[pfSense] M0n0wall to PFsense IPsec Tunnel drops every hour, Phase1 config change brings it back
Wade Blackwell
wade at upcycle-consulting.com
Wed Jan 4 05:31:20 EST 2012
Chris good morning,
Yes it was 3600 on the m0n0. I changed it to 5000 for phases 1/2 on
both sides to see if that makes a difference. My understanding is that the
smaller lifetime in phases 1/2 would be negotiated by ISAKMP and thus not
an issue to have different values on each end or one blank?
-W
On Tue, Jan 3, 2012 at 11:12 PM, Chris Buechler <cmb at pfsense.org> wrote:
> On Tue, Jan 3, 2012 at 8:02 PM, Wade Blackwell <wade at bablam.com> wrote:
> > Good evening all,
> > I have an IPsec tunnel between a M0n0wall (1.33) and a pair of
> > virtualized PFsense boxen running 2.0-RELEASE (amd64). I've never seen this
> > issue in an IPsec implementation before. Short history, before I went to a
> > virtualized pair of PF boxes running CARP this tunnel would stay up for .5
> > to a couple days. Once I changed to the CARP/VM setup about an hour is all I
> > get. To bring the tunnel back up all I have to do is go into the m0n0 and
> > change phase 1 to another setting and change it back to the original setting
> > and the tunnel comes back for an hour. I can also change any Phase 1 setting
> > on both ends and the tunnel comes up, again only for about an hour. Anyone
> > seen anything like this?
> >
>
> My first guess is 3600 is your lifetime on phase 2? And maybe it's not
> the same on both sides? That's one common cause. Not enough info there
> to tell you much more, check the SAs on both sides and see how those
> match up. Logs could be telling if there are any.
--
Wade Blackwell
C - 805.400.8485
D - 805.457.8825
S - CoC.WadeBlackwell
www.upcycle-consulting.com