    Feb 28 21:43:20 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
    Feb 28 21:43:10 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
    Feb 28 21:38:28 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
    Feb 28 21:38:19 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***

    … and the general logs:

    Feb 29 04:08:52 php-fpm[87448]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 29 04:08:47 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 29 04:08:45 check_reload_status: Reloading filter
    Feb 29 04:08:45 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 29 04:08:45 check_reload_status: Restarting ipsec tunnels
    Feb 29 04:08:45 check_reload_status: updating dyndns GATEWAY
    Feb 29 04:08:37 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 29 04:08:35 check_reload_status: Reloading filter
    Feb 29 04:08:35 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 29 04:08:35 check_reload_status: Restarting ipsec tunnels
    Feb 29 04:08:35 check_reload_status: updating dyndns GATEWAY
    Feb 29 04:03:29 php-fpm[31063]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 29 04:03:28 check_reload_status: Reloading filter
    Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 29 04:03:20 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 29 04:03:19 check_reload_status: Reloading filter
    Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 29 04:03:14 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 29 04:03:12 check_reload_status: Reloading filter
    Feb 29 04:03:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 29 04:03:12 check_reload_status: Restarting ipsec tunnels
    Feb 29 04:03:12 check_reload_status: updating dyndns GATEWAY
    Feb 29 04:03:04 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 29 04:03:02 check_reload_status: Reloading filter
    Feb 29 04:03:02 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 29 04:03:02 check_reload_status: Restarting ipsec tunnels
    Feb 29 04:03:02 check_reload_status: updating dyndns GATEWAY
    Feb 28 22:34:41 php-fpm[84783]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 28 22:34:40 check_reload_status: Reloading filter
    Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 28 22:34:32 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 28 22:34:31 check_reload_status: Reloading filter
    Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 28 22:34:26 php-fpm[83939]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 22:34:24 check_reload_status: Reloading filter
    Feb 28 22:34:24 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 28 22:34:24 check_reload_status: Restarting ipsec tunnels
    Feb 28 22:34:24 check_reload_status: updating dyndns GATEWAY
    Feb 28 22:34:17 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 22:34:14 check_reload_status: Reloading filter
    Feb 28 22:34:14 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 28 22:34:14 check_reload_status: Restarting ipsec tunnels
    Feb 28 22:34:14 check_reload_status: updating dyndns GATEWAY
    Feb 28 21:43:47 php-fpm[79683]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 28 21:43:46 check_reload_status: Reloading filter
    Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 28 21:43:38 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 28 21:43:37 check_reload_status: Reloading filter
    Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 28 21:43:32 php-fpm[78791]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:43:30 check_reload_status: Reloading filter
    Feb 28 21:43:30 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 28 21:43:30 check_reload_status: Restarting ipsec tunnels
    Feb 28 21:43:30 check_reload_status: updating dyndns GATEWAY
    Feb 28 21:43:22 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:43:20 check_reload_status: Reloading filter
    Feb 28 21:43:20 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 28 21:43:20 check_reload_status: Restarting ipsec tunnels
    Feb 28 21:43:20 check_reload_status: updating dyndns GATEWAY
    Feb 28 21:38:56 php-fpm[32154]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 28 21:38:55 check_reload_status: Reloading filter
    Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 28 21:38:47 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
    Feb 28 21:38:46 check_reload_status: Reloading filter
    Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
    Feb 28 21:38:41 php-fpm[30309]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:38:38 check_reload_status: Reloading filter
    Feb 28 21:38:38 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 28 21:38:38 check_reload_status: Restarting ipsec tunnels
    Feb 28 21:38:38 check_reload_status: updating dyndns GATEWAY
    Feb 28 21:38:31 php-fpm[89447]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
    Feb 28 21:38:29 check_reload_status: Reloading filter
    Feb 28 21:38:29 check_reload_status: Restarting OpenVPN tunnels/interfaces
    Feb 28 21:38:29 check_reload_status: Restarting ipsec tunnels
    Feb 28 21:38:29 check_reload_status: updating dyndns GATEWAY

    It's a very strange issue, and it is inexplicable to me what causes it,
    because we haven't changed anything in the configuration of the IPSec settings.

    Thanks in advance and best regards,
    Niklas
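
The two log excerpts in the post above line up exactly: each "Restarting ipsec tunnels" event sits 10 to 20 seconds after an apinger ALARM, which is the pattern cmb and Max were pointing at (gateway monitoring flagging the WAN gateway as delayed or down, followed by the filter reload that also restarts IPsec). Checking that by eye across weeks of logs is error-prone, so here is an added example that does it mechanically. It is not code from the thread or from pfSense. It takes the posted gateway and system log lines as constructed sample data (with one invented restart at Feb 28 12:00:00 added so the unexplained case is visible), assumes the year 2016 because the posts omit the year and Feb 29 needs a leap year, and treats a restart as gateway-triggered if an ALARM occurred within 60 seconds before it; the window and all function names are choices made for this example. It also picks out the `i_dont_care_about_security_and_use_aggressive_mode_psk` warning from the same log, which deserves attention independently of the restart problem: with IKEv1 aggressive mode and a pre-shared key, the responder's PSK-derived hash is transmitted unencrypted, so a captured exchange allows an offline dictionary attack against the PSK.

```python
"""Correlate pfSense gateway-monitor (apinger) alarms with IPsec tunnel restarts.

Added example for this thread, not pfSense's own code. It reads the two log
excerpts posted above (copied here as constructed sample data) and answers the
question the thread circles around: does every "Restarting ipsec tunnels" event
follow an apinger ALARM closely enough to have been caused by gateway monitoring?
It also flags the aggressive-mode PSK warning that rc.newipsecdns writes.
"""
import re
from datetime import datetime, timedelta

# Assumption: the posted lines carry no year. Feb 29 exists only in a leap
# year, so 2016 is assumed here.
LOG_YEAR = 2016

# Constructed sample: the gateway log lines exactly as posted in the thread.
GATEWAY_LOG = """\
Feb 29 04:08:35 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:08:25 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:03:02 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:02:52 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 22:34:14 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 22:34:04 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:43:20 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:43:10 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:28 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:19 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
"""

# Constructed sample: the "Restarting ipsec tunnels" lines and one aggressive-mode
# warning from the posted system log, plus one INVENTED restart at Feb 28 12:00:00
# with no alarm anywhere near it, to show how an unexplained restart is reported.
SYSTEM_LOG = """\
Feb 29 04:08:45 check_reload_status: Restarting ipsec tunnels
Feb 29 04:08:35 check_reload_status: Restarting ipsec tunnels
Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 29 04:03:12 check_reload_status: Restarting ipsec tunnels
Feb 29 04:03:02 check_reload_status: Restarting ipsec tunnels
Feb 28 22:34:24 check_reload_status: Restarting ipsec tunnels
Feb 28 22:34:14 check_reload_status: Restarting ipsec tunnels
Feb 28 21:43:30 check_reload_status: Restarting ipsec tunnels
Feb 28 21:43:20 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:38 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:29 check_reload_status: Restarting ipsec tunnels
Feb 28 12:00:00 check_reload_status: Restarting ipsec tunnels
"""

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) +([^:]+): (.*)$")
GATEWAY_RE = re.compile(r"^(ALARM|alarm canceled): (.+?) \*\*\* (\w+) \*\*\*$")
AGGRESSIVE_MARKER = "i_dont_care_about_security_and_use_aggressive_mode_psk"
RESTART_MSG = "Restarting ipsec tunnels"


def parse_line(line, year=LOG_YEAR):
    """Split a BSD-syslog style line into (timestamp, program, message), or None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    mon, day, clock, prog, msg = m.groups()
    ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    return ts, prog, msg


def gateway_alarms(text, year=LOG_YEAR):
    """apinger ALARM onsets as (timestamp, gateway, kind), oldest first.
    kind is the word between the asterisks: delay, down or loss."""
    onsets = []
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None or parsed[1] != "apinger":
            continue
        m = GATEWAY_RE.match(parsed[2])
        if m and m.group(1) == "ALARM":
            onsets.append((parsed[0], m.group(2), m.group(3)))
    return sorted(onsets)


def ipsec_restarts(text, year=LOG_YEAR):
    """Timestamps of check_reload_status 'Restarting ipsec tunnels', oldest first."""
    parsed = (parse_line(l, year) for l in text.splitlines())
    return sorted(p[0] for p in parsed
                  if p and p[1] == "check_reload_status" and p[2] == RESTART_MSG)


def correlate(gateway_text, system_text, window=timedelta(seconds=60), year=LOG_YEAR):
    """For each IPsec restart, find the latest apinger ALARM within `window` before it.
    Returns dicts with the restart time, the triggering alarm (or None) and the gap
    in seconds; alarm None means the restart needs some other explanation."""
    alarms = gateway_alarms(gateway_text, year)
    results = []
    for restart in ipsec_restarts(system_text, year):
        trigger = None
        for alarm in alarms:            # sorted ascending, so the last hit is the latest
            if alarm[0] > restart:
                break
            if restart - alarm[0] <= window:
                trigger = alarm
        gap = int((restart - trigger[0]).total_seconds()) if trigger else None
        results.append({"restart": restart, "alarm": trigger, "gap_s": gap})
    return results


def aggressive_mode_warnings(text, year=LOG_YEAR):
    """Timestamps of the rc.newipsecdns aggressive-mode PSK warning. In IKEv1
    aggressive mode the responder's PSK-derived hash travels unencrypted, so a
    captured exchange allows an offline dictionary attack on the PSK."""
    parsed = (parse_line(l, year) for l in text.splitlines())
    return sorted(p[0] for p in parsed if p and AGGRESSIVE_MARKER in p[2])


def report(gateway_text, system_text):
    """Human-readable summary of correlate() plus any security findings."""
    lines = []
    for r in correlate(gateway_text, system_text):
        when = r["restart"].strftime("%b %d %H:%M:%S")
        if r["alarm"]:
            ts, gw, kind = r["alarm"]
            lines.append(f"{when} IPsec restart <- {kind} ALARM on {gw} at {ts:%H:%M:%S} (+{r['gap_s']}s)")
        else:
            lines.append(f"{when} IPsec restart <- no gateway alarm in the preceding 60 s")
    hits = aggressive_mode_warnings(system_text)
    if hits:
        lines.append(f"SECURITY: aggressive-mode PSK warning logged {len(hits)} time(s); "
                     "move phase 1 to main mode")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(GATEWAY_LOG, SYSTEM_LOG))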



  • Not installing NAT reflection rules for a port range > 500

    Something is trying to get from the internal LAN through the WAN interface to connect to
    DMZ- or LAN-homed servers, and there are no rules for NAT reflection (hairpin NAT);
    could this be a problem too?

    IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.

    Is there perhaps something in the other LAN, like an enabled DHCP server, that is giving
    new IP addresses to servers or other devices that should rather have static IP addresses?