one thing to check is what IP that ping ends up getting sourced from, and making sure it's in the right subnet. tcpdump should work

I'm thinking one reason it can get closed is if IP/50, UDP/500, and/or UDP/4500 aren't allowed in both directions on the other end. When requesting VPN ports from your source to your peer from some firewall admins, they allow the ports inbound but forget to do the same outbound. It's surprisingly typical and shows a lack of knowledge for what they're dealing with.

The problem this creates is during the rekey sequence of the VPN. Most IPSec stacks will take the VPN lifetime, subtract a random value, and rekey at that time. So either end can end up initiating the re-key sequence. If the remote end initiates the re-key, and the proper ports haven't been allowed outbound, the requests will get dropped. This means your remote end thinks the re-key is in progress but the local end doesn't know. In a little bit the local end will hit its timer, and initiate a re-key. The remote end will say "I'm already doing this" and drop the request. So neither end will be able to successfully re-key the tunnel, and it will go down.

On Mon, Dec 19, 2011 at 10:03 AM, Nick Upson <n...@telensa.com> wrote:

> Nick Upson
>
> On 19 December 2011 15:00, Ian Bowers <iggd...@gmail.com> wrote:
>
>> On Mon, Dec 19, 2011 at 9:49 AM, Nick Upson <n...@telensa.com> wrote:
>>
>>> I'm running 1.2.3
>>>
>>> I have an IPsec tunnel to another site, which closes unless there is
>>> traffic. I want it up 24/7 so I put a remote IP in the "keep alive,
>>> automatically ping host" section of the setup.
>>> It still behaves the same way. Is this to be expected (known bug or
>>> something) or have I done something wrong?
>>>
>>> Nick Upson
>>>
>>> _______________________________________________
>>> List mailing list
>>> List@lists.pfsense.org
>>> http://lists.pfsense.org/mailman/listinfo/list
>>
>> Please post your encryption domain (which networks are encrypted on both
>> sides) and which IP you are pinging. Also, what type of device does the VPN
>> terminate on the other end? I have a couple ideas
>
> local subnet 10.0.0.0/8
> remote subnet 192.168.118.0/24
> ping 192.168.118.6
>
> no idea what device is on the other end, sorry
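An added illustration, not code from the thread or from pfSense: a small Python model of the two points raised in the reply above, the check that the keep-alive ping is sourced from inside the local encryption domain, and the rekey race that appears when the far-end firewall passes IKE/ESP into the remote site but not back out. `ping_source_ok`, `RemoteFirewall` and `simulate_rekeys` are hypothetical names; the jitter values, addresses and log lines are constructed for the example. Real IPsec stacks draw the jitter randomly, so the model takes the per-lifetime jitters as input to keep the outcome reproducible.

```python
import ipaddress
import random
from dataclasses import dataclass


def ping_source_ok(source_ip: str, local_domain: str) -> bool:
    """True if the keep-alive ping is sourced from inside the local encryption
    domain. A ping sourced from any other address (the WAN address, say) never
    matches the IPsec policy, so it cannot keep the tunnel up."""
    return ipaddress.ip_address(source_ip) in ipaddress.ip_network(local_domain, strict=False)


@dataclass
class RemoteFirewall:
    """What the far-end firewall passes for IKE (UDP/500, UDP/4500) and ESP (IP/50).
    to_remote: packets from our gateway into the remote site (usually allowed).
    from_remote: packets the remote gateway sends back to us (the direction the
    thread says is often forgotten). Hypothetical model, constructed for this example."""
    to_remote: bool = True
    from_remote: bool = True


def simulate_rekeys(lifetime: int, jitters, fw: RemoteFirewall):
    """Hypothetical model of the rekey race: each peer rekeys at
    lifetime - jitter, so the peer with the larger jitter initiates first.
    jitters is a list of (local_jitter, remote_jitter) pairs, one per SA
    lifetime. Returns (tunnel_up, log)."""
    log = []
    for rnd, (local_j, remote_j) in enumerate(jitters, 1):
        local_t, remote_t = lifetime - local_j, lifetime - remote_j
        if local_t <= remote_t:
            # Local timer fires first: our IKE packets must reach the remote peer.
            if not fw.to_remote:
                log.append(f"round {rnd}: local initiates at t={local_t}, dropped inbound at remote; tunnel down")
                return False, log
            log.append(f"round {rnd}: local initiates at t={local_t}, remote accepts, SA renewed")
            continue
        if fw.from_remote:
            log.append(f"round {rnd}: remote initiates at t={remote_t}, local accepts, SA renewed")
            continue
        # Remote timer fires first but its IKE packets are dropped outbound:
        # the remote believes a rekey is in progress, the local end never sees it.
        log.append(f"round {rnd}: remote initiates at t={remote_t}, dropped outbound at remote firewall")
        # Local timer then fires; the remote rejects it as a rekey already in progress.
        log.append(f"round {rnd}: local initiates at t={local_t}, remote answers 'already rekeying', dropped")
        log.append(f"round {rnd}: old SA expires at t={lifetime}, tunnel down")
        return False, log
    return True, log


if __name__ == "__main__":
    # Constructed sample: the thread's local encryption domain and seeded random jitters.
    print("ping source in domain:", ping_source_ok("10.1.2.3", "10.0.0.0/8"))
    rng = random.Random(1)
    jitters = [(rng.randint(0, 300), rng.randint(0, 300)) for _ in range(10)]
    for fw in (RemoteFirewall(), RemoteFirewall(from_remote=False)):
        up, log = simulate_rekeys(3600, jitters, fw)
        print(f"\n{fw}: tunnel {'up' if up else 'DOWN'}")
        print("\n".join(log))
```

With both directions open the tunnel survives every round regardless of which peer's timer fires first; with `from_remote=False` it survives only as long as the local end happens to win the race, and goes down the first time the remote end initiates. That is why a one-directional allow looks fine on the day the tunnel is built and fails a lifetime or two later.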