IPSec tunnel will be reconnected every day

FCNiklas

Dear all,

we have established a site-to-site connection between two locations over an IPSec tunnel.
On both sites, we use a PFSense firewall with the latest version 2.2.6.

Since we have updated both PFSense firewalls to version 2.2.6, the IPSec tunnel
will be disconnected every morning and will be reconnected automatically after
some minutes.

We haven't changed anything at the configuration on both PFSense firewalls
and this issue didn't occur with previous versions of the PFSense.

I suspect that the new version of the PFSense firewall has a bug. Does
anyone have a solution for that?

There you will find an except from the system logs of our firewalls:

Feb 15 01:50:03 check_reload_status: Reloading filter
Feb 15 01:50:03 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 15 01:50:03 check_reload_status: Restarting ipsec tunnels
Feb 15 01:50:03 check_reload_status: updating dyndns GATEWAY

Thanks in advance for you help and best regards,
Niklas

jameelzzz

Did you check the lifetime of your VPN tunnel ?? in Phase1 and Phase2 ?

FCNiklas

Hi jameelzzz,

Thanks for your response.

Both firewalls have the same lifetimes in Phase 1 and Phase 2:

Phase 1: 28800 seconds
Phase 2: 3600 seconds

But before the update to version 2.2.6, we have also defined these lifetimes
and the IPSec tunnel worked like a charm. Any other idea?

Thanks in advance and best regards,
Niklas

jameelzzz

As I know, this lifetime is the idle time until the VPN will disconnect, so maybe when you upgraded, some of the traffic which flow through the VPN and keep it alive was stopped somehow.

I'm not sure it this is the reason, and I have really no more ideas :)

FCNiklas

So far as i know, is there difference between the lifetime of Phase 1 and Phase 2.

The lifetime in Phase 1 specifies the time period for the build of Phase 1.
The lifetime in Phase 2 specifies the time period for the negotiated keys.

I don't think that the problem comes from the traffic during the upgrade.
The reconnect of the IPSec tunnel happens at first on location 1 and few
hours later on location 2.

In addition we haven't changed anything at the configuration on both firewalls.

Does anyone has another idea to solve this issue?

Currently we have only the possibility to wait for a new PFSense version and to
hope that the issue was solved after upgrade. We also think about to downgrade
the PFSense version again…

dboe732

i've been having similar problem since upgrading the latest version. In my case though i have to reconnect it manually. was fine on 2.2.5 and nothing has changed

FCNiklas

Hi dboe732,

our IPSec connection will reconnect automatically.

Has nobody an idea to solve the issue?
Or does someone know, when the next version will be published
of the PFSense?

Thanks in advance.

cmb

The logs in your first post make it look like that happens after your WAN IP changes, or maybe just a WAN reconnection or renewal. Is that the case?

FCNiklas

Hi cmb,

thanks for your response at first.

We have static public ip addresses, which were not changed before.

But i have found the following entries in our Gateway log on both PFSense firewalls:

Feb 19 10:35:03 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
Feb 19 10:34:54 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
Feb 19 07:02:50 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
Feb 19 07:02:41 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
Feb 18 15:24:25 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
Feb 18 15:24:23 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
Feb 18 15:20:55 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
Feb 18 15:19:44 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
Feb 18 13:04:33 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** delay ***
Feb 18 13:04:24 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** delay ***
Feb 18 12:31:08 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
Feb 18 12:30:03 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***
Feb 18 11:49:13 apinger: alarm canceled: GATEWAY(XX.XX.XX.XX) *** down ***
Feb 18 11:18:36 apinger: ALARM: GATEWAY(XX.XX.XX.XX) *** down ***

Could it be that the public ip addresses gets a new lease time at the provider, which caused
the connection issues?

Thanks in advance.

Guest

Sorry for jumping in here but something is not really clear to me, based on the logfiles and statements.

Feb 15 01:50:03    check_reload_status: Restarting OpenVPN tunnels/interfaces

So OpenVPN is used here in that case

Feb 15 01:50:03    check_reload_status: Restarting ipsec tunnels

Is OpenVPN using here an IPSec tunnel? In normal as I know it, you will be using OpenVPn or IPSec,
is this right or am I wrong with this?

