Losing connection in ipsec phase 2 after 24 hours
-
I can report exactly the same problem.
pfsense 2.2.6 on one end and 2.2.5 on the other. The tunnel is using IKEv1.
The phase 2 entry stays active for approx 24 hours and then disappears. The phase 1 entry is still active - there is just no phase 2 entry.
Very strange.
This is the first IPsec tunnel that I have configured between two pfsense entities. Other IPsec tunnels into pfsense 2.2.5 from various other devices work fine and the phase 2 entry is not 'lost'.
Interestingly the pfsense 2.2.6 entity is replacing a Netgear router/firewall. The IPsec tunnel has been operating for a long time without problems with the Netgear, all I did was to replace the Netgear with pfsense and configure the endpoint. So the pfsense 2.2.5 configuration is unchanged.
I have never had the phase 2 come back by itself. If I 'disconnect' the phase 1 connection the IPsec tunnel will immediately reconnect and the phase 2 is present and it all works.
I will try switching to IKEv2 and see what happens.
Tim
-
Split this to its own thread as it's just the same symptom as the other one, there are numerous potential causes for that symptom.
What do your IPsec logs show?
-
Sorry, I didn't keep a copy of the logs prior to switching to IKEv2.
At this stage, after switching to IKEv2, the problem has not reappeared, but I probably need to leave it in IKEv2 for a bit longer. So I will leave everything in the current configuration for another 12 hours and see if the IKEv2 tunnel keeps the phase 2 active.
I can then switch the connection back to IKEv1 and report back with the logs when I get the failure.
There will be a 5 day delay as I am going away for a few days.
Thanks,
Tim
-
Further information:
I am currently working on this problem and also an unreliable PPPoE link. As part of the PPPoE testing I have been switching pfsense release versions at one end of the IPsec tunnel. The "problem" occurs with pfsense 2.3 <-> pfsense 2.2.5 when using IKEv1.
At this stage I have not seen a problem with IKEv2 (ran for at least 4 days without a problem with pfsense 2.2.6 <-> pfsense 2.2.5).
Unfortunately I only have 5 hours worth of logs (due to the file wrapping) and the loss of phase 2 appears to be prior to the earliest entry in the log. (The VPN is used for some overnight backups and these failed due to no connectivity, the time of this backup was earlier than the earliest entry in the log file.) I will arrange to log the files onto a remote server so that I have all of them.
I thought that perhaps this IPsec issue was related to the unreliable PPPoE link. However, that does not appear to be the case. The PPPoE link has been up for 10 hours, and I know that the VPN was functional 10 hours ago, and it has certainly lost its phase 2 entry now.
Tim
-
This issue has not reappeared in the last few days, and it used to occur at least once a day.
The only major change to my configuration is to improve the stability of the PPPoE link to the Internet. I was using a USB Ethernet adapter for my PPPoE link and the link was quite unstable; typical PPPoE uptimes were a few hours max. I have since changed to a VLAN-based solution to get my PPPoE traffic out of the pfsense environment. The result of this is that the PPPoE is now significantly more stable, and at the same time the IPsec phase 1 without phase 2 problem appears to have gone away.
As well as being more stable, the time to reconnect when the PPPoE link does fail has increased. With the USB Ethernet adapter the PPPoE daemon would receive a TERM signal, shut down, and then immediately reconnect. Now all the PPPoE outages look more like ISP issues and are loss of LCP echo, followed by a few attempts to reconnect. So the PPPoE link is down for a much longer time and does not instantly reconnect.
So at this stage it looks like the IPsec loss of phase 2 may relate to the manner/frequency of link failure on the Internet link.
I have left the IPsec links in IKEv1 and if the issue occurs again then I will hopefully be able to supply the appropriate logging information.
Tim
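The symptom the thread keeps coming back to is an IKE SA (phase 1) that stays ESTABLISHED while its CHILD SA (phase 2) has quietly disappeared, which nobody notices until the overnight backup fails. The check below is an added example, not code from the thread or from pfSense: it parses the kind of text that strongSwan's `ipsec statusall` prints (connection-name `[n]` lines for IKE SAs, `{n}` lines for CHILD SAs) and reports every connection that has an established IKE SA but no installed CHILD SA. The sample status block is constructed for the example, and the exact line format is an assumption about strongSwan's output; the connection names and addresses are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of strongSwan `ipsec statusall` output (assumption:
# pfSense 2.2.x/2.3 uses strongSwan and prints IKE SAs as name[id] and CHILD SAs as
# name{id}). con1 shows the thread's symptom: phase 1 up, no phase 2. con2 is healthy.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
     con1[3]: ESTABLISHED 22 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1[3]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 78 minutes
     con2[7]: ESTABLISHED 3 hours ago, 203.0.113.10[203.0.113.10]...192.0.2.30[192.0.2.30]
     con2[7]: IKEv1 SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 2 hours
     con2{12}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a80001_i c0a80002_o
     con2{12}:   10.0.0.0/24 === 10.1.0.0/24
"""

# IKE SA line: "<name>[<id>]: ESTABLISHED ..."
IKE_SA_RE = re.compile(r'^\s*(?P<name>[\w.-]+)\[(?P<id>\d+)\]:\s+ESTABLISHED\b')
# CHILD SA line: "<name>{<id>}: INSTALLED ..."
CHILD_SA_RE = re.compile(r'^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+INSTALLED\b')


def parse_status(text):
    """Return (established, installed): connection name -> set of SA ids."""
    established = defaultdict(set)
    installed = defaultdict(set)
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:
            established[m['name']].add(int(m['id']))
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            installed[m['name']].add(int(m['id']))
    return established, installed


def phase1_without_phase2(text):
    """Connections with an established IKE SA but no installed CHILD SA."""
    established, installed = parse_status(text)
    return sorted(name for name in established if not installed.get(name))


if __name__ == "__main__":
    # In production, replace SAMPLE_STATUS with the captured output of
    # `ipsec statusall` and run this from cron; log the result to a remote
    # syslog host so it survives local log wrapping.
    broken = phase1_without_phase2(SAMPLE_STATUS)
    for name in broken:
        print(f"WARNING: {name}: phase 1 established but no phase 2 child SA")
    raise SystemExit(1 if broken else 0)
```

Run it periodically (more often than the tunnel's phase 2 lifetime) and ship the warning to a remote log host; the thread's own lesson is that the local log had wrapped by the time the failure was noticed, so the detection has to happen before the evidence is gone.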