[pfSense] ipsec tunnel closes

2011-12-19 Thread Nick Upson
I'm running 1.2.3

I have an IPsec tunnel to another site, which closes unless there is
traffic. I want it up 24/7, so I put a remote IP in the "keep alive,
automatically ping host" section of the setup.
It still behaves the same way. Is this to be expected (known bug or
something) or have I done something wrong?

Nick Upson
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Chris Buechler
On Mon, Dec 19, 2011 at 9:49 AM, Nick Upson n...@telensa.com wrote:
 I'm running 1.2.3

 I have an IPsec tunnel to another site, which closes unless there is traffic.
 I want it up 24/7, so I put a remote IP in the "keep alive, automatically
 ping host" section of the setup.
 It still behaves the same way. Is this to be expected (known bug or
 something) or have I done something wrong?


The only scenario where that won't work is where there isn't a local IP on
the firewall within the local subnet of the IPsec, or if you don't put
in an IP that's within the remote subnet.
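The check Chris describes, as an added example (not code from pfSense or from anyone in this thread): the keep-alive only maintains the SA if the ICMP it generates matches the tunnel's traffic selectors, so the ping must be sourced from an address inside the local subnet and aimed at an address inside the remote subnet. The subnets are the ones Nick gives later in the thread (10.0.0.0/8 and 192.168.118.0/24); the tcpdump lines and the interface addresses are constructed for illustration.

```python
"""Verify that an IPsec keep-alive ping falls inside the tunnel's
encryption domain (local selector -> remote selector).

Added example, not pfSense code and not code from anyone in the thread.
The tcpdump lines and interface addresses below are constructed.
"""
import ipaddress
import re

# Subnets from Nick's post: local 10.0.0.0/8, remote 192.168.118.0/24
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")
REMOTE_NET = ipaddress.ip_network("192.168.118.0/24")

# Shape of a `tcpdump -n icmp` line: "HH:MM:SS.uuuuuu IP SRC > DST: ICMP echo request, ..."
_ICMP_REQ_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")


def parse_icmp_echo(line):
    """Return (src, dst) as strings for an ICMP echo-request line, else None."""
    m = _ICMP_REQ_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2)


def keepalive_problems(src, dst, local_net=LOCAL_NET, remote_net=REMOTE_NET):
    """List the reasons a ping src->dst would not match the tunnel's selectors.
    An empty list means the ping is the kind of traffic that brings the SA up."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    problems = []
    if src_ip not in local_net:
        problems.append(
            f"source {src_ip} is outside local subnet {local_net}; "
            "it does not match the tunnel's local selector"
        )
    if dst_ip not in remote_net:
        problems.append(f"destination {dst_ip} is outside remote subnet {remote_net}")
    return problems


def choose_source(interface_addrs, local_net=LOCAL_NET):
    """Pick a firewall interface address that lies inside the local subnet.
    Returns the address as a string, or None if the firewall has none there
    (Chris's first failure case)."""
    for addr in interface_addrs:
        if ipaddress.ip_address(addr) in local_net:
            return addr
    return None


def audit_lines(lines):
    """Run keepalive_problems over every echo request in a tcpdump capture."""
    results = []
    for line in lines:
        parsed = parse_icmp_echo(line)
        if parsed is None:
            continue  # replies and non-ICMP lines are not keep-alive probes
        src, dst = parsed
        results.append((src, dst, keepalive_problems(src, dst)))
    return results


# Constructed sample capture: first probe leaves from a WAN address (wrong),
# second from a LAN address inside 10.0.0.0/8 (right), third is a reply.
SAMPLE_LINES = [
    "15:03:12.000001 IP 203.0.113.10 > 192.168.118.6: ICMP echo request, id 5, seq 1, length 64",
    "15:03:13.000001 IP 10.20.0.1 > 192.168.118.6: ICMP echo request, id 5, seq 2, length 64",
    "15:03:14.000001 IP 192.168.118.6 > 10.20.0.1: ICMP echo reply, id 5, seq 2, length 64",
]

if __name__ == "__main__":
    for src, dst, problems in audit_lines(SAMPLE_LINES):
        print(src, "->", dst, "OK" if not problems else "; ".join(problems))
    print("source to use:", choose_source(["203.0.113.10", "10.20.0.1"]))
```

To feed it real data, capture the probes on the pfSense box with `tcpdump -ni <lan-interface> icmp` (or on `enc0` to see what actually entered the tunnel) and pass the lines to `audit_lines`.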


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Nick Upson
On 19 December 2011 14:55, Jochem de Waal joc...@caresoft.nl wrote:

 Hi Nick,

 We have many IPSEC tunnels to our customers using pfSense 1.2.3 and also
 on 2.0 without any problems.

 What could be the problem in your case is the lifetime of phase 1 and 2.

 Try setting phase 1 to 28800 and phase 2 to 3600. This should be the same
 on both sides.

 Cheers,

 Jochem

 From: list-boun...@lists.pfsense.org [mailto:list-boun...@lists.pfsense.org] On behalf of Nick Upson
 Sent: Monday, 19 December 2011 15:49
 To: pfSense support and discussion
 Subject: [pfSense] ipsec tunnel closes

 I'm running 1.2.3

 I have an IPsec tunnel to another site, which closes unless there is
 traffic. I want it up 24/7, so I put a remote IP in the "keep alive,
 automatically ping host" section of the setup.
 It still behaves the same way. Is this to be expected (known bug or
 something) or have I done something wrong?

 Nick Upson


Hi,

my settings are the other way round; I'm not sure about the other end.


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Ian Bowers
On Mon, Dec 19, 2011 at 9:49 AM, Nick Upson n...@telensa.com wrote:

 I'm running 1.2.3

 I have an IPsec tunnel to another site, which closes unless there is
 traffic. I want it up 24/7, so I put a remote IP in the "keep alive,
 automatically ping host" section of the setup.
 It still behaves the same way. Is this to be expected (known bug or
 something) or have I done something wrong?

 Nick Upson


Please post your encryption domain (which networks are encrypted on both
sides) and which IP you are pinging. Also, what type of device does the VPN
terminate on the other end? I have a couple of ideas.


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Nick Upson
On 19 December 2011 15:00, Ian Bowers iggd...@gmail.com wrote:

 Please post your encryption domain (which networks are encrypted on both
 sides) and which IP you are pinging. Also, what type of device does the VPN
 terminate on the other end? I have a couple of ideas.


local subnet 10.0.0.0/8
remote subnet 192.168.118.0/24
ping 192.168.118.6

no idea what device is on the other end, sorry


Re: [pfSense] ipsec tunnel closes

2011-12-19 Thread Ian Bowers
One thing to check is what IP that ping ends up getting sourced from, and
making sure it's in the right subnet. tcpdump should work.

I'm thinking one reason it can get closed is if IP/50, UDP/500, and/or
UDP/4500 aren't allowed in both directions on the other end. When
requesting VPN ports from your source to your peer from some firewall
admins, they allow the ports inbound but forget to do the same outbound.
It's surprisingly typical and shows a lack of knowledge of what they're
dealing with. The problem this creates is during the rekey sequence of the
VPN. Most IPsec stacks will take the VPN lifetime, subtract a random
value, and rekey at that time. So either end can end up initiating the
re-key sequence. If the remote end initiates the re-key, and the proper
ports haven't been allowed outbound, the requests will get dropped. This
means your remote end thinks the re-key is in progress but the local end
doesn't know. In a little bit the local end will hit its timer and
initiate a re-key. The remote end will say "I'm already doing this" and
drop the request. So neither end will be able to successfully re-key the
tunnel, and it will go down.

On Mon, Dec 19, 2011 at 10:03 AM, Nick Upson n...@telensa.com wrote:

 local subnet 10.0.0.0/8
 remote subnet 192.168.118.0/24
 ping 192.168.118.6

 no idea what device is on the other end, sorry


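A check for the "allowed inbound but not outbound" condition Ian describes, as an added example (not code from pfSense or from anyone in this thread). It reads a simplified pf.conf-style rule list and reports which of ESP (IP protocol 50), UDP/500 and UDP/4500 has no pass rule in each direction. The rule lines and the peer addresses 203.0.113.1 and 198.51.100.1 are constructed for illustration, and the parser only understands this cut-down syntax, not full pf.conf.

```python
"""Audit a firewall rule set for the traffic an IPsec peer needs in BOTH
directions: ESP, UDP/500 (IKE) and UDP/4500 (NAT-T).

Added example, not pfSense code and not code from anyone in the thread.
The rule lines below are constructed in a simplified pf.conf style.
"""
import re

# (protocol, port) pairs that must be passed both in and out
REQUIRED = [("esp", None), ("udp", 500), ("udp", 4500)]

# Matches: pass in|out ... proto <name> ... [port <n> | port { n n ... }]
_RULE_RE = re.compile(
    r"^pass\s+(in|out)\b.*?\bproto\s+(\w+)(?:.*?\bport\s+(\{[^}]*\}|\d+))?"
)


def parse_rule(line):
    """Return (direction, proto, set_of_ports) for a pass rule, else None.
    The port set is empty for rules with no port clause (e.g. ESP)."""
    line = line.split("#", 1)[0].strip()  # drop comments
    m = _RULE_RE.match(line)
    if not m:
        return None
    direction, proto, ports = m.group(1), m.group(2).lower(), m.group(3)
    port_set = {int(p) for p in re.findall(r"\d+", ports)} if ports else set()
    return direction, proto, port_set


def missing_ipsec_rules(lines):
    """Return the (direction, proto, port) triples that no pass rule covers,
    in a fixed order (in before out, ESP then UDP/500 then UDP/4500)."""
    allowed = set()
    for line in lines:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        direction, proto, ports = parsed
        if proto == "esp":
            allowed.add((direction, "esp", None))
        elif proto == "udp":
            for port in ports:
                allowed.add((direction, "udp", port))
    missing = []
    for direction in ("in", "out"):
        for proto, port in REQUIRED:
            if (direction, proto, port) not in allowed:
                missing.append((direction, proto, port))
    return missing


def summarize(missing):
    """Human-readable verdict for a missing-rule list."""
    if not missing:
        return "ESP, UDP/500 and UDP/4500 are passed in both directions"
    return "not passed: " + ", ".join(
        f"{d} {p}" + (f"/{port}" if port else "") for d, p, port in missing
    )


# Constructed sample: the remote admin opened everything inbound from our
# peer but only ESP outbound, so the remote end cannot initiate IKE.
PEER_RULES = [
    "# constructed sample rule set on the remote firewall",
    "pass in quick on em0 proto esp from 203.0.113.1 to 198.51.100.1",
    "pass in quick on em0 proto udp from 203.0.113.1 to 198.51.100.1 port { 500 4500 }",
    "pass out quick on em0 proto esp from 198.51.100.1 to 203.0.113.1",
]

if __name__ == "__main__":
    print(summarize(missing_ipsec_rules(PEER_RULES)))
```

On the local pfSense box the loaded rules can be dumped with `pfctl -sr` and fed to `missing_ipsec_rules`; for the remote end you still need the other admin to show you theirs, which is the part Ian's message is really about.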