Feb 15 01:50:03    check_reload_status: updating dyndns GATEWAY

And if a public static IP address is there in use, why then using DynDNS?

Sorry for this nOOp questions, but I am interested in this case really.

FCNiklas

Hi BlueKobold,

we don't use OpenVPN on the PFSense. We only use IPSec.
I don't know, why it will be displayed in the logs.

The same is the gateway. We have a static public IP address
and don't use a dyndns gateway.

Guest

we don't use OpenVPN on the PFSense. We only use IPSec.
I don't know, why it will be displayed in the logs.

The same is the gateway. We have a static public IP address
and don't use a dyndns gateway.

Oh ok thank you for providing this information, I was a little bit confused on this entries and was
not really able what I should think on, thanks again for the clarification on this.

I have another one for you, you where telling us that all was running fine for you and also
the VPN connections before upgrading to a higher pfSense version, is this right? Perhaps,
only perhaps I mean you or somebody was doing or making custom set up entries and after
the update or upgrade was done all files was new written and this custom made settings were
gone. And now the set up is not really fine working because the custom entries are not there.

Could this be?

FCNiklas

No problem BlueKobold. Thanks for your response.

Yes you are right. Before the upgrade to version 2.2.6,
the PFSense was fine. We only have upgraded the PFSense
to the latest version, but didn't changed anything in the configuration.

After the upgrade the IPSec tunnel was disconnect every two
days in the morning and the detection of the gateway had also
a delay.

Now i try to find out, if the latest version of PFSense has a bug
or the modem of the ISP is defect. But i still think that the
PFSense has a bug, because the IPSec issue did not occur
in the versions before.

Has anyone the same issue with IPSec in the latest version?

MaxHeadroom

Hi,

in my log it's look the same, apinger warn with  delay when there is a high throuput on wan if
also ipsec restart on a aping delay but comes up again

regards max

FCNiklas

Hi Max,

Thanks for your reply.

Do you have this issues also with version 2.2.6?
If yes, it would be interesting to know how you
got it fixed.

Thanks and best regards,
Niklas

MaxHeadroom

Hi FCNiklas,

yes runnning  on 2.2.6. For me it's not a big problem because of using ipsec tunnel very less.

I think the problem will gone if
System: Gateways: Edit gateway
Disable Gateway Monitoring  <- if not required because of fixed wan ip & no failover gateway

or

tuning the parameters "Advanced"

regards

max

FCNiklas

Hi Max,

thanks for the information.

I have checked both PFSense firewalls and found out that
the option "Disable Gateway Monitoring" is not checked on
both Firewalls.

If i understand it correctly, the option only means that the
WAN IP will not be monitored again. That would be a workaround
to get no warnings in the system logs, but the issue would not fixed
by this.

What do you also mean with tuning the parameters "Advanced"?

Thanks for your help in advance.

Best regards,
Niklas

Guest

In the IPSec VPN settings is there enabled MSS clamping?

FCNiklas

Hi BlueKobold,

no MSS clamping is not enabled on both PFSense Firewalls.

Has it something to do with the restart of the ipscec service?

It seems that the ipsec tunnel restarts more than before.

Here are the gateway logs again:

Feb 29 04:08:35 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:08:25 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:03:02 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 29 04:02:52 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 22:34:14 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 22:34:04 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:43:20 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:43:10 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:28 apinger: alarm canceled: GATEWAY (PUBLIC IP) *** delay ***
Feb 28 21:38:19 apinger: ALARM: GATEWAY (PUBLIC IP) *** delay ***

… and the general logs:

