OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Martinezio on November 02, 2020, 09:46:24 am

Title: IPSec keepalive
Post by: Martinezio on November 02, 2020, 09:46:24 am
Hi :)

Is it possible to keep alive IPSec tunnels for networks that OpnSense is not a member of (meaning it has no network interface in them)...
Or something that forces a restart of the IPSec tunnel when the SP has expired due to no traffic.
I have one site-to-site tunnel with 3 different "local" networks being routed over to 1 common remote.
2 of those "locals" are in fact remote for this OpnSense router and I can't assign a new interface so that the OpnSense is a part of those networks. On the other side is a FortiGate router, which requires each 2nd phase tunnel to be isolated, and we had a lot of problems configuring those tunnels. Now they are working, but only as long as the 2nd phase lifetime is defined (3600 sec). After that time the SP expires and is removed from the list, so the network is not routable anymore...

Is there any way to keep those tunnels alive?
Title: Re: IPSec keepalive
Post by: mimugmail on November 02, 2020, 01:38:24 pm
Try setting the inactivity timeout over the Phase 1 lifetime.
Title: Re: IPSec keepalive
Post by: Martinezio on November 03, 2020, 09:20:25 am
Will try that, thanks... I'll let you know :)
Title: Re: IPSec keepalive
Post by: Martinezio on November 03, 2020, 11:59:55 am
Well... not helping at all :/

The problem is only with the phase 2 channels - phase 1 and one of the phase 2 channels (the one whose local network OpnSense is a part of) are working nicely.
Title: Re: IPSec keepalive
Post by: mimugmail on November 03, 2020, 01:52:46 pm
Then you need some device behind it generating traffic.