Cougar281
newbie
Topic Author
Posts: 29
Joined: Mon Sep 23, 2013 3:52 am

Site to Site IPSec VPN stops passing traffic

Thu Jul 06, 2017 3:54 am

A quick overview of my network. I have a main location at my home where I have a Watchguard XTM525 firewall. From here, I have three Site to Site VPNs. One goes to a Watchguard 26w, another goes to a virtual pfSense firewall, and the third goes to a Mikrotik RB951G-2HnD (6.38.5). The VPNs to the 26w and the pfSense firewall I never have any issues with.

But the one to the Mikrotik, for reasons I haven't been able to figure out, randomly stops passing traffic, and the only way I can get it to pass traffic again is to go to IP > IPSec > Remote Peers, double click the peer and click 'Kill connections'. Once I do that, the tunnel is re-established and it passes traffic normally again.

I've looked over the config multiple times trying to figure out what I might be missing, but I haven't been able to find anything that stands out. Does anyone have any suggestions as to what I might be missing that would fix this issue?
 
Cougar281
newbie
Topic Author
Posts: 29
Joined: Mon Sep 23, 2013 3:52 am

Re: Site to Site IPSec VPN stops passing traffic

Tue Jul 11, 2017 3:15 pm

No one has any thoughts as to what is causing the VPN from the Mikrotik to stop passing traffic randomly until I kill the connections?
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Site to Site IPSec VPN stops passing traffic

Tue Jul 11, 2017 8:26 pm

It may be something about timeouts, or one end kills the connection after some idle time.
When the connection is dead (but still shows connected on both sides), use the packet sniffer to capture IPSec packets.
Also turn on logging for IPSec; maybe something useful will show in the logs.

I did this with Cisco to Mikrotik. There was a problem with the Cisco shutting down the IPSec tunnel but the Mikrotik wasn't releasing its security associations. My solution was to use a script that would ping the Cisco every 5 seconds. If the ping failed 3 times in a row, the script would kill peers and flush the SAs. For me this issue only happened once a day; nobody noticed the 20 seconds of downtime each day.
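The watchdog described in the post above, written out as an added example for RouterOS 6.x (this is not Van9018's script; it is a reconstruction of the approach he describes). It runs from the scheduler every 5 seconds, pings a host behind the far end of the tunnel, and after three consecutive failures kills the remote peer's connections and flushes the installed SAs so that IKE renegotiates. The far-side host 10.20.0.1, the script/scheduler name ipsec-watchdog and the logging rule are assumptions, not values from the thread. The IPsec logging line is the "turn on logging" step from the same post; the !packet filter keeps per-packet noise out of the memory log.

```routeros
# Added example, not the poster's own script. Assumed values: 10.20.0.1 is a host
# on the remote LAN that is only reachable through the tunnel.
/system logging add topics=ipsec,!packet action=memory

/system script add name=ipsec-watchdog source={
    :local target "10.20.0.1"
    :local maxFail 3

    # Global so the failure count survives between scheduler runs
    :global ipsecFailCount
    :if ([:typeof $ipsecFailCount] = "nothing") do={ :set ipsecFailCount 0 }

    # /ping returns the number of replies received; 0 means the tunnel did not carry the probe
    :if ([/ping $target count=1] = 0) do={
        :set ipsecFailCount ($ipsecFailCount + 1)
    } else={
        :set ipsecFailCount 0
    }

    :if ($ipsecFailCount >= $maxFail) do={
        :log warning ("ipsec-watchdog: " . $maxFail . " consecutive ping failures to " . $target . ", resetting tunnel")
        # Same action as IP > IPSec > Remote Peers > Kill connections in WinBox.
        # This router has a single tunnel, so [find] selects the only peer; with several
        # peers narrow the find to the one that failed.
        /ip ipsec remote-peers kill-connections [find]
        # Drop the stale phase 2 SAs so traffic is not black-holed until they expire
        /ip ipsec installed-sa flush
        :set ipsecFailCount 0
    }
}

/system scheduler add name=ipsec-watchdog interval=5s on-event=ipsec-watchdog
```

This is a workaround, not a root-cause fix: it papers over whatever is killing the SAs, and the poster's "20 seconds of downtime" is the price of three 5-second probe intervals plus renegotiation. The log entries it writes, together with the ipsec topic logging, are the evidence to take to the next step of diagnosis.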
 
tr00g33k
Frequent Visitor
Posts: 84
Joined: Sun Mar 29, 2015 3:58 pm

Re: Site to Site IPSec VPN stops passing traffic

Tue Jul 11, 2017 8:55 pm

If you have PFS (perfect forward secrecy) enabled, try disabling it. Check all the lifetime timers for phase 1 & phase 2.

Another thing to try is to ping every 1-3 seconds through the tunnel, from one side and from the other, and see if the tunnel goes down even if constantly passing traffic through the tunnel.
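The settings the post above refers to, as an added example of where they live on the RouterOS 6.x side (not part of the thread, and not the Watchguard side). On RouterOS the phase 1 lifetime and dead peer detection sit on the peer entry, while the phase 2 lifetime and the PFS group sit in the proposal that the policy references. The peer address 203.0.113.5 and the lifetimes shown are placeholders; the correct values are whatever the XTM525 side is configured with, read from its phase 1 and phase 2 settings. One caveat on the PFS advice: turning PFS off removes forward secrecy for the phase 2 keys. A mismatched PFS/DH group between the two ends is the usual reason PFS "doesn't work", so setting the same group on both ends is the better fix, and disabling it is worth doing only as a short diagnostic step to confirm the mismatch.

```routeros
# Added example, not configuration from the thread. 203.0.113.5 is a placeholder
# for the Watchguard's public address; adjust lifetimes to match the far end.

# Phase 1 (IKE SA): lifetime and dead peer detection are peer properties.
/ip ipsec peer print detail
# Enable DPD so the Mikrotik drops a dead IKE SA instead of keeping stale SAs
# around until the lifetime expires.
/ip ipsec peer set [find address=203.0.113.5/32] lifetime=1d \
    dpd-interval=10s dpd-maximum-failures=3

# Phase 2 (IPsec SA): lifetime and PFS group are proposal properties.
/ip ipsec proposal print detail
/ip ipsec policy print detail
# Match the far end's phase 2 lifetime and DH group here. pfs-group=none is the
# diagnostic step from the post; use the same modp group as the far end instead
# once the mismatch is confirmed.
/ip ipsec proposal set [find default=yes] lifetime=30m pfs-group=modp1024

# While the tunnel is "up but dead", compare these on both routers: a phase 1 SA
# that is established with no phase 2 SAs, or SAs whose counters stop moving,
# points at a rekey or DPD problem rather than a routing one.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
```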