Feb 29 04:08:52 php-fpm[87448]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 29 04:08:47 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:08:45 check_reload_status: Reloading filter
Feb 29 04:08:45 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:08:45 check_reload_status: Restarting ipsec tunnels
Feb 29 04:08:45 check_reload_status: updating dyndns GATEWAY
Feb 29 04:08:37 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:08:35 check_reload_status: Reloading filter
Feb 29 04:08:35 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:08:35 check_reload_status: Restarting ipsec tunnels
Feb 29 04:08:35 check_reload_status: updating dyndns GATEWAY
Feb 29 04:03:29 php-fpm[31063]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 29 04:03:28 check_reload_status: Reloading filter
Feb 29 04:03:28 php-fpm[31063]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 29 04:03:20 php-fpm[31351]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 29 04:03:19 check_reload_status: Reloading filter
Feb 29 04:03:19 php-fpm[28708]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 29 04:03:14 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:12 check_reload_status: Reloading filter
Feb 29 04:03:12 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:03:12 check_reload_status: Restarting ipsec tunnels
Feb 29 04:03:12 check_reload_status: updating dyndns GATEWAY
Feb 29 04:03:04 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 29 04:03:02 check_reload_status: Reloading filter
Feb 29 04:03:02 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 29 04:03:02 check_reload_status: Restarting ipsec tunnels
Feb 29 04:03:02 check_reload_status: updating dyndns GATEWAY
Feb 28 22:34:41 php-fpm[84783]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 22:34:40 check_reload_status: Reloading filter
Feb 28 22:34:40 php-fpm[84783]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 22:34:32 php-fpm[84984]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 22:34:31 check_reload_status: Reloading filter
Feb 28 22:34:31 php-fpm[81028]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 22:34:26 php-fpm[83939]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:24 check_reload_status: Reloading filter
Feb 28 22:34:24 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 22:34:24 check_reload_status: Restarting ipsec tunnels
Feb 28 22:34:24 check_reload_status: updating dyndns GATEWAY
Feb 28 22:34:17 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 22:34:14 check_reload_status: Reloading filter
Feb 28 22:34:14 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 22:34:14 check_reload_status: Restarting ipsec tunnels
Feb 28 22:34:14 check_reload_status: updating dyndns GATEWAY
Feb 28 21:43:47 php-fpm[79683]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:43:46 check_reload_status: Reloading filter
Feb 28 21:43:46 php-fpm[79683]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:43:38 php-fpm[79969]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:43:37 check_reload_status: Reloading filter
Feb 28 21:43:37 php-fpm[77158]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:43:32 php-fpm[78791]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:30 check_reload_status: Reloading filter
Feb 28 21:43:30 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:43:30 check_reload_status: Restarting ipsec tunnels
Feb 28 21:43:30 check_reload_status: updating dyndns GATEWAY
Feb 28 21:43:22 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:43:20 check_reload_status: Reloading filter
Feb 28 21:43:20 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:43:20 check_reload_status: Restarting ipsec tunnels
Feb 28 21:43:20 check_reload_status: updating dyndns GATEWAY
Feb 28 21:38:56 php-fpm[32154]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:38:55 check_reload_status: Reloading filter
Feb 28 21:38:55 php-fpm[32154]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:38:47 php-fpm[32862]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.
Feb 28 21:38:46 check_reload_status: Reloading filter
Feb 28 21:38:46 php-fpm[28538]: /rc.newipsecdns: IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.
Feb 28 21:38:41 php-fpm[30309]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:38 check_reload_status: Reloading filter
Feb 28 21:38:38 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:38:38 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:38 check_reload_status: updating dyndns GATEWAY
Feb 28 21:38:31 php-fpm[89447]: /rc.filter_configure_sync: Not installing NAT reflection rules for a port range > 500
Feb 28 21:38:29 check_reload_status: Reloading filter
Feb 28 21:38:29 check_reload_status: Restarting OpenVPN tunnels/interfaces
Feb 28 21:38:29 check_reload_status: Restarting ipsec tunnels
Feb 28 21:38:29 check_reload_status: updating dyndns GATEWAY

Its a very strange issue and it is inexplicable to me, what causes this issue,
because we haven't changed anything at the configuration of the IPSec settings.

Thanks in advance and best regards,
Niklas

Guest

Not installing NAT reflection rules for a port range > 500

Something is trying to get from the internal LAN through the WAN interface to connect in
the DMZ or LAN homed Servers and there are no rules for NAT reflection (Hairpin NAT)
could this be a problem too?

IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.

Is there in the other LAN perhaps something likes an enabled DHCP Server that is giving
new IP addresses to servers or other devices that should be sorted more with static IP addresses?