ipsec is working but no communication is possible

[Kisters]

Hi,
i have a opensense with 5 ipsec tunnels, everything works fine. But after 2 - 3 days, communication is no longer possible within one of the tunnels. However, the tunnel is still established. Reestablishing the VPN connection or restarting the ipsec service does not solve the problem.

After restarting the opensense, everything works again for a few days.
All other tunnels work permanently.

Anyone have an idea what this could be?

Regards Tim

[juere]

Hard to tell unless you provide additional information about the tunnels involved 

I had a similar situation (tunnel up, no traffic, restarting ipsec service did not help, restarting my gateway did) with tunnels where two conditions were both met:

• the remote gateway had a dynamic IPv4 adress
• on my side I was using manual SPD entries

The reason was, that whenever the IPv4 address of the remote gateway changed, the manual SPD entries didn't get updated in the kernel security database. Deleting them in the webinterface (/ui/ipsec/spd) and restarting the tunnel made the tunnel work again.

This is a somewhat exotic situation and possibly not yours, but maybe it helps.

[Kisters]

Hi,
the other side of the tunnel is a Sophos SG105 with a dynamic IP address. If the communication in the tunnel is no longer possible, the ddns name can still be pinged, so I do not assume that we have a problem with the changing IP address.

Also a restart of the remote gateway does not lead to the connection enabling communication again.

Only the reboot of the OpenSense itself fixes the problem temporarily.

There are more VPN tunnels with the same setup on the same OpenSense and there the problem does not occur.


Regards Tim