IPsec - missing automatic tunnel restarts

Started by mwiora, May 22, 2020, 11:11:14 AM

Hi all,

I am facing issues with my IPsec setup.
Normally everything runs fine - but if something happens to my internet connection, my IPsec tunnels go offline and do not come back.

Did I miss an option I can set so that the tunnel gets re-established as soon as possible?
Thanks in advance,
Matthias

Hello Matthias,

Were you able to solve the problem? I would also be interested in the solution.

Best regards,

Marc

June 10, 2020, 11:57:50 PM #2 Last Edit: June 11, 2020, 12:29:12 PM by QBANIN
Hi, I've done this by setting up Monit service.

Quick howto:

1. Settings / Monit / Setting / Service Test Settings -> New entry +

Name: It's up to you
Condition: failed ping4 count 1 address your_opnsense_internal_ip (this will send 1 ping = 3 retries to the remote IPsec host)
Action: Restart

2. Settings / Monit / Setting / Service Settings -> New entry +

Check Enable

Name: Some name
Type: Remote host
Address: remote_gateway_ip (or some host IP inside the remote network responding to pings)
Start: /usr/local/sbin/swanctl -i --child conN (where N is your connection position on the list in VPN/IPsec/Status Overview, i.e. con1)
Stop: /usr/local/sbin/swanctl -t --child conN (where N is your connection position on the list in VPN/IPsec/Status Overview, i.e. con1)
Tests: Select your test name from p1.
Depends: Nothing depends

General Settings:
Enable service,
I set the polling interval to 60s

This setup will send 3 ping retries to the remote IPsec host every minute. In case all 3 pings time out, the Monit service will stop/start this single connection, and so on every minute :)

If the connection is up and at least 1 ping succeeds, nothing will happen.
If the connection is down and at least 1 ping succeeds, it will be restarted.

Good luck :)
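
The same logic as the Monit service test above, written out as a plain POSIX shell watchdog you could run from cron instead. This is an added example and not code from the thread, from OPNsense or from Monit; the remote address, child SA name, log path and the ping options are placeholders (assumptions, not values from the post) and can be overridden through the environment. It runs the exact swanctl Stop/Start pair the post uses, but only after every ping attempt has failed, and it writes a log line each time it bounces the tunnel so you can see afterwards whether the restarts coincide with a WAN outage rather than a stuck SA.

```sh
#!/bin/sh
# Added example (not from the forum thread, OPNsense or Monit): a cron-driven
# watchdog mirroring the Monit test in the post. It pings the remote side up to
# RETRIES times and, only if every attempt fails, terminates and re-initiates one
# swanctl child SA with the same two commands the post uses.
# Placeholders (assumptions): REMOTE_HOST, CHILD, SWANCTL path, LOG path, PING_OPTS.

REMOTE_HOST="${REMOTE_HOST:-192.0.2.1}"        # placeholder remote gateway (RFC 5737 TEST-NET-1)
CHILD="${CHILD:-con1}"                         # child SA name, e.g. con1 from VPN/IPsec/Status Overview
SWANCTL="${SWANCTL:-/usr/local/sbin/swanctl}"  # binary path used in the post
PING="${PING:-ping}"                           # ping binary; a stub can be substituted for testing
RETRIES="${RETRIES:-3}"                        # three attempts, like the Monit ping test in the post
LOG="${LOG:-/var/log/ipsec-watchdog.log}"      # placeholder log path
# One echo request with a 2 s overall timeout on FreeBSD ping (OPNsense). On Linux
# ping use "-c 1 -W 2" instead, since there -t sets the TTL rather than a timeout.
PING_OPTS="${PING_OPTS:--c 1 -t 2}"

# host_reachable HOST: exit 0 as soon as one echo reply arrives, 1 when all attempts fail.
host_reachable() {
    hr_host="$1"
    hr_try=0
    while [ "$hr_try" -lt "$RETRIES" ]; do
        # shellcheck disable=SC2086  # PING_OPTS is meant to be word-split
        if "$PING" $PING_OPTS "$hr_host" >/dev/null 2>&1; then
            return 0
        fi
        hr_try=$((hr_try + 1))
    done
    return 1
}

# restart_child NAME: the Stop/Start pair from the post (terminate, then initiate the child SA).
restart_child() {
    "$SWANCTL" -t --child "$1" && "$SWANCTL" -i --child "$1"
}

# check_once: one watchdog cycle. Prints "up" when the peer answered, "restarted" when
# the tunnel was bounced and "failed" when swanctl itself returned an error, so a
# caller (or a test) can see which path was taken.
check_once() {
    if host_reachable "$REMOTE_HOST"; then
        echo up
        return 0
    fi
    stamp="$(date '+%Y-%m-%d %H:%M:%S')"
    echo "$stamp $REMOTE_HOST unreachable after $RETRIES pings, restarting $CHILD" >>"$LOG"
    if restart_child "$CHILD" >/dev/null 2>&1; then
        echo restarted
    else
        echo "$stamp swanctl returned an error for $CHILD" >>"$LOG"
        echo failed
    fi
}

# Run a single cycle only when invoked as "sh ipsec-watchdog.sh run", so the file can
# also be sourced for testing. From cron, "* * * * *" matches the 60 s Monit polling
# interval in the post (the script path is an assumption).
if [ "${1:-}" = "run" ]; then
    check_once
fi
```

Because the check is a plain ping, a dead WAN link looks the same as a stuck SA: the script, like the Monit setup it mirrors, will keep bouncing the child SA once a minute until the peer answers. The timestamped log line per restart is what lets you tell those two cases apart afterwards.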

Hi,

I believe you should use "Dead Peer Detection" for this:
- Activate it on Phase 1
- Set to 10 seconds and one retry
- Action to "Restart the tunnel" should do the trick.

Best regards
Rainer

I have noticed that even with DPD the tunnel sometimes just drops and will not come back, even with ongoing traffic just before the drop. Changing and saving the config does bring back the tunnel.

At one site I have parallel tunnels between Cisco devices and between OPNsense devices, and the Cisco devices never drop while the OPNsense needs a bit of encouraging every once in a while.

The problem is that when 5 DPD cycles are not replied to, the VPN is put on hold.
I think the solution would be to disable DPD or set "keyingtries=%" manually.