Score:0

Why do we lose IPSec connections and can't re-establish them?


We have tens of IPSec connections between our office and customer sites. At the office we use pfSense V2.4.5 as VPN gateway and place Ubiquiti Edgerouter X devices with the latest firmware on the customer sites to establish the connection with. The Edgerouter X always establishes the connection, as we do not always have the possibility to forward ports on the customer network(s). It does this by pinging an internal IP on our office site once every minute.

In general the connections are stable and everything is working fine and as expected, though sometimes a connection is lost "randomly" and doesn't come back. I can see in pfSense (System logs / IPsec) that the Edgerouter tries to connect to pfSense.

pfSense log: (screenshot not included)

I don't understand what happens here, as this specific connection worked fine and stable for months. Nothing has changed in the config, neither on the Edgerouter X nor in pfSense. Also, no firmware updates were installed and no reboots happened.

What we tried to fix the connection:

  • Restart Ubiquiti Edgerouter via UNMS (centralized management tool)
  • Hard restart by unplugging the power and reconnecting it
  • Deleting the IPSec settings on the Edgerouter and re-configuring IPsec on the Edgerouter, followed by a reboot as it still didn't work.
  • Reconfiguring the IPSec connection in pfSense (no reboot yet, as this will pull down our whole network).

For now we have around 3 "broken" connections of the 30-35 connections. What's the cause and how can I solve this? We need reliable VPN connections, and if they are disconnected for a really short period they at least need to reconnect automatically!

Ubiquiti Edgerouter-X config: Of course the pfSense config corresponds with the config below, as the connection worked.

 ipsec {
     allow-access-to-local-interface enable
     auto-firewall-nat-exclude enable
     esp-group FOO0 {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes128
             hash sha256
         }
         proposal 2 {
             encryption aes128
             hash sha256
         }
     }
     ike-group FOO0 {
         ikev2-reauth no
         key-exchange ikev2
         lifetime 28800
         proposal 1 {
             dh-group 14
             encryption aes128
             hash sha256
         }
         proposal 2 {
             dh-group 14
             encryption aes128
             hash sha256
         }
     }
     site-to-site {
         peer ipsec.company.de {
             authentication {
                 id an_id_here
                 mode pre-shared-secret
                 pre-shared-secret Some_key_h3r3
             }
             connection-type initiate
             default-esp-group FOO0
             description IPSec_connection
             ike-group FOO0
             ikev2-reauth inherit
             local-address any
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group FOO0
                 local {
                     prefix 10.130.3.0/24
                 }
                 remote {
                     prefix 10.128.0.0/16
                 }
             }
         }
     }
 }

Screenshot of pfSense config: (image not included)

UPDATE: All our Edgerouters are connected to our UNMS server and by coincidence I restored a backup (made automatically by UNMS) and the IPSec connection worked again. I tried this at 2 different (ER-X) devices with the same IPSec issue and it solved the "broken" IPSec connection issue at both devices. The strange thing is that I'm 100% sure that no manual changes were made on both devices between the date of the backup and the time the connection broke. This makes me think that there is a bug in EdgeOS somewhere??
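A keepalive-driven tunnel watchdog for the ER-X side, as an added example that is not part of the original question or of EdgeOS itself: it builds on the once-a-minute ping already used to hold the tunnel up and, after a few consecutive failures, applies the `clear vpn ipsec-peer` workaround mentioned in the comments so the router re-initiates IKE instead of staying down. The probe host, the state-file path and the use of `/opt/vyatta/bin/vyatta-op-cmd-wrapper` to run an operational command from a script are assumptions; the peer name and remote prefix come from the config above.

```sh
#!/bin/sh
# ipsec_watchdog.sh: added example for an EdgeRouter X initiator (not from the
# question or from Ubiquiti). Each run probes a host on the office side through
# the tunnel; after THRESHOLD consecutive failures it clears the IPsec peer so
# the router re-initiates IKE. Run it once a minute from task-scheduler.
#
# Assumptions (placeholders, not taken from the page): PROBE_HOST is an
# address inside the remote prefix 10.128.0.0/16; the STATE_FILE location; and
# that op-mode commands are run via /opt/vyatta/bin/vyatta-op-cmd-wrapper.

PROBE_HOST="${PROBE_HOST:-10.128.0.1}"   # constructed office-side address
PEER="${PEER:-ipsec.company.de}"          # peer name from the config above
THRESHOLD="${THRESHOLD:-3}"               # consecutive failures before a reset
STATE_FILE="${STATE_FILE:-/tmp/ipsec_watchdog.fails}"

# Commands are variables so they can be swapped out, e.g. to test off-router.
PING_CMD="${PING_CMD:-ping -c 1 -W 2}"
RESET_CMD="${RESET_CMD:-/opt/vyatta/bin/vyatta-op-cmd-wrapper clear vpn ipsec-peer}"

# One watchdog pass. Prints "ok", "failing N" or "reset" and keeps the
# consecutive-failure count in STATE_FILE between runs.
tick() {
    fails=$(cat "$STATE_FILE" 2>/dev/null || echo 0)
    fails=${fails:-0}
    if $PING_CMD "$PROBE_HOST" >/dev/null 2>&1; then
        echo 0 > "$STATE_FILE"          # tunnel passes traffic: reset counter
        echo ok
        return 0
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$THRESHOLD" ]; then
        # Same action as the manual workaround from the comments.
        $RESET_CMD "$PEER" >/dev/null 2>&1 || true
        logger -t ipsec-watchdog "cleared peer $PEER after $fails failed probes" || true
        echo 0 > "$STATE_FILE"          # start counting again after the reset
        echo reset
        return 0
    fi
    echo "$fails" > "$STATE_FILE"
    echo "failing $fails"
}

# Only act when invoked as `ipsec_watchdog.sh run`; sourcing just defines tick.
if [ "${1:-}" = run ]; then
    tick
fi
```

The reset only fires after THRESHOLD missed probes in a row, so a single dropped ping does not tear down a working tunnel.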

I have the same problem and I don't know how to solve it. Resetting the IPsec tunnel on the ER-X side via the CLI helps for me, but it isn't convenient: `clear vpn ipsec-peer <peer ip>`
CodeNinja: We tried `restart vpn` and `clear vpn ipsec-peer` as well but it didn't work in our situations (we had it 2 times on 2 different edge routers for now). Fortunately these were the only 2 times we had the issue. "Fingers crossed"