VPN Tunnel hangs after Smart Link Backup Failover

Daniel Hoegele
Level 1

I'm using an RV082 (v4.2.3.03) in a branch office to establish a VPN tunnel to our main office firewall (pfsense 2.1.4).

As long as I'm using a single WAN connection on the RV082, everything runs fine. When I add a second WAN in "Smart Link Backup" mode, the VPN connection "hangs" (shows "connected" but IP traffic fails) after almost each WAN reconnect (our ISP reconnects every 24h).

WAN Setup:
WAN1 PPPoE with Keep Alive redial: 30s. Auto MTU.
WAN2 PPPoE with Keep Alive redial: 30s. Auto MTU
WAN2 gets the same IP address if WAN1 goes down.

Dual WAN Setup:
Smart Link Backup: WAN1 primary
Fallback after: 30s
WAN1/WAN2 Service Detection: Retries: 5, Timeout: 60s, Failover: Keep log and remove connection

VPN Setup:
Tunnel Interface: WAN1
Security Type: "IP only"
IKE-PSK, Group2, AES-256, SHA1
Phase1: 28800s
Phase2: 3600s
main mode
Keep-Alive on
DPD: 10s
Tunnel Backup: Interface WAN2, same remote IP, Idle Time 60s

Logs:
After a WAN reconnect I get following log entries in the RV082:
Jul 17 06:49:17 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 3dcd eth2 
Jul 17 06:49:17 2014 System Log [pppoe] Got connection: 3dcd 
Jul 17 06:49:19 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK 
Jul 17 06:49:55 2014 Kernel last message repeated 2 times 

and the pfsense:
racoon: [SITE]: [Remote IP] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP [Remote IP][0]->[Local IP][0]
racoon: ERROR: phase1 negotiation failed due to time up. f5e56cfa623a88f0:0000000000000000
racoon: [SITE]: [Remote IP] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
racoon: INFO: delete phase 2 handler.
racoon: [SITE]: [Remote IP] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP [Remote IP][0]->[Local IP][0]
racoon: INFO: begin Identity Protection mode.

This repeats until I open and save the VPN settings on the RV082. Thereafter the VPN is up again:
Jul 17 09:03:25 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 5b40 eth2 
Jul 17 09:03:25 2014 System Log [pppoe] Got connection: 5b40 
Jul 17 09:03:30 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK 
Jul 17 09:03:36 2014 VPN Log (g2gips0) #5: [Tunnel Established] ISAKMP SA established 
Jul 17 09:03:36 2014 System Log gateway_to_gateway.htm is changed. 
Jul 17 09:03:37 2014 VPN Log (g2gips0) #6: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x0ddb99e0 <0x9095ae0c} 
Jul 17 09:03:37 2014 VPN Log (g2gips0) #7: [Tunnel Established] IPsec SA established {ESP=>0x01128af2 <0x8ccce43c} 
Jul 17 09:03:40 2014 VPN Log (g2gips0) #8: [Tunnel Established] sent MR3, ISAKMP SA established 
Jul 17 09:03:57 2014 System Log network.htm is changed. 
Jul 17 09:04:01 2014 System Log DMZ connection is up : 0.0.0.0/255.255.255.0 on eth2 

Any ideas how to solve this?
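One way to catch this condition from the router's own log, rather than by noticing that traffic has stopped: correlate each PPPoE reconnect with what the VPN log reports afterwards. A healthy failover is followed within a short window by an "IPsec SA established" entry; a stuck tunnel shows only repeated "Tunnel Authorize Fail" entries. The script below is an added example, not part of the original post or Cisco's software; the sample lines are copied from the log excerpts above (with the "[Remote IP]" placeholder kept as written), and the 120-second window is an assumption chosen to be longer than the 30s redial plus DPD interval in the setup described.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the RV082 lines quoted in the post, first the stuck
# reconnect at 06:49, then the reconnect at 09:03 after which the SA came up.
SAMPLE_LOG = """\
Jul 17 06:49:17 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 3dcd eth2
Jul 17 06:49:17 2014 System Log [pppoe] Got connection: 3dcd
Jul 17 06:49:19 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 06:49:55 2014 Kernel last message repeated 2 times
Jul 17 09:03:25 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 5b40 eth2
Jul 17 09:03:25 2014 System Log [pppoe] Got connection: 5b40
Jul 17 09:03:30 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 09:03:36 2014 VPN Log (g2gips0) #5: [Tunnel Established] ISAKMP SA established
Jul 17 09:03:37 2014 VPN Log (g2gips0) #6: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x0ddb99e0 <0x9095ae0c}
"""

# "Jul 17 06:49:17 2014 <facility> <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")


def parse_lines(text):
    """Turn raw RV082 log text into a list of (datetime, message) tuples."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the router's log format
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S %Y")
        events.append((ts, m.group("msg")))
    return events


def find_stuck_tunnels(text, window=timedelta(seconds=120)):
    """For every PPPoE reconnect, report whether an IPsec SA was established
    within `window`. Counts 'Tunnel Authorize Fail' entries, including the
    kernel's 'last message repeated N times' compression of them."""
    events = parse_lines(text)
    results = []
    for i, (ts, msg) in enumerate(events):
        if "[pppoe] Got connection" not in msg:
            continue
        deadline = ts + window
        auth_fail = 0
        last_was_auth_fail = False
        established = None
        for ts2, msg2 in events[i + 1:]:
            if ts2 > deadline or "[pppoe] Got connection" in msg2:
                break  # window expired, or the next reconnect started
            rep = REPEAT_RE.search(msg2)
            if rep and last_was_auth_fail:
                auth_fail += int(rep.group(1))
                continue
            last_was_auth_fail = "Tunnel Authorize Fail" in msg2
            if last_was_auth_fail:
                auth_fail += 1
            if "IPsec SA established" in msg2:
                established = ts2
                break
        results.append({
            "reconnect_at": ts,
            "authorize_failures": auth_fail,
            "ipsec_up_at": established,
            "stuck": established is None,
        })
    return results


if __name__ == "__main__":
    for r in find_stuck_tunnels(SAMPLE_LOG):
        state = "STUCK" if r["stuck"] else "ok"
        print(f"{r['reconnect_at']}: {state}, authorize failures={r['authorize_failures']}")
```

Run against the sample, the first reconnect is flagged as stuck with three authorize failures (one logged plus two repeats) and the second is reported as healthy. Fed with a syslog export from the router, the same check gives a concrete alert for the "connected but no traffic" state instead of relying on users to report it.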

3 Replies

Ismael Arroyo
Level 1

This is why the logs are indicating that phase 2 never sees a phase 1 connection. Phase 1 times out because it's unable to find the correct WAN IP.

When the connection fails from one public IP and establishes another connection with a different public IP, the pfsense VPN will not know of the new public IP. The one way it will know is by having the tunnel backup feature on both ends of the tunnel.

First you need 2 devices on both ends that support VPN failover. The one device I can recall that has this feature is the RV320. With two RV320s on both ends you would be able to do VPN failover with no issues.

Hi Ismael!

In my case the WAN ip doesn't change: I've got a fixed IP that works on both physical DSL lines. So if WAN1 fails, WAN2 will establish the connection with the same IP. Therefore I don't understand why the VPN gets stuck. It should be almost the same as a WAN1 without failover...

Hi Ismael,

How do I configure the VPN failover using 2 Cisco RV320?

I have 2 links in 2 sites.

One VPN is OK. But the failover does not work.

Should I configure the Remote IP address on failover?

If you have a manual to do this configuration, please send the link to me.

Thanks.
