OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: mwiora on May 22, 2020, 11:11:14 AM

Title: IPsec - missing automatic tunnel restarts
Post by: mwiora on May 22, 2020, 11:11:14 AM
Hi all,

I am facing issues with my IPsec setup.
Normally everything runs fine, but if something happens to my internet connection, my IPsec tunnels go offline and do not come back.

Did I miss an option I can set so that the tunnel gets re-established as soon as possible?
Thanks in advance,
Matthias
Title: Re: IPsec - missing automatic tunnel restarts
Post by: insecure on June 03, 2020, 08:35:34 PM
Hello Matthias,

were you able to solve the problem? I would also be interested in the solution.

Best regards,

Marc
Title: Re: IPsec - missing automatic tunnel restarts
Post by: QBANIN on June 10, 2020, 11:57:50 PM
Hi, I've done this by setting up Monit service.

Quick howto:

1. Settings / Monit / Setting / Service Test Settings -> New entry +

Name: It's up to you
Condition: failed ping4 count 1 address your_opnsense_internal_ip (this will send 1 ping = 3 retries to the remote IPsec host)
Action: Restart

2. Settings / Monit / Setting / Service Settings -> New entry +

Check Enable

Name: Some name
Type: Remote host
Address: remote_gateway_ip (or the IP of some host inside the remote network that responds to pings)
Start: /usr/local/sbin/swanctl -i --child conN (where N is your connection's position in the list in VPN/IPsec/Status Overview, e.g. con1)
Stop: /usr/local/sbin/swanctl -t --child conN (where N is your connection's position in the list in VPN/IPsec/Status Overview, e.g. con1)
Tests: Select your test name from step 1.
Depends: Nothing depends

General Settings:
Enable service,
I set up polling interval to 60s

This setup will send 3 ping retries to the remote IPsec host every minute. In case all 3 pings time out, the Monit service will stop/start this single connection, and so on every minute :)

If the connection is up and at least 1 ping succeeds, nothing will happen.
If the connection is down and at least 1 ping succeeds, it will be restarted.

Good luck :)
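The Monit setup described in the post above, condensed into a plain sh watchdog as an added example (this is not code from the post or from OPNsense/Monit). It does what the Monit service test and service entry do together: ping a host behind the tunnel three times, and if nothing answers, run the same swanctl stop/start pair against the child SA. The remote address 192.0.2.1 and the child name con1 are assumptions; override them through the environment. PING and SWANCTL are overridable so the control flow can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added example, not from the forum post: sh stand-in for the Monit
# "Remote host" service. Probe a host behind the IPsec tunnel; if all three
# pings are lost, terminate and re-initiate the CHILD_SA with swanctl.
: "${REMOTE_HOST:=192.0.2.1}"          # assumed host inside the remote network
: "${CHILD:=con1}"                     # assumed child SA name (see Status Overview)
: "${INTERVAL:=60}"                    # seconds between checks, like Monit's poll
: "${PING:=ping}"                      # overridable for testing
: "${SWANCTL:=/usr/local/sbin/swanctl}" # overridable for testing
RESTARTS=0                             # number of restart attempts triggered

# Returns 0 if at least one of three pings is answered (ping exits 0 in that
# case on both FreeBSD and Linux), non-zero if all three are lost.
probe() {
    "$PING" -c 3 "$REMOTE_HOST" >/dev/null 2>&1
}

# Equivalent of the post's Stop followed by Start. Counts the attempt even if
# the re-initiation fails, so the caller can see how often it fired.
restart_child() {
    RESTARTS=$((RESTARTS + 1))
    "$SWANCTL" --terminate --child "$CHILD" >/dev/null 2>&1 || true  # SA may already be gone
    "$SWANCTL" --initiate --child "$CHILD"
}

# One check cycle. Returns 0 when the probe succeeded, 1 when a restart was
# triggered (regardless of whether swanctl itself succeeded).
check_tunnel() {
    if probe; then
        return 0
    fi
    printf '%s %s unreachable, restarting child %s\n' \
        "$(date '+%F %T')" "$REMOTE_HOST" "$CHILD" >&2
    restart_child || printf 'swanctl failed to initiate %s\n' "$CHILD" >&2
    return 1
}

# Loop only when asked explicitly, so sourcing the file has no side effects:
#   REMOTE_HOST=10.10.0.1 CHILD=con2 sh ipsec-watchdog.sh --loop
if [ "${1-}" = "--loop" ]; then
    while :; do
        check_tunnel
        sleep "$INTERVAL"
    done
fi
```

Like the Monit configuration, this restarts the child every cycle while the remote stays unreachable; if the far side is down for a long time that is harmless but noisy, so in production you would rate-limit the restart or raise INTERVAL.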
Title: Re: IPsec - missing automatic tunnel restarts
Post by: rainerle on September 05, 2020, 01:41:36 AM
Hi,

I believe you should use "Dead Peer Detection" for this:
- Activate it on Phase 1
- Set to 10 seconds and one retry
- Action to "Restart the tunnel" should do the trick.

Best regards
Rainer
Title: Re: IPsec - missing automatic tunnel restarts
Post by: rhaker on September 23, 2020, 10:25:18 AM
I have noticed that even with DPD the tunnel sometimes just drops and will not come back, even with ongoing traffic just before the drop. Changing and saving the config does bring back the tunnel.

At one site I have parallel tunnels between Cisco devices and between OPNsense devices, and the Cisco devices never drop while the OPNsense needs a bit of encouraging every once in a while.
Title: Re: IPsec - missing automatic tunnel restarts
Post by: mimugmail on September 23, 2020, 11:15:17 AM
The problem is that when 5 DPD cycles are not replied to, the VPN is on hold.
I think the solution would be to disable DPD or set "keyingtries=%" manually
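For reference, the strongSwan swanctl.conf equivalents of the settings discussed in the two replies above (the DPD delay and "restart the tunnel" action Rainer describes, and the unlimited keying tries mimugmail mentions), as an added example that is not from the thread. OPNsense generates its own strongSwan configuration from the GUI, so this fragment only documents what the daemon-level options look like; the connection name con1 and the peer address 203.0.113.10 are assumed.

```conf
# Added example, not OPNsense-generated config: swanctl.conf fragment
# showing the DPD and retry options behind the GUI settings.
connections {
    con1 {
        version = 2
        remote_addrs = 203.0.113.10      # assumed peer address
        # Send a DPD (IKE liveness) probe after 10 s without traffic from the peer.
        dpd_delay = 10s
        # Number of retransmission sequences for initial connect; 0 means retry forever
        # instead of giving up after the default single attempt.
        keyingtries = 0
        children {
            con1 {
                # What to do when DPD declares the peer dead: re-establish the SA.
                dpd_action = restart
                # Re-establish the SA if the peer deletes it.
                close_action = start
                # Bring the SA up when the daemon starts, not only on traffic.
                start_action = start
            }
        }
    }
}
```

dpd_action and close_action are per-child settings, while dpd_delay and keyingtries belong to the IKE_SA; with keyingtries left at its default of 1 a single failed initiation leaves the connection down, which matches the "on hold" behaviour described above.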