Thursday, October 11, 2018

IPSEC tunnel still established, but stops passing traffic eventually

We have a bit of an odd issue with our IPSEC tunnel. The tunnel connects just fine, and all traffic works as expected. Then, at random (anywhere from a few hours to multiple weeks later), traffic just stops being passed altogether. The tunnel still says it's established, but disconnecting and reconnecting it fixes the issue immediately.

We believe we have tracked down where the issue is occurring, but aren't sure why it's behaving in this manner. Let's say these are the IPs involved:

  • WAN IP: 210.50.50.51
  • pfSense Static IP: 150.30.30.41
  • Remote IP: 140.20.20.31

When we run ipsec statusall on the pfSense appliance, we see the following line:

Security Associations (1 up, 0 connecting): con1000[16]: ESTABLISHED 2 hours ago, 150.30.30.41[150.30.30.41]...140.20.20.31[140.20.20.31] 

That's what it looks like when everything is working just fine. However, when the tunnel is failing to pass traffic, we notice it is instead using/seeing the WAN IP as the Local IP:

Security Associations (1 up, 0 connecting): con1000[16]: ESTABLISHED 2 hours ago, 210.50.50.51[150.30.30.41]...140.20.20.31[140.20.20.31] 

If we disconnect and reconnect the tunnel, it changes back to 150.30.30.41[150.30.30.41] as expected.

Is there something we are missing that can prevent this behavior? In the IPSEC configuration, we have the 'My Identifier' field set to IP Address, and manually entered 150.30.30.41, but that doesn't seem to help.

This is on pfSense 2.4.3-RELEASE-p1, strongSwan 5.6.2, FreeBSD 11.1-RELEASE-p10, amd64.
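As an added example (not code from this post, nor from pfSense or strongSwan), here is a small Python check that parses the "Security Associations" lines of ipsec statusall output and flags exactly the symptom described above: an IKE SA that is still ESTABLISHED but whose local address no longer matches the address the tunnel is configured to use. The expected local address and the two sample outputs are constructed from the placeholder IPs in the post; the idea is to run it from cron (or feed it live output on stdin) so the silent failure is detected and alerted on before users notice, rather than waiting for someone to look at the status page.

```python
import re
import sys
from typing import List, NamedTuple

# Matches the IKE SA summary line printed by `ipsec statusall`, for example:
#   con1000[16]: ESTABLISHED 2 hours ago, 150.30.30.41[150.30.30.41]...140.20.20.31[140.20.20.31]
# i.e. "<conn>[<ike-id>]: ESTABLISHED <age>, <local-addr>[<local-id>]...<remote-addr>[<remote-id>]".
SA_LINE = re.compile(
    r"(?P<conn>[\w-]+)\[(?P<ike_id>\d+)\]:\s+ESTABLISHED\s+(?P<age>[^,]+),\s+"
    r"(?P<local_addr>[\d.]+)\[(?P<local_id>[^\]]+)\]\.\.\."
    r"(?P<remote_addr>[\d.]+)\[(?P<remote_id>[^\]]+)\]"
)


class SaCheck(NamedTuple):
    conn: str
    local_addr: str
    local_id: str
    remote_addr: str
    ok: bool  # True when the SA's local address is the one we expect


def parse_established_sas(status_text: str) -> List[dict]:
    """Return one dict of named fields per ESTABLISHED IKE SA found in the output."""
    found = []
    for line in status_text.splitlines():
        m = SA_LINE.search(line)
        if m:
            found.append(m.groupdict())
    return found


def check_local_addresses(status_text: str, expected_local: str) -> List[SaCheck]:
    """Compare each established SA's local address against the configured one.

    The SA stays ESTABLISHED in both states, so the identity in brackets is not
    enough; the address in front of it is what drifts in the failure case."""
    results = []
    for sa in parse_established_sas(status_text):
        results.append(SaCheck(
            conn=sa["conn"],
            local_addr=sa["local_addr"],
            local_id=sa["local_id"],
            remote_addr=sa["remote_addr"],
            ok=(sa["local_addr"] == expected_local),
        ))
    return results


def drifted_connections(status_text: str, expected_local: str) -> List[str]:
    """Connection names whose local address drifted; suitable for an alert hook."""
    return [c.conn for c in check_local_addresses(status_text, expected_local) if not c.ok]


# Constructed sample output shaped like the two lines quoted in the post
# (the SA line is indented the way strongSwan prints it under the header).
HEALTHY = """\
Security Associations (1 up, 0 connecting):
     con1000[16]: ESTABLISHED 2 hours ago, 150.30.30.41[150.30.30.41]...140.20.20.31[140.20.20.31]
"""
# Same tunnel in the failing state: WAN address in front, static identity in brackets.
DRIFTED = HEALTHY.replace("150.30.30.41[150.30.30.41]", "210.50.50.51[150.30.30.41]")

EXPECTED_LOCAL = "150.30.30.41"  # the post's static IP; an assumption for this example

if __name__ == "__main__":
    # Usage on the appliance (assumed invocation): ipsec statusall | python3 check_sa.py -
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        samples = [("live", sys.stdin.read())]
    else:
        samples = [("healthy", HEALTHY), ("drifted", DRIFTED)]
    for label, text in samples:
        for c in check_local_addresses(text, EXPECTED_LOCAL):
            state = "OK" if c.ok else "MISMATCH"
            print(f"{label}: {c.conn} local={c.local_addr} id={c.local_id} "
                  f"remote={c.remote_addr} {state}")
```

Run without arguments it prints the check against the two constructed samples; with "-" it reads real ipsec statusall output from stdin, and a non-empty drifted_connections() result is the condition to alert on (or to trigger a scripted restart of that connection, which is the workaround the post already describes).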


