Channel: EdgeRouter topics

IPSec Site to Site VPN with ERL to ERL not stable even with v1.85


I've got a client with a pair of EdgeRouter Lites and they're having issues with a site-to-site IPSec VPN - the tunnel will drop and then not reestablish itself.

We've been through a fair bit of troubleshooting; the latest things we have tried are:

1. Upgraded both ends to 1.8.5, deleted and recreated the VPN configuration in the GUI

2. Added dead-peer-detection as per other posts on this forum

dead-peer-detection {
    action restart
    interval 30
    timeout 120
}

3. Set connection-type to initiate (changed from respond) at both ends

connection-type initiate

The only thing that works when the tunnel drops is to ssh into one of the routers and run sudo ipsec restart

Specifically, running restart vpn instead does not work - it seems to send a SIGINT to shut down the VPN, but then it doesn't come back up again.

Any ideas how to make this tunnel stable, and how to make sure it re-establishes itself should it drop out?

Thanks,
Kai

Here's the relevant config from one end of the VPN:

auto-firewall-nat-exclude enable
esp-group FOO0 {
    compression disable
    lifetime 3600
    mode tunnel
    pfs enable
    proposal 1 {
        encryption aes128
        hash sha1
    }
}
ike-group FOO0 {
    dead-peer-detection {
        action restart
        interval 30
        timeout 120
    }
    ikev2-reauth no
    key-exchange ikev1
    lifetime 28800
    proposal 1 {
        dh-group 14
        encryption aes128
        hash sha1
    }
}
ipsec-interfaces {
    interface pppoe0
}
nat-networks {
    allowed-network 0.0.0.0/0 {
    }
}
nat-traversal enable
site-to-site {
    peer 1.2.3.4 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret my-preshared-secret
        }
        connection-type initiate
        description Remote
        ike-group FOO0
        ikev2-reauth inherit
        local-address 5.6.7.8
        tunnel 1 {
            allow-nat-networks disable
            allow-public-networks disable
            esp-group FOO0
            local {
                prefix 192.168.1.0/24
            }
            remote {
                prefix 192.168.2.0/24
            }
        }
    }
}
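One way to automate the manual workaround Kai describes (ssh in and run sudo ipsec restart) is a small watchdog that probes the far side of the tunnel and restarts IPsec only after several consecutive failures. This is an added example, not code from the original post or from EdgeOS; it assumes a host on the remote prefix that answers ping (192.168.2.1 is a made-up choice inside the remote prefix from the config above) and a periodic trigger such as a cron entry that calls the script with the argument run.

```shell
#!/bin/bash
# Hypothetical tunnel watchdog for an EdgeRouter Lite (added example, not from the post).
# Automates the workaround described above: if the remote side of the site-to-site
# tunnel stays unreachable for several probes in a row, run "sudo ipsec restart".
# Assumed, not from the post: a pingable host behind the peer and a periodic cron trigger.

REMOTE_PROBE="${REMOTE_PROBE:-192.168.2.1}"     # assumed pingable host behind the peer
STATE_FILE="${STATE_FILE:-/tmp/ipsec-watchdog.count}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"            # consecutive failed probes before restarting
PROBE_CMD="${PROBE_CMD:-ping -c 2 -W 2}"         # overridable so the logic can be exercised offline

# Succeeds (exit 0) when the probe host answers through the tunnel.
tunnel_up() {
    $PROBE_CMD "$REMOTE_PROBE" >/dev/null 2>&1   # unquoted on purpose: word-split the command
}

# Pure decision logic: takes the probe result (up|down) and the previous consecutive
# failure count, prints "<new_count> <action>" where action is ok, wait or restart.
decide() {
    local status="$1" prev="$2" count action
    if [ "$status" = up ]; then
        count=0; action=ok
    else
        count=$((prev + 1))
        if [ "$count" -ge "$FAIL_THRESHOLD" ]; then
            count=0; action=restart           # counter resets so we do not restart on every run
        else
            action=wait
        fi
    fi
    printf '%s %s\n' "$count" "$action"
}

# One watchdog pass: probe, update the persisted counter, act on the decision.
run_once() {
    local prev=0 status result
    [ -f "$STATE_FILE" ] && read -r prev < "$STATE_FILE"
    if tunnel_up; then status=up; else status=down; fi
    result=$(decide "$status" "$prev")
    echo "${result%% *}" > "$STATE_FILE"
    case "${result##* }" in
        restart) logger -t ipsec-watchdog "remote $REMOTE_PROBE down for $FAIL_THRESHOLD probes, restarting ipsec"
                 sudo ipsec restart ;;
        wait)    logger -t ipsec-watchdog "probe to $REMOTE_PROBE failed (${result%% *}/$FAIL_THRESHOLD)" ;;
    esac
}

# Only act when invoked as "ipsec-watchdog.sh run", so sourcing the file has no side effects.
if [ "${1:-}" = run ]; then run_once; fi
```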
