On 26.02.20 23:50, Mark wrote: > Hi, > > I have a couple of random seeming problems between Meraki MX devices and > Strongswan via pfsense and I'm at a bit of a loss on how to gather more > information. Hoping for some pointers here > > The Meraki side is their latest firmware and the pfsense is running > FreeBSD strongSwan U5.7.1/K11.2-RELEASE-p10. I have several sets of > these vpn's but the most problematic one has around 40 phase 1 peers, > each with 2 or 3 phase 2 configurations, this is on a single pfsense > instance with the 40 phase 1 peers being mx devices on the internet. > > These are all IKEv1 configurations. > > For the most part, we have solid and reliable VPN's among the devices, > but sometimes the two endpoints appear to get out of sync. This can > happen every few days or it can happen every couple of hours. > > I see instances of the strongswan side successfully rekeying, but the > Meraki side logging an SPI expiration and never having logged an > established event for that same SPI. The result is that the pfsense side > will send traffic forever but the MX apparently just discards the > incoming traffic. > > In other instances, I will see sometimes 5 or 6 phase 2 SPI pairs for > the same network set on the same conneciton > > In either of these two cases, my operational symptom will be that > traffic is not passing. In both cases, an ipsec down connection && > ipsec up connection makes traffic flow again. > > I've engaged Meraki many times including as the problems are happening, > and I always get an inconclusive answer/ no answer. > > This is an example config, they're generally all the same for the > different phase 1 and phase 2 connections > > conn con1000 > fragmentation = yes > keyexchange = ikev1 > reauth = yes > forceencaps = yes > mobike = no > > rekey = yes > installpolicy = yes > type = tunnel > dpdaction = restart > dpddelay = 10s > dpdtimeout = 60s > auto = route > left = leftnet > right = rghtnet > leftid = leftid > ikelifetime = 28800s > lifetime = 3600s > ike = aes256-sha1-modp1024! > esp = aes256-sha1,aes192-sha1,aes128-sha1! > leftauth = psk > rightauth = psk > rightid = rightid > aggressive = no > rightsubnet = 10.1.1.0/24 > leftsubnet = 10.10.1.0/24 > > > I suspect that some of my problems might be related to delivery problems > for the encapsulated packets over the internet but I don't know how I > can go about knowing that. I have the ability to capture packets on the > wan side of the pfsense/strongswan devices, but I don't quite know what > I'm looking for in the network traffic. > > Any pointers to help me get the data I need to make these tunnels way > more reliable? > > Thanks > > Mark
Please send logs of both sides during an outage. Mit freundlichen Grüßen, -- [*] sys4 AG https://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG,80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief Aufsichtsratsvorsitzender: Florian Kirstein
signature.asc
Description: OpenPGP digital signature
