Dead Peer Detection



  • I don't know if everyone else has encountered this, but I recently had a problem where if one of my pfSense firewalls was restarted for whatever reason, the other pfSenses on the other ends of the VPN tunnels wouldn't recognise this. They would keep the old SA up and not negotiate any new ones, causing a failure to pass any traffic over the VPN. The only fix was to manually delete the entries from the SAD on these other firewalls so it would make a fresh tunnel again.

    After reading around a bit, I saw an option for the racoon.conf that would turn on Dead Peer Detection, and figured I'd give that a try. In /etc/inc/vpn.inc, after each line saying proposal_check obey;, I added a line dpd_delay 20;. Then restarted racoon on each firewall, restarted one of the firewalls on its own and found that it renegotiated the tunnels straight away!

    Anyway just a suggestion, I think this would be a useful option to add to pfSense.



  • Do you know if PfSense will overwrite your modifications if you change anything through the GUI?  I would love to implement this feature, but I am afraid it will get destroyed on the first GUI change…



  • after further review I see that vpn.inc is NOT a configuration file, but a PHP script… please disregard my last post.

    thanks,
    Geoff



  • Check out IPSec config on the new 1.3AlphaAlpha builds- It has DPD and more.


Log in to reply