IPSec VPN drops randomly and never reconnects



  • Since I've upgraded to 2.3, I've noticed that my VPN tunnel will randomly disconnect and never reconnect itself. I've even added an IP to the "Automatically ping host" in phase 2, which I never had to use before, however this doesn't fix the issue either.

    Here are the relevant log lines showing the connection drop on May 8th. May 9th is when I manually pressed the "Reconnect" button on the IPSec Status page. I had to press it twice…sometimes three times.

    May 9 09:48:49 	charon 		10[IKE] <con1000|50>initiating Main Mode IKE_SA con1000[50] to x.x.x.x
    May 9 09:48:49 	charon 		13[CFG] received stroke: initiate 'con1000'
    May 9 09:48:49 	charon 		10[CFG] no IKE_SA named 'con1000' found
    May 9 09:48:49 	charon 		10[CFG] received stroke: terminate 'con1000'
    May 9 09:48:48 	charon 		05[IKE] <con1000|49>destroying IKE_SA in state CONNECTING without notification
    May 9 09:48:48 	charon 		10[CFG] received stroke: terminate 'con1000'
    May 9 09:48:48 	charon 		05[NET] <con1000|49>sending packet: from y.y.y.y[500] to x.x.x.x[500] (180 bytes)
    May 9 09:48:48 	charon 		05[ENC] <con1000|49>generating ID_PROT request 0 [ SA V V V V V ]
    May 9 09:48:48 	charon 		05[IKE] <con1000|49>initiating Main Mode IKE_SA con1000[49] to x.x.x.x
    May 9 09:48:48 	charon 		13[CFG] received stroke: initiate 'con1000'                                                     ****(Reconnect button pressed on IPSec Status page)*****
    May 8 21:57:56 	charon 		11[IKE] <con1000|47>deleting IKE_SA con1000[47] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
    May 8 21:57:56 	charon 		11[IKE] <con1000|47>received DELETE for IKE_SA con1000[47]
    May 8 21:57:56 	charon 		11[ENC] <con1000|47>parsed INFORMATIONAL_V1 request 2704306526 [ HASH D ]
    May 8 21:57:56 	charon 		11[NET] <con1000|47>received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
    May 8 21:57:53 	charon 		11[ENC] <con1000|47>parsed INFORMATIONAL_V1 request 2714980083 [ HASH N(DPD_ACK) ]
    May 8 21:57:53 	charon 		11[NET] <con1000|47>received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
    May 8 21:57:53 	charon 		11[NET] <con1000|47>sending packet: from y.y.y.y[500] to x.x.x.x[500] (92 bytes)
    May 8 21:57:53 	charon 		11[ENC] <con1000|47>generating INFORMATIONAL_V1 request 880239568 [ HASH N(DPD) ]
    May 8 21:57:53 	charon 		11[IKE] <con1000|47>sending DPD request
    May 8 21:57:52 	charon 		11[ENC] <con1000|46>parsed INFORMATIONAL_V1 request 822893423 [ HASH N(DPD) ]
    May 8 21:57:52 	charon 		11[NET] <con1000|46>received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
    May 8 21:57:50 	charon 		11[ENC] <con1000|46>parsed INFORMATIONAL_V1 request 1313742396 [ HASH N(DPD) ]
    May 8 21:57:50 	charon 		11[NET] <con1000|46>received packet: from x.x.x.x[500] to y.y.y.y[500] (92 bytes)
    May 8 21:57:50 	charon 		11[IKE] <con1000|46>sending DPD request
    May 8 21:57:48 	charon 		11[IKE] <con1000|48>deleting IKE_SA con1000[48] between y.y.y.y[y.y.y.y]...x.x.x.x[x.x.x.x]
    

    x.x.x.x = remote site (Cisco)
    y.y.y.y = local pfSense WAN IP

    It looks like we're getting a DELETE from the remote VPN and the "sending DPD request" never goes back out from pfSense.

    Any ideas? It's getting frustrating to have to restart this VPN multiple times a day.
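    A small detection script, added here as an illustration and not code from the original thread or from pfSense: it parses charon log lines in the format quoted above and flags every peer-sent DELETE for an IKE_SA that is not followed by a new IKE_SA initiation for the same connection within a configurable window, which is the "dropped and never reconnected" condition described in the post. The sample lines, the year (syslog lines carry none) and the 300-second threshold are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines in the charon (strongSwan) log format quoted in the
# post, newest first as the pfSense log viewer shows them (tabs or spaces work).
SAMPLE_LOG = """\
May 9 09:48:49 charon 10[IKE] <con1000|50>initiating Main Mode IKE_SA con1000[50] to x.x.x.x
May 8 21:57:56 charon 11[IKE] <con1000|47>received DELETE for IKE_SA con1000[47]
May 8 21:57:53 charon 11[IKE] <con1000|47>sending DPD request
May 8 21:57:50 charon 11[IKE] <con1000|46>sending DPD request
"""

# Timestamp, daemon, thread[subsystem], optional <conn|sa-number> tag, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+charon\s+\d+\[\w+\]\s+"
    r"(?:<(?P<conn>[^|>]+)\|\d+>)?(?P<msg>.*)$"
)

def parse_ts(ts, year):
    # Syslog lines carry no year; the caller supplies one (assumption: no
    # December-to-January rollover inside the window being examined).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_stale_tunnels(log_text, max_down_seconds=300, year=2024):
    """Return [(conn, deleted_at, seconds_until_reinit_or_None)] for every
    peer-initiated DELETE that is not followed by a new IKE_SA initiation
    for the same connection within max_down_seconds."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("conn"):
            continue  # stroke/control lines carry no <conn|sa> tag
        msg = m.group("msg")
        if "received DELETE for IKE_SA" in msg:
            kind = "delete"
        elif msg.startswith("initiating") and "IKE_SA" in msg:
            kind = "initiate"
        else:
            continue  # DPD chatter and other lines are not state changes
        events.append((parse_ts(m.group("ts"), year), m.group("conn"), kind))
    events.sort()  # chronological order regardless of the viewer's ordering
    stale = []
    for i, (ts, conn, kind) in enumerate(events):
        if kind != "delete":
            continue
        later = [t for t, c, k in events[i + 1:] if c == conn and k == "initiate"]
        gap = (later[0] - ts).total_seconds() if later else None
        if gap is None or gap > max_down_seconds:
            stale.append((conn, ts, gap))
    return stale
```

    Run against the sample, it reports con1000 deleted by the peer on May 8 at 21:57:56 and not re-initiated until the manual reconnect almost twelve hours later; fed a full day's log, the same check can drive an alert instead of waiting for users to notice.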



  • On pfSense-to-pfSense configs:

    I found swapping to IKEv2 made a difference for me (change at both ends in Phase 1).
    Also, under advanced settings on the general IPsec tab, I enabled 'Make before Break'.

    Previously I would need to start and stop the IPsec service for it to reconnect; one end thought it was still up.



  • I think I figured it out... very stupid, of course. It seems that if I ping the remote LAN subnet, the tunnel will come back up by itself. I suppose I could set the auto ping IP to the remote LAN IP and that should keep it up.

    I unfortunately don't have control over the other end (and the admins that do are very incompetent), so I can't change to IKEv2 on the remote end.

    Would enabling 'Make before Break' have any effect?

