On 2015-Mar-26, at 4:01 PM, Chris Buechler <[email protected]> wrote:

> Go to System>Advanced, System Tunables, and add a new tunable there.
> Name net.key.preferred_oldsa, value 0, then save and apply changes.
> That have any impact on things?
Executive summary: no.

Here's what I did:

- created/applied tunable at both ends
- turned off our server's "keep VPN alive" pinger
- on my end, pressed the "disconnect" button for the 2.2.1-to-2.2.1 VPN (in Status -> IPsec)
- Status -> IPsec "immediately" indicated that the 2.2.1-to-2.2.1 VPN connection was established (this is always the case ... it sort o' fibs)
- started a once-per-second ping from my system (to the pfSense box at the other end)
- the first 88 pings were unanswered
- the VPN was "really connected" at about 89 seconds
- killed the pinging at about 103 seconds (and typed this stuff up, up to here)
- ran the pinger, again ... 7 successes ... interrupted the ping process
- waited about 3 minutes (remember, right now there's no other traffic across this VPN)
- ran the ping, again ... connection down, 34 pings unanswered
- VPN connected at about 35 seconds
- let the ping run for another minute ... stayed connected
- interrupted ping process
- waited about 3 minutes
- ran the ping, again ... connection down, 143 pings unanswered
- VPN connected at about 144 seconds

So far, I'd say that this change had zero effect. This appears to be the same behavior as though the tunable wasn't there.

Next, I did the following:

- pinger still running, VPN still connected
- pressed the "Restart IPsec service" button (Status -> IPsec) on the pfSense at the other end
- one ping slightly longer response, but no pings lost
- pressed the "Restart IPsec service" button (Status -> IPsec) on the pfSense at my end
- one ping with no response but connection stayed up -- interestingly, Status -> IPsec reported an "established" time that indicated the original connection duration (i.e., seemingly indicating that the restart didn't create a new connection)
- killed the pinger as I typed this stuff
- about 6 minutes later, ran a ping and the connection was still alive
- interrupted the ping after 7 pings
- waited about 3 minutes
- ran the ping, again ... connection still alive!
- I stopped the ping
- I thought that looked quite promising so, as a more rigorous set of tests, I was going to restart the pfSense box at the other end and completely stop, then restart the IPsec service at my end ... I typed that info in as my next steps
- however, when I went to access the pfSense box at the other end, about a minute later, the VPN was down
- I fired off another ping ... 126 pings unanswered
- VPN connected at about 127 seconds

Next, I did the following:

- rebooted the pfSense box at the other end
- stopped the IPsec service at my end
- waited long enough to ensure that the pfSense box at the other end had ample time to reboot (please!)
- started the IPsec service at my end
- started a once-per-second ping from my system and attempted to access both the pfSense box at the other end of the 2.2.1-to-2.2.1 VPN and the one at the other end of the 2.2.1-to-2.1.5 VPN
- got the pfSense box at the other end of the 2.2.1-to-2.1.5 VPN with about a 1 second delay, as "always" -- yes, experience with the previous IPsec does create high expectations! #;-))
- 54 pings unanswered
- the 2.2.1-to-2.2.1 VPN connected after about 55 seconds
- typed this stuff up and ran another ping (about 3-4 min. later)
- connection still up ... stopped ping
- waited about 3 minutes
- ran ping ... 30 pings unanswered
- VPN connected at about 31 seconds

In spite of a moment's promise, looks like this change had no net effect. [hey, had to get in at least 1 pun]

FYI, since I implemented the pinger script on the server, I've accessed the pfSense box at the other end about 20 times and the VPN has been up every time. Without the pinger, I could count on it always being disconnected and having to wait .5 to 1.5 minutes for it to connect, after attempting to send some traffic.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
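The post measures tunnel recovery by hand: start a once-per-second ping, count how many go unanswered, note when the VPN is "really connected". The following is an added example, not the poster's pinger script or anything shipped with pfSense, that automates both jobs at once: it doubles as the "keep VPN alive" probe and logs each up/down transition together with the number of unanswered probes before recovery. The peer address `192.0.2.1` is a constructed placeholder for the far pfSense box's inside-tunnel (LAN) address, and the state-tracking logic is split from the actual `ping` so it can be checked against canned results.

```sh
#!/bin/sh
# Added example: IPsec tunnel keepalive plus reconnect-time logger (not from the original post).
# Probes the far end's inside-tunnel address once per INTERVAL seconds; traffic through the
# tunnel keeps the SA in use, and each DOWN -> UP transition is logged with the number of
# probes that went unanswered, i.e. the "N pings unanswered, connected at about N+1 seconds"
# measurement the post makes by hand.

PEER="${PEER:-192.0.2.1}"        # constructed placeholder: LAN address of the far pfSense box
INTERVAL="${INTERVAL:-1}"        # seconds between probes
TIMEOUT="${TIMEOUT:-1}"          # seconds to wait for each reply

# probe: one ICMP echo request; exit status 0 on reply, non-zero on timeout/error.
probe() {
    ping -c 1 -W "$TIMEOUT" "$PEER" >/dev/null 2>&1
}

# track_transitions: reads one probe exit status per line from stdin (0 = answered,
# anything else = unanswered) and prints a line only when the tunnel state changes.
# On recovery it reports how many consecutive probes were lost and the implied outage
# length (misses * INTERVAL seconds).
track_transitions() {
    state=up
    misses=0
    while IFS= read -r rc; do
        if [ "$rc" -eq 0 ]; then
            if [ "$state" = down ]; then
                printf 'UP after %d unanswered probes (~%ds)\n' \
                    "$misses" "$((misses * INTERVAL))"
            fi
            state=up
            misses=0
        else
            if [ "$state" = up ]; then
                printf 'DOWN\n'
            fi
            state=down
            misses=$((misses + 1))
        fi
    done
}

# run_keepalive: probe forever, feed results to the tracker, timestamp each transition.
run_keepalive() {
    while :; do
        probe
        echo $?
        sleep "$INTERVAL"
    done | track_transitions | while IFS= read -r line; do
        printf '%s %s %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$PEER" "$line"
    done
}

# Only start the endless loop when explicitly asked, e.g.:  PEER=192.0.2.1 sh keepalive.sh run
case "${1:-}" in
    run) run_keepalive ;;
esac
```

Run it on the server side of the tunnel (the role the post's pinger plays) and leave it in the background; the log then shows both whether the tunnel drops during idle periods and how long each recovery takes, without having to sit at a ping prompt and count.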
