IPSec keepalive

Started by Martinezio, November 02, 2020, 09:46:24 AM

Hi :)

Is it possible to keep IPSec tunnels alive for networks that OPNsense is not a member of (meaning: it has no network interface in them)...
Or something that forces the IPSec tunnel to restart when the SP has expired due to no traffic.
I have one site-to-site tunnel with 3 different "local" networks being routed over it to 1 common remote.
2 of those "locals" are in fact remote for this OPNsense router and I can't assign a new interface so that OPNsense is a part of those networks. On the other side is a FortiGate router, which requires each phase 2 tunnel to be isolated, and we had a lot of problems configuring those tunnels. Now they are working, but only for as long as the phase 2 lifetime (3600 sec). After that time the SP expires and is removed from the list, so the network is not routable anymore...

Is there any way to keep those tunnels alive?

Try setting the inactivity timeout above the Phase 1 lifetime.

Will try that, thanks... I'll let you know :)

Well... not helping at all :/

The problem is only with the phase 2 channels - phase 1 and one of the phase 2s (the one where OPNsense is part of the local network) are working nicely.

Then you need some device behind it generating traffic.
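The last reply is the practical answer: a phase 2 SA is only (re)negotiated when a packet matches its traffic selectors, and OPNsense cannot source such a packet for a local selector it has no address in. The following keepalive script is an added example (not OPNsense, strongSwan or FortiGate code, and not posted by anyone in the thread) that is meant to run on a host inside the "local" networks and ping a far-side host inside the remote selector before the SA can expire. The subnets, source addresses, probe host and interval are constructed for illustration; the `ping -I <address>` flag is assumed to be Linux iputils (FreeBSD uses `-S`).

```python
#!/usr/bin/env python3
"""Keepalive traffic generator for IPsec phase 2 selectors (added example).

Run on a host that owns an address inside each "local" phase 2 selector. Each
probe is sourced from that address and aimed at a host inside the remote
selector, so the packet matches the SP and keeps the CHILD_SA in use.
"""
import ipaddress
import subprocess
import time

# Constructed phase 2 pairs (local selector, remote selector): three locals
# routed to one common remote, as in the thread. Not taken from any real config.
PHASE2_PAIRS = [
    ("10.10.0.0/24", "172.16.50.0/24"),
    ("10.20.0.0/24", "172.16.50.0/24"),
    ("10.30.0.0/24", "172.16.50.0/24"),
]

# Constructed: addresses this host can send from (one per local network it sits in).
LOCAL_SOURCES = ["10.10.0.5", "10.20.0.5", "192.168.1.5"]

# Constructed: a far-side host that answers ICMP, e.g. the FortiGate's inside address.
REMOTE_PROBE = "172.16.50.1"


def plan_probes(pairs, sources, probe):
    """Return ([(src, dst), ...], [local selectors that cannot be kept alive]).

    A packet only refreshes a phase 2 SA if it matches that SA's traffic
    selectors, so the source must lie inside the local selector and the probe
    inside the remote one. Pairs without a usable source are reported rather
    than silently ignored, since they are exactly the tunnels that will drop.
    """
    probe_ip = ipaddress.ip_address(probe)
    plan, skipped = [], []
    for local, remote in pairs:
        local_net = ipaddress.ip_network(local, strict=False)
        remote_net = ipaddress.ip_network(remote, strict=False)
        if probe_ip not in remote_net:
            skipped.append(local)
            continue
        src = next((s for s in sources if ipaddress.ip_address(s) in local_net), None)
        if src is None:
            skipped.append(local)
        else:
            plan.append((src, str(probe_ip)))
    return plan, skipped


def ping_cmd(src, dst):
    """One ICMP echo, 2 s timeout, explicit source address (Linux iputils syntax; assumed)."""
    return ["ping", "-c", "1", "-W", "2", "-I", src, dst]


def run_keepalive(pairs, sources, probe, interval=300, iterations=None, dry_run=False):
    """Send the planned probes every `interval` seconds; `iterations=None` loops forever."""
    plan, skipped = plan_probes(pairs, sources, probe)
    for local in skipped:
        print(f"warning: no usable source/probe for local selector {local}; "
              "that phase 2 SA will not be kept alive from here")
    n = 0
    while iterations is None or n < iterations:
        for src, dst in plan:
            cmd = ping_cmd(src, dst)
            if dry_run:
                print("would run:", " ".join(cmd))
            else:
                # A lost reply is fine: the outbound packet alone triggers the SP.
                subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        n += 1
        if iterations is None or n < iterations:
            time.sleep(interval)
    return plan, skipped


if __name__ == "__main__":
    # Dry run: show which probes would be sent and which selectors are uncovered.
    run_keepalive(PHASE2_PAIRS, LOCAL_SOURCES, REMOTE_PROBE, interval=300,
                  iterations=1, dry_run=True)
```

Keep `interval` well below the phase 2 lifetime (3600 s in the thread) so the SA is rekeyed while still in use rather than allowed to expire, and run one instance per local network that OPNsense has no address in; the `skipped` list makes it obvious when a host is not actually inside the selector it is supposed to keep up (here `10.30.0.0/24`, for which no source was configured).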