20.7 Legacy Series / Problem with IpSec Site2Site Tunnel
« on: October 06, 2020, 01:59:07 pm »
Hi,
I have an OPNsense running with 20.7.3 and an IPsec IKEv1 tunnel to a remote location. The tunnel works fine for a while, but after some time it is disconnected and no automated reconnect is made; I have to manually start it again from the "Status Overview" page. The config for the tunnel looks like this:
Code:
conn con1-000
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 180s
  dpdtimeout = 1080s
  left = <<MyIP>>
  right = <<TheirIP>>
  leftid = <<MyIP>>
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha256-modp1536!
  leftauth = psk
  rightauth = psk
  rightid = <<TheirIP>>
  rightsubnet = <<TheirSubnet_1>>
  leftsubnet = <<MySubnet>>
  esp = aes256-sha256-modp2048!
  auto = start

conn con1-001
  aggressive = no
  fragmentation = yes
  keyexchange = ikev1
  mobike = yes
  reauth = yes
  rekey = yes
  forceencaps = no
  installpolicy = yes
  type = tunnel
  dpdaction = clear
  dpddelay = 180s
  dpdtimeout = 1080s
  left = <<MyIP>>
  right = <<TheirIP>>
  leftid = <<MyIP>>
  ikelifetime = 28800s
  lifetime = 3600s
  ike = aes256-sha256-modp1536!
  leftauth = psk
  rightauth = psk
  rightid = <<TheirIP>>
  rightsubnet = <<TheirSubnet_2>>
  leftsubnet = <<MySubnet>>
  esp = aes256-sha256-modp2048!
  auto = start
In the logs I can only find these messages for the connection after it got disconnected:
Code:
Oct 6 13:31:39 fw charon[7266]: 16[KNL] creating acquire job for policy <<MyIP>>/32 === <<TheirIP>>/32 with reqid {0}
Oct 6 13:31:54 fw charon[7266]: 12[KNL] creating acquire job for policy <<MyIP>>/32 === <<TheirIP>>/32 with reqid {0}
Does someone have an idea what might be going on here and how I would be able to fix it?
Thanks for any hint!
Sebastian