On 12-12-2013 10:48, Jon Gerdes wrote:
>> There exists an IPSEC bug in pfSense 2.1
>>
>> When the router's modem is restarted, the IPSEC tunnel fails to come back
>> up.

The problem exists if you have IPsec tunnels with the hostname: the reload
process fails to reload the firewall filters, so IPsec never negotiates.
Edit /etc/rc.newipsecdns and add the line

filter_configure();

near the end; this causes firewall rules to reload properly. We had this
issue too on 2 separate clusters with about 300 tunnels.

Kind regards,
Seth

>> This bug is documented in the following places by numerous people:
>>
>> https://redmine.pfsense.org/issues/3321
>> http://forum.pfsense.org/index.php/topic,69235.0.html
>> http://forum.pfsense.org/index.php/topic,68776.0.html
>> http://forum.pfsense.org/index.php/topic,67929.0.html
>> http://forum.pfsense.org/index.php/topic,67625.0.html
>>
>> Regards,
>> Christian Borchert
>
> Christian
>
> I run an awful lot of IPSEC tunnels and I generally don't get the problem you
> describe in your trouble ticket, which is not the same as the fault that is
> barely described in the first forum posting you link. The rest are TL;DR for
> me.
>
> Please try disabling DPD at both ends and set the address that you ping to
> any address other than those on the other end's router - that address
> doesn't even have to exist, it just has to be within the remote subnet but
> not one that is bound to the router doing the IPSEC.
>
> Incidentally your report in Redmine does not describe what the other end
> actually is - is it another pfSense box or something else?
>
> Cheers
> Jon
>
> Registered Address : Blueloop House, Ilchester Road, YEOVIL, BA21 3AA
> Registered England & Wales - 3981322
>
> CONFIDENTIAL INFORMATION
> This e-mail and any files attached with it are confidential and for the sole
> use of the intended recipient(s). If you are not the intended recipient(s)
> you are prohibited from using, copying or distributing this or any
> information contained in it and should immediately notify the sender and
> delete the message from your system.
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
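The one-line fix Seth describes, as an added shell example that is not code from the thread or from pfSense: it checks whether /etc/rc.newipsecdns already calls filter_configure(); and, if not, inserts the call near the end of the script, keeping a backup. Whether the script ends in a PHP `?>` tag is an assumption (both layouts are handled), and the sample file below is constructed so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: apply the
# fix Seth describes to /etc/rc.newipsecdns idempotently.
# Assumption: the script may or may not end with a PHP "?>" tag, so
# both layouts are handled. On a real firewall this runs as root.
set -eu

# ensure_filter_configure FILE
# Prints "present" if filter_configure(); is already in FILE,
# "added" after inserting it near the end, and returns 2 if FILE is absent.
ensure_filter_configure() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if grep -q 'filter_configure();' "$file"; then
        echo "present"
        return 0
    fi
    cp "$file" "$file.bak"          # keep a copy for rollback
    tmp="$file.tmp.$$"
    if [ "$(tail -n 1 "$file")" = "?>" ]; then
        # Drop the closing tag, add the call, then restore the tag.
        sed '$d' "$file" > "$tmp"
        printf 'filter_configure();\n?>\n' >> "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'filter_configure();\n' >> "$tmp"
    fi
    mv "$tmp" "$file"
    echo "added"
}

# Constructed stand-in for /etc/rc.newipsecdns so the example runs offline;
# the real script's contents are not shown in the thread.
demo="$(mktemp)"
cat > "$demo" <<'EOF'
#!/usr/local/bin/php -f
<?php
/* constructed placeholder for the IPsec DNS reload logic */
?>
EOF
ensure_filter_configure "$demo"     # added
ensure_filter_configure "$demo"     # present
tail -n 2 "$demo"                   # filter_configure(); followed by ?>
rm -f "$demo" "$demo.bak"
```

After applying it on a real box, a reboot of the modem should leave the IPsec tunnels up; the `.bak` copy lets you revert if the next pfSense upgrade replaces the script.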
