**SOLVED** - IPSEC site-to-site P2's not staying connected

Started by Kadence, November 13, 2025, 09:15:55 PM

This one has me scratching my head.
I have an OPNSense virtual machine running in my home office that connects to a handful of client sites with a mixed array of devices at the other end.
This isn't really relevant but I have found lately that I'm needing to restart OPNSense about once every 2 weeks when my Internet goes down. It seemed to be a DNS issue. I suspected that the underlying issue might have been my aging ESX server. Rather than migrate my VM I built a new Proxmox server and rolled a fresh VM from scratch to hold OPNSense. That has solved my Internet outage issues.

Since I built the new instance from scratch I figured now was a good time to rebuild my IPSEC tunnels using the new Connections configuration tool.
I've only tackled one so far and got it set up without too much trouble to connect to a client's pfSense instance.

All went perfectly well but I'm finding after a certain amount of time (the duration of which I haven't determined) my Phase 2 will disconnect.
Overview shows that the Phase 1 is still connected. Disconnecting and reconnecting the Phase 1 will re-establish the Phase 2 without any issues; it just drops later on.

In reading through the forums I see that setting the REQID is a potential fix. This particular connection had 3x Phase 2's in it and I extracted the REQID from the pfSense end to put into OPNSense but that didn't change much for me with preventing the Phase2 from dropping.
So far I have set Start action to Start and DPD to Trap, as well as tried setting Start to Start+Trap. Nothing has changed the outcome for me.

While this is technically a separate issue, having multiple Phase2's appears to be a minor issue. If I set separate Phase2's for each LAN I want to connect to then OPNSense will only connect the first one in the list.
If I put all of the subnets that I want to connect to into one Phase2 then all of them will connect and work fine, until the Phase2 disconnects.
The pfSense instance that I'm connecting to has separate REQID's for each Phase2, so if REQID happens to be part of the fix to prevent my Phase2 from dropping, but OPNSense won't connect them all if there are multiple Phase2's, then I need to find a way to establish multiple Phase2's with REQID's and convince OPNSense to connect all of them.

So far it's not a big deal for me to disconnect/reconnect a Phase1 in order to do what I need to do and just let it connect.
Some of my remote sites are running OPNSense appliances and if I want to switch to configuring them with Connections (or replace some of the pfSense sites with OPNSense) then I'm hoping to find a solution that will prevent the Phase2's from dropping before I go ahead with that. It's not crucial that my tunnels stay active all the time but some of the others have tunnels between them that I'll need to stay active so I'm hoping to solve this puzzle in my network before I push on.

I'd love to hear any thoughts anyone might have as I'm clearly missing something.


I seem to have found my answer.
My Phase 2's were dropping at the Child SA Lifetime of 3600 seconds instead of rekeying.

I tried setting up this new OPNSense instance without tinkering with the IPSEC settings too much from the defaults for the sake of making it easy and trying out as much of the default stuff as possible.
I had to do a little trial and error in pfSense to find settings that would work with an OPNSense Connection set at the EA Defaults.
It seemed a little odd to me that the settings on the OPNSense end should be sort of a mystery.

In pfSense the Phase 1's had an Encryption Algorithm of AES256 with a hash of SHA512 and PFS at 14 (I also had it connect with a PFS of 16).
The Phase 2's were set the same.
These were just the settings that I settled on that happened to establish a connection and let the tunnel work.
While it appeared to be fine, it did leave me with the Phase2's dropping after an hour.

It occurred to me that I didn't fully understand what was happening with the EA set as "Default" in OPNSense. I realize that it utilizes a set of EA's that are optimal for connectivity but I'm not too great a fan of that "just trust it" sort of functionality.
I opted to disable Default and changed the algorithms to a fixed setting.
I set the Phase 1's to aes256gcm16-sha512-ecp521[DH21,NIST EC]
I set the Phase 2's to aes256gcm16-ecp512[DH21,NIST EC]

After adjusting the settings in 3 different pfSense endpoints to the same I've now had 3 tunnels rekey successfully several times without any issues.

I haven't needed to set the REQID and I have all of my LAN subnets configured in one Phase2 rather than multiple Phase 2's like on the pfSense end.
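One way to catch the symptom from the first post (Phase 1 still up while the Phase 2 has quietly expired at its lifetime instead of rekeying) before users notice, as an added example that is not from the poster or the OPNsense project: a small Python parser over the output of strongSwan's `swanctl --list-sas`, which is what OPNsense runs underneath the Connections tool. The sample output below is constructed, and the line format it assumes is that of recent strongSwan releases.

```python
import re

# Constructed sample of `swanctl --list-sas` output (illustrative, not captured from
# the poster's firewall): site-a is healthy, site-b shows the symptom from the thread.
SAMPLE = """\
site-a: #1, ESTABLISHED, IKEv2, 0a1b2c3d4e5f6071_i* 1122334455667788_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  established 1790s ago, rekeying in 12610s
  site-a-child: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 1790s ago, rekeying in 1270s, expires in 1810s
    local  10.10.0.0/24 10.20.0.0/24
    remote 192.168.50.0/24
site-b: #2, ESTABLISHED, IKEv2, 99aabbccddeeff00_i* 0011223344556677_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '192.0.2.77' @ 192.0.2.77[500]
  established 3650s ago, rekeying in 10750s
"""

IKE_RE = re.compile(r"^(?P<name>\S+): #\d+, (?P<state>[A-Z_]+), IKEv[12]")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #\d+, reqid (?P<reqid>\d+), (?P<state>[A-Z_]+)")
TIME_RE = re.compile(r"^\s+installed \d+s ago(?:, rekeying in (?P<rekey>\d+)s)?, expires in (?P<exp>\d+)s")

def parse_sas(text):
    """Group swanctl output into IKE SAs, each carrying its CHILD_SAs and their timers."""
    ikes, child = [], None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ikes.append({"name": m["name"], "state": m["state"], "children": []})
            child = None
        elif (m := CHILD_RE.match(line)) and ikes:
            child = {"name": m["name"], "reqid": int(m["reqid"]), "state": m["state"],
                     "rekey": None, "expires": None}
            ikes[-1]["children"].append(child)
        elif (m := TIME_RE.match(line)) and child is not None:
            child["rekey"] = int(m["rekey"]) if m["rekey"] else None
            child["expires"] = int(m["exp"])
    return ikes

def find_problems(text):
    """Flag IKE SAs that are up with no installed CHILD_SA, and CHILD_SAs that will
    expire with no rekey scheduled; both end in the 'phase 1 up, phase 2 gone' state."""
    problems = []
    for ike in parse_sas(text):
        installed = [c for c in ike["children"] if c["state"] == "INSTALLED"]
        if ike["state"] == "ESTABLISHED" and not installed:
            problems.append(f"{ike['name']}: IKE SA established but no INSTALLED CHILD_SA")
        for c in installed:
            if c["rekey"] is None and c["expires"] is not None:
                problems.append(f"{c['name']} (reqid {c['reqid']}): expires in "
                                f"{c['expires']}s with no rekey scheduled")
    return problems
```

Run it from cron against the live `swanctl --list-sas` output and alert on a non-empty result; a CHILD_SA whose `rekeying in` is close to zero while `expires in` keeps shrinking is the same proposal-mismatch-on-rekey pattern the second post fixed by pinning the algorithms.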