Topic: IPSec tunnel not re-establishing after time-out  (Read 5346 times)
« on: March 25, 2008, 01:11:01 »
gbusc *
Posts: 1

Hi Guys,

I have come across a very concerning issue with M0n0wall which has driven me up the wall.

I have tried running the latest stable and different Betas of 1.3 - including b10, and seem to get identical problems.

Basically I have found that when you create an IPSec tunnel (it makes no difference what any of the parameters are), and the tunnel expires or is reset at the end opposite the M0n0wall, the M0n0wall is unable to detect that it has expired/been reset and will not reconnect.

I have tried continuously pinging across the link with different size data and it still happens. Tried it with a Watchguard, a Netgear and a pfSense box and I get identical problems.

Though, what is very curious is that pfSense (which also uses Racoon) doesn't suffer the same problem in reverse. I.e.: when I reset the IPSec tunnel at the M0n0wall end, the pfSense can detect that the tunnel is lost and re-establishes a new SA.

If anyone can shed some light on this, it would be greatly appreciated.

GB
« Reply #1 on: March 31, 2008, 22:38:41 »
Hellraiser69 *
Posts: 3

Hi to all

I have exactly the same problem...

Roger
« Reply #2 on: April 04, 2008, 12:11:04 »
acid-mic *
Posts: 11

Hello,

I've got the same problem. One side with a static global IP - the other with a dynamic IP and a dyn-dns service (m0n0wall to m0n0wall).

If the ISP disconnects and changes the dynamic IP of the client, the tunnel won't come up. Only a restart on the static side will fix the problem .... for the moment.
« Reply #3 on: April 04, 2008, 13:44:55 »
ChainSaw
Guest

I'm running 1.3b10 and have seen the same problem as well.

CS...
« Reply #4 on: April 06, 2008, 10:19:53 »
Manuel Kasper
Administrator
*****
Posts: 364

Try 1.3b11 - I've found (and fixed) a problem with old SAs being preferred over new ones in 1.3b10 due to changes in the behavior of the net.key.preferred_oldsa sysctl. It's very likely that this is what causes your problem, as previous m0n0wall releases correctly preferred new SAs by default.

1.3b11 now also has DPD (off by default, but may be enabled on the tunnel configuration page), which can also help speed up tunnel re-establishment in some cases.

Thanks for the report!
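As an added example (not from the thread, and not m0n0wall or racoon code), the check a practitioner would run when hunting the symptom Manuel describes: more than one mature SA for the same peer pair in the kernel SAD, with the older one still in use. It parses `setkey -D` output (the KAME/FreeBSD layout, reproduced from memory; the peer addresses, SPIs and timestamps below are constructed) and lists the stale SAs together with the `setkey -c` delete lines that correspond to the "deleting the old SAD" step posters in this thread performed by hand.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed `setkey -D` sample: the same peer pair twice, the older SA
# still 'mature' an hour after the remote end rekeyed.
SAMPLE = """\
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tE: 3des-cbc  ...
\tA: hmac-sha1 ...
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Apr  6 10:19:53 2008\tcurrent: Apr  6 11:20:00 2008
\tdiff: 3607(s)\thard: 28800(s)\tsoft: 23040(s)
203.0.113.10 198.51.100.20
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tE: 3des-cbc  ...
\tA: hmac-sha1 ...
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Apr  6 11:15:02 2008\tcurrent: Apr  6 11:20:00 2008
\tdiff: 298(s)\thard: 28800(s)\tsoft: 23040(s)
"""

HDR = re.compile(r"^(\S+) (\S+)$")          # unindented "src dst" line
SPI = re.compile(r"spi=(\d+)\(")
STATE = re.compile(r"state=(\w+)")
CREATED = re.compile(r"created: (\w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})")

def parse_sad(text):
    """Return one dict (src, dst, spi, state, created) per SA in the dump."""
    sas, cur = [], None
    for line in text.splitlines():
        if (m := HDR.match(line)):
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        if (m := SPI.search(line)):
            cur["spi"] = int(m.group(1))
        if (m := STATE.search(line)):
            cur["state"] = m.group(1)
        if (m := CREATED.search(line)):
            stamp = " ".join(m.group(1).split())      # collapse "Apr  6"
            cur["created"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    return sas

def stale_sas(sas):
    """Per (src, dst) pair with several mature SAs, return all but the newest."""
    by_peer = defaultdict(list)
    for sa in sas:
        if sa.get("state") == "mature":
            by_peer[(sa["src"], sa["dst"])].append(sa)
    stale = []
    for group in by_peer.values():
        group.sort(key=lambda s: s["created"])
        stale.extend(group[:-1])
    return stale

def delete_commands(stale):
    """setkey(8) delete lines for review before feeding them to `setkey -c`."""
    return [f"delete {s['src']} {s['dst']} esp 0x{s['spi']:x};" for s in stale]

if __name__ == "__main__":
    print("\n".join(delete_commands(stale_sas(parse_sad(SAMPLE)))))
```

On a live box, replace SAMPLE with the output of `setkey -D`; a non-empty result after a peer has rekeyed is the stale-SA condition, independent of how net.key.preferred_oldsa is set.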
« Reply #5 on: April 06, 2008, 10:48:29 »
ChainSaw
Guest

Manuel,

I just upgraded all 30 of my 1.3b9 and 1.3b10 boxes (a mix of: PC, net4801, net5501, wrap and alix) and so far everything is working great!

Thanks for all your hard work!

CS...
« Last Edit: April 06, 2008, 11:40:29 by ChainSaw »
« Reply #6 on: April 06, 2008, 21:06:25 »
Hellraiser69 *
Posts: 3

I upgraded my boxes to 1.3b11 and everything seems to work right.

Thanks Manuel for your work. M0n0wall gets better and better and better...
« Reply #7 on: April 06, 2008, 22:18:36 »
ChainSaw
Guest

1.3b11 m0n0wall to m0n0wall (with DPD set to 60 on both ends) still has the following problem:

If I connect to a remote m0n0wall over an IPSec tunnel and tell it to reboot, the tunnel will not restart without deleting the old SAD or clicking "Save" on the "VPN: IPsec: Tunnels" page.

Other than that I'm not seeing any problems with the new release.

CS...
« Reply #8 on: April 17, 2008, 11:00:07 »
ssbaksa *
Posts: 2

1.3b11 m0n0wall to m0n0wall (with DPD set to 60 on both ends) still has the following problem:

If I connect to a remote m0n0wall over an IPSec tunnel and tell it to reboot, the tunnel will not restart without deleting the old SAD or clicking "Save" on the "VPN: IPsec: Tunnels" page.

Other than that I'm not seeing any problems with the new release.
CS...
Same with me. 1.3b11 on the main site with a static IP and another one, 1.233, on ADSL (PPPoE). After the provider changes the IP (every 24h) the tunnel dies. Clicking save on the main site's IPSec page re-establishes the tunnel for the next 24 hours. DPD 60 sec, check for IP change 60 sec.

What to check next? Is there a log entry for any of these features?

Sasa
« Reply #9 on: May 29, 2008, 19:39:02 »
Jackass *
Posts: 8

Getting similar results with 1.3b11.  My tunnel initially comes up, then after 10, 20, maybe 60 minutes it dies.  Usually I just have to disable/enable the tunnel on the m0n0wall and it comes back.  Other times I have to clear the connection on the other end (Cisco 3020).
« Reply #10 on: June 16, 2008, 23:51:50 »
kowalski *
Posts: 2

Hi all / hi everyone

My point-to-point VPN won't re-establish after I switch off the power of my 1.3b11 monowall for testing purposes. Manually deleting the SADs or saving the VPN config will bring up the tunnel again.
It can also happen that there are no SADs existing and only saving like above will help.
This problem drives me crazy.

Any hints welcome.

greets

kowalski
« Reply #11 on: June 19, 2008, 17:37:18 »
kowalski *
Posts: 2

Hi to all of the "my VPN is not running club"

After changing setups and reading logs I finally found my mistake. In my setup I use a monowall (A) + an off-the-shelf firewall (B) which I am going to replace. Anyway, I have to be sure that monowall works with the other for VPN compatibility reasons.

I made a mistake in the phase 1 settings and chose "DES" instead of "3DES", this at firewall (B).

The VPN connection worked anyway, but after powering (A) down/up, the VPN would only be re-established after a trigger from behind (A) but not from behind firewall (B), which showed me that something was wrong.
Strange to me that, although the encryption settings were not exactly the same, the VPN was established anyway -> this probably needs a deeper understanding of the auth. process; maybe there are people who can shed some light into my darkness.

My tip for everybody who has "not re-establishing" problems: please check if the settings are the same on both sides! .....btw yes I know it's written in the manual....

greetings kowalski
