Score: 0

Why do we lose IPSec connections and can't re-establish them?


We have tens of IPSec connections between our office and customer sites. At the office we use pfSense V2.4.5 as the VPN gateway and we place Ubiquiti Edgerouter X devices with the latest firmware at the customer sites to establish the connection. The Edgerouter X always initiates the connection, as we do not always have the possibility to forward ports on the customer network(s). It does this by pinging an internal IP at our office site once every minute.

In general the connections are stable and everything works fine and as expected, though sometimes a connection is lost "randomly" and doesn't come back. I can see in pfSense (System logs / IPsec) that the Edgerouter tries to connect to pfSense.

pfSense log: (screenshot not included on this page)

I don't understand what happens here, as this specific connection worked fine and stable for months. Nothing has changed in the config, neither on the Edgerouter X nor in pfSense. Also, no firmware updates were installed and no reboots happened.

What we tried to fix the connection:

  • Restart the Ubiquiti Edgerouter via UNMS (centralized management tool)
  • Hard restart by unplugging the power and reconnecting it
  • Deleting the IPSec settings on the Edgerouter and re-configuring IPsec on the Edgerouter, followed by a reboot as it still didn't work
  • Reconfiguring the IPSec connection in pfSense (no reboot yet, as this will pull down our whole network)

For now we have around 3 "broken" connections out of the 30-35 connections. What's the cause and how can I solve this? We need reliable VPN connections, and if they are disconnected for a really short period they at least need to reconnect automatically!

Ubiquiti Edgerouter-X config (of course the pfSense config corresponds with the config below, as the connection worked):

 ipsec {
     allow-access-to-local-interface enable
     auto-firewall-nat-exclude enable
     esp-group FOO0 {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes128
             hash sha256
         }
         proposal 2 {
             encryption aes128
             hash sha256
         }
     }
     ike-group FOO0 {
         ikev2-reauth no
         key-exchange ikev2
         lifetime 28800
         proposal 1 {
             dh-group 14
             encryption aes128
             hash sha256
         }
         proposal 2 {
             dh-group 14
             encryption aes128
             hash sha256
         }
     }
     site-to-site {
         peer ipsec.company.de {
             authentication {
                 id an_id_here
                 mode pre-shared-secret
                 pre-shared-secret Some_key_h3r3
             }
             connection-type initiate
             default-esp-group FOO0
             description IPSec_connection
             ike-group FOO0
             ikev2-reauth inherit
             local-address any
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group FOO0
                 local {
                     prefix 10.130.3.0/24
                 }
                 remote {
                     prefix 10.128.0.0/16
                 }
             }
         }
     }
 }

Screenshot of the pfSense config: (screenshot not included on this page)

UPDATE: All our Edgerouters are connected to our UNMS server, and by coincidence I restored a backup (made automatically by UNMS) and the IPSec connection worked again. I tried this on 2 different (ER-X) devices with the same IPSec issue and it solved the "broken" IPSec connection issue on both devices. The strange thing is that I'm 100% sure that no manual changes were made on either device between the date of the backup and the time the connection broke. This makes me think that there is a bug in EdgeOS somewhere??

I have the same problem and I don't know how to fix it. Resetting the IPsec tunnel on the ER-X side via the CLI helps me, but it is not convenient: `clear vpn ipsec-peer`
CodeNinja:
I also tried `restart vpn` and `clear vpn ipsec-peer`, but they did not work in our situations (we have had it 2 times on 2 different Edgerouters for the moment). Fortunately, here we have had the problem only 2 times. "Fingers crossed"
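As an added example (not code from the original post, from Ubiquiti, or from pfSense), here is a small watchdog script that automates the two recovery commands named in the comments, `clear vpn ipsec-peer` and `restart vpn`, so that a tunnel that drops is at least retried without someone logging in. It assumes the standard EdgeOS op-mode wrapper `/opt/vyatta/bin/vyatta-op-cmd-wrapper`, a swanctl-style `show vpn ipsec sa` listing in which each installed ESP SA appears on a `peer-<name>-tunnel-<n>: ... INSTALLED` line (the sample listings embedded in the script are constructed; compare them with your own router's output before relying on the match), and placeholder values for the peer name and for the probe address `10.128.0.1`, which is assumed to be an office-side host reachable only through the tunnel. It does not address the underlying EdgeOS behaviour reported in the question, where only a config restore helped; it only makes the retry automatic and logs what it did.

```shell
#!/bin/sh
# ipsec-watchdog.sh -- added example; not code from the original post, Ubiquiti or pfSense.
# Assumptions: EdgeOS op-mode commands run through the Vyatta wrapper below,
# 'show vpn ipsec sa' prints a swanctl-style listing, PEER matches the name used
# in 'set vpn ipsec site-to-site peer <PEER>', and PROBE_IP is only reachable
# through the tunnel. PEER and PROBE_IP are placeholders.

PEER="${PEER:-ipsec.company.de}"
PROBE_IP="${PROBE_IP:-10.128.0.1}"
OPCMD="/opt/vyatta/bin/vyatta-op-cmd-wrapper"
STATE_FILE="/tmp/ipsec-watchdog.${PEER}.fails"
FAIL_LIMIT=3   # consecutive failed probes (one per minute) before intervening

# Constructed sample listings, used only by the offline self-test.
SAMPLE_UP='peer-ipsec.company.de-tunnel-1: #3, ESTABLISHED, IKEv2, c0ffee01_i c0ffee02_r
  local  an_id_here @ 198.51.100.5[4500]
  remote ipsec.company.de @ 203.0.113.10[4500]
  peer-ipsec.company.de-tunnel-1: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    local  10.130.3.0/24
    remote 10.128.0.0/16'
SAMPLE_CONNECTING='peer-ipsec.company.de-tunnel-1: #4, CONNECTING, IKEv2
  local  an_id_here @ 198.51.100.5[500]
  remote ipsec.company.de @ 203.0.113.10[500]'
SAMPLE_NONE=''

# sa_installed LISTING PEER -> exit 0 if an ESP (child) SA for PEER is installed.
# An IKE SA that is merely ESTABLISHED or CONNECTING does not count: traffic
# only flows once a child SA is INSTALLED.
sa_installed() {
    printf '%s\n' "$1" | grep -q "peer-$2-tunnel-[0-9]*:.*INSTALLED"
}

# decide_action PING_OK SA_UP FAILS -> prints ok | wait | clear-peer | restart-vpn
decide_action() {
    if [ "$1" -eq 1 ]; then
        echo ok
    elif [ "$3" -lt "$FAIL_LIMIT" ]; then
        echo wait          # short outage: give the initiator a chance to recover by itself
    elif [ "$2" -eq 1 ]; then
        echo clear-peer    # SA installed but passing no traffic: tear it down and renegotiate
    else
        echo restart-vpn   # no SA and no recovery: restart the whole IPsec subsystem
    fi
}

# One watchdog pass: probe, classify, act, and keep the failure counter on disk.
run_once() {
    status=$("$OPCMD" show vpn ipsec sa 2>/dev/null || true)
    if ping -c 1 -W 2 "$PROBE_IP" >/dev/null 2>&1; then ping_ok=1; else ping_ok=0; fi
    if sa_installed "$status" "$PEER"; then sa_up=1; else sa_up=0; fi
    fails=$(cat "$STATE_FILE" 2>/dev/null); fails=${fails:-0}
    action=$(decide_action "$ping_ok" "$sa_up" "$fails")
    case "$action" in
        ok)   fails=0 ;;
        wait) fails=$((fails + 1)) ;;
        clear-peer)
            logger -t ipsec-watchdog "probe $PROBE_IP failed ${fails}x with SA installed; clearing peer $PEER"
            "$OPCMD" clear vpn ipsec-peer "$PEER"
            fails=0 ;;
        restart-vpn)
            logger -t ipsec-watchdog "probe $PROBE_IP failed ${fails}x with no SA; restarting vpn"
            "$OPCMD" restart vpn
            fails=0 ;;
    esac
    echo "$fails" > "$STATE_FILE"
    echo "$action"
}

# Offline self-test against the constructed listings (no router commands run).
selftest() {
    sa_installed "$SAMPLE_UP" "$PEER" || return 1
    sa_installed "$SAMPLE_CONNECTING" "$PEER" && return 1
    [ "$(decide_action 0 1 "$FAIL_LIMIT")" = clear-peer ] || return 1
    [ "$(decide_action 0 0 "$FAIL_LIMIT")" = restart-vpn ] || return 1
    return 0
}

case "${1:-selftest}" in
    run)      run_once ;;
    selftest) selftest && echo "selftest ok" ;;
esac
```

Put the script under `/config/scripts/` (which survives firmware upgrades) and let the router run it every minute with the `run` argument, for example via `set system task-scheduler task ipsec-watchdog interval 1m`, `... executable path /config/scripts/ipsec-watchdog.sh` and `... executable arguments run`. Three consecutive failed probes while the listing still shows an INSTALLED SA are treated as a stale SA and the peer is cleared; three failures with no SA at all mean the initiator is not recovering, so `restart vpn` is issued, which on a single-peer ER-X like the one configured above only affects that tunnel. Run with no argument, the script performs the offline self-test only.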
