IPSec site to site seems to lose/break connection after some time

Started by kumba, July 03, 2025, 08:38:38 PM

I've got a site-to-site IPSec VPN set up between two routers with static IPs. Site A is a BGP router with a single static IP. Site B has two cable modems with static IPs. The VPN is set up to use any of the static IPs on Site B to connect with. I have MOBIKE enabled, which from what I can tell should help in multi-homed situations. I can manually connect the sites and things work great, but at some point the link will go down and not re-establish.

Time-wise, the link might stay up for 3 hours or it might stay up for 20 hours. I've yet to see it stay up for a day or longer. I am doing some hefty file transfers over the link, but I wouldn't expect this to be a problem since the CPU load on both routers is just fine.

Any guidance on where I should look to try and see why the connection keeps breaking? Or is there a way I can tell it to keep trying to re-establish the link if it goes down?

So I've narrowed down the problem.

On Site A with the BGP router, it's originating the IPSec from the BGP peer side instead of the routed IP block. I assume this is a misconfiguration somewhere on my side. Is there a way to get the router to originate the IPSec connection from the routed IP block instead of the BGP Peer IPs?

That depends entirely on the feature set of the mentioned router. Check its documentation or consult vendor support or the $router community forum. There is no standard way that is the same for all products to do something like this.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

All routers involved except the upstream ISP side are OPNSense boxes running 25.1.10. I believe this forum is the correct community to be asking these questions.

Here's how the network is laid out:
BGP1 = 1.2.3.4/28
BGP2 = 2.3.4.5/28
IPBlock = 4.3.2.1/24

The issue I am having is when charon/strongswan goes to send packets to the remote OPNSense router it's picking the BGP Peer IPs instead of the routed IP block to initiate the connection. I can initiate the VPN from the remote side and it will establish and stay up for an hour or so. Eventually OPNSense goes to re-key (or whatever it does) and tries to use the BGP IPs to initiate the traffic instead of my IP Block.

Another thing of note is that 4.3.2.1 is a CARP IP, with the static IP being 4.3.2.2.

I think what I need help with is making traffic initiated by OPNSense itself originate from 4.3.2.1 and not 1.2.3.4 or 2.3.4.5.
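A quick way to confirm which local address charon is actually using after a re-key is to parse `swanctl --list-sas` and flag every IKE SA whose local endpoint is not the CARP VIP. This is an added example, not code from the thread or from OPNsense; the connection name `siteb`, the remote peer 5.6.7.8 and the SPI values in the sample are constructed, only the 4.3.2.1 and 1.2.3.4 addresses come from the post above.

```shell
#!/bin/sh
# Added example: detect IKE SAs that charon bound to the wrong local address.
# Input format is that of `swanctl --list-sas`; sample below is constructed.

EXPECTED_VIP="4.3.2.1"   # the CARP VIP IKE should originate from (from the thread)

# Constructed sample output: SA #7 is sourced from the VIP, SA #8 was re-keyed
# from the BGP peer address 1.2.3.4, which is the symptom described in the thread.
# Connection name, peer address and SPIs are assumptions, not from the post.
sample_sas() {
  cat <<'EOF'
siteb: #7, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  '4.3.2.1' @ 4.3.2.1[4500]
  remote '5.6.7.8' @ 5.6.7.8[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 41s ago, rekeying in 13954s
  siteb: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  4.3.2.0/24
    remote 10.20.0.0/16
siteb: #8, ESTABLISHED, IKEv2, 2b3c4d5e6f7a8b9c_i 9c8b7a6f5e4d3c2b_r
  local  '4.3.2.1' @ 1.2.3.4[4500]
  remote '5.6.7.8' @ 5.6.7.8[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_256/ECP_256
  established 3s ago, rekeying in 14038s
EOF
}

# Reads swanctl --list-sas text on stdin; prints "<conn> #<id> <local ip>" for
# every IKE SA whose local address differs from $1. Exit 1 if any were found.
find_wrong_source() {
  awk -v want="$1" '
    # IKE SA header: "<conn>: #<id>, <state>, IKEv2, ..." starts in column 1
    /^[^ ]+: #[0-9]+,/ { conn = $1; sub(/:$/, "", conn); id = $2; sub(/,$/, "", id); next }
    # IKE-level "local  <identity> @ <ip>[<port>]" is indented exactly two spaces;
    # child SA traffic selectors are indented four and are skipped.
    /^  local / {
      n = split($0, parts, "@"); addr = parts[n]       # last "@" survives identities containing @
      gsub(/^[ ]+|\[.*$/, "", addr)                    # strip leading blanks and "[port]"
      if (addr != want) { print conn, id, addr; bad = 1 }
    }
    END { exit bad ? 1 : 0 }'
}

# Run against the constructed sample; on a live box use:
#   swanctl --list-sas | find_wrong_source "$EXPECTED_VIP"
sample_sas | find_wrong_source "$EXPECTED_VIP" || echo "IKE SA(s) not sourced from $EXPECTED_VIP"
```

Any line printed is an SA that will break once the BGP peer address is not reachable from the far end, so it is worth pairing this check with a look at the connection's local address setting and the MOBIKE flag.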