IPSEC VPN times out when Internet is up on both sides

Hello Everyone,

We seem to have continual problems with our IPSEC point to point connection between the main office, and our remote satellite office. Every week or every other week the VPN connection goes down and the only solution we have found is to restart the IPFire at the remote satellite office. Here are the IPSEC logs at the remote office:


Total hits for log section ipsec June 07, 2021: 3064

Time	Section	 
08:34:49	charon:	15[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:34:49	charon:	15[ENC] generating INFORMATIONAL response 9 [ ]
08:34:49	charon:	15[ENC] parsed INFORMATIONAL request 9 [ ]
08:34:49	charon:	15[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:34:19	charon:	11[ENC] parsed INFORMATIONAL response 5 [ ]
08:34:19	charon:	11[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:34:19	charon:	09[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:34:19	charon:	09[ENC] generating INFORMATIONAL request 5 [ ]
08:34:19	charon:	09[IKE] sending DPD request
08:33:49	charon:	14[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:33:49	charon:	14[ENC] generating INFORMATIONAL response 8 [ ]
08:33:49	charon:	14[ENC] parsed INFORMATIONAL request 8 [ ]
08:33:49	charon:	14[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:32:49	charon:	09[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:32:49	charon:	09[ENC] generating INFORMATIONAL response 7 [ ]
08:32:49	charon:	09[ENC] parsed INFORMATIONAL request 7 [ ]
08:32:49	charon:	09[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:32:19	charon:	12[ENC] parsed INFORMATIONAL response 4 [ ]
08:32:19	charon:	12[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:32:19	charon:	11[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:32:19	charon:	11[ENC] generating INFORMATIONAL request 4 [ ]
08:32:19	charon:	11[IKE] sending DPD request
08:31:49	charon:	06[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:31:49	charon:	06[ENC] generating INFORMATIONAL response 6 [ ]
08:31:49	charon:	06[ENC] parsed INFORMATIONAL request 6 [ ]
08:31:49	charon:	06[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:31:19	charon:	09[ENC] parsed INFORMATIONAL response 3 [ ]
08:31:19	charon:	09[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:31:19	charon:	08[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:31:19	charon:	08[ENC] generating INFORMATIONAL request 3 [ ]
08:31:19	charon:	08[IKE] sending DPD request
08:30:49	charon:	11[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:30:49	charon:	11[ENC] generating INFORMATIONAL response 5 [ ]
08:30:49	charon:	11[ENC] parsed INFORMATIONAL request 5 [ ]
08:30:49	charon:	11[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:29:19	charon:	12[ENC] parsed INFORMATIONAL response 2 [ ]
08:29:19	charon:	12[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:29:19	charon:	11[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:29:19	charon:	11[ENC] generating INFORMATIONAL request 2 [ ]
08:29:19	charon:	11[IKE] sending DPD request
08:28:49	charon:	06[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:28:49	charon:	06[ENC] generating INFORMATIONAL response 4 [ ]
08:28:49	charon:	06[ENC] parsed INFORMATIONAL request 4 [ ]
08:28:49	charon:	06[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:27:49	charon:	12[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:27:49	charon:	12[ENC] generating INFORMATIONAL response 3 [ ]
08:27:49	charon:	12[ENC] parsed INFORMATIONAL request 3 [ ]
08:27:49	charon:	12[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:27:19	charon:	07[ENC] parsed INFORMATIONAL response 1 [ ]
08:27:19	charon:	07[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:27:19	charon:	05[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:27:19	charon:	05[ENC] generating INFORMATIONAL request 1 [ ]
08:27:19	charon:	05[IKE] sending DPD request
08:26:49	charon:	06[ENC] parsed INFORMATIONAL response 0 [ ]
08:26:49	charon:	06[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:26:49	charon:	15[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:26:49	charon:	15[ENC] generating INFORMATIONAL request 0 [ ]
08:26:49	charon:	15[IKE] sending DPD request
08:25:51	charon:	13[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (57 byt es)
08:25:51	charon:	13[ENC] generating INFORMATIONAL response 2 [ ]
08:25:51	charon:	13[ENC] parsed INFORMATIONAL request 2 [ ]
08:25:51	charon:	13[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:23:43	charon:	07[IKE] IKE_SA deleted
08:23:43	charon:	07[IKE] IKE_SA deleted
08:23:43	charon:	07[ENC] parsed INFORMATIONAL response 3 [ ]
08:23:43	charon:	07[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:23:43	charon:	05[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (65 byt es)
08:23:43	charon:	05[ENC] generating INFORMATIONAL request 3 [ D ]
08:23:43	charon:	05[IKE] sending DELETE for IKE_SA TOFSP[1]
08:23:43	charon:	05[IKE] deleting IKE_SA TOFSP[1] between local-ip[B]...main-office-remote-ip[C]
08:23:43	charon:	05[IKE] deleting IKE_SA TOFSP[1] between local-ip[B]...main-office-remote-ip[C]
08:23:33	charon:	09[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (286 by tes)
08:23:33	charon:	09[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIK E_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
08:23:33	charon:	09[IKE] CHILD_SA TOFSP{2} established with SPIs c3e65cb8_i c80e95c0_o and TS 10. 1.10.0/24 === 10.5.1.0/24
08:23:33	charon:	09[IKE] CHILD_SA TOFSP{2} established with SPIs c3e65cb8_i c80e95c0_o and TS 10. 1.10.0/24 === 10.5.1.0/24
08:23:33	charon:	09[CFG] selected proposal: ESP:CHACHA20_POLY1305/NO_EXT_SEQ
08:23:33	charon:	09[IKE] maximum IKE_SA lifetime 10545s
08:23:33	charon:	09[IKE] scheduling reauthentication in 10005s
08:23:33	charon:	09[IKE] IKE_SA TOFSP[2] established between local-ip[B]...main-office-remote-ip[C]
08:23:33	charon:	09[IKE] IKE_SA TOFSP[2] established between local-ip[B]...main-office-remote-ip[C]
08:23:33	charon:	09[IKE] schedule delete of duplicate IKE_SA for peer 'C' due to uniqueness polic y and suspected reauthentication
08:23:33	charon:	09[IKE] authentication of 'B' (myself) with pre-shared key
08:23:33	charon:	09[IKE] peer supports MOBIKE
08:23:33	charon:	09[IKE] authentication of 'C' with pre-shared key successful
08:23:33	charon:	09[CFG] selected peer config 'TOFSP'
08:23:33	charon:	09[CFG] looking for peer configs matching local-ip[B]...main-office-remote-ip[C]
08:23:33	charon:	09[IKE] received 1 cert requests for an unknown ca
08:23:33	charon:	09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP ) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONL Y) N(MSG_ID_SYN_SUP) ]
08:23:33	charon:	09[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (860 b ytes)
08:23:29	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (261 byte s)
08:23:29	charon:	11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) C ERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
08:23:29	charon:	11[IKE] sending cert request for "C=US, ST=WI, L=Hudson, O=3DPA, OU=IS, CN=3DPA CA, E=netadmin@five-star-plastics.com"
08:23:29	charon:	11[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
08:23:29	charon:	11[IKE] main-office-remote-ip is initiating an IKE_SA
08:23:29	charon:	11[IKE] main-office-remote-ip is initiating an IKE_SA
08:23:29	charon:	11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG _SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:23:29	charon:	11[NET] received packet: from main-office-remote-ip[500] to local-ip[500] (5076 by tes)
08:23:10	charon:	09[ENC] parsed INFORMATIONAL response 2 [ ]
08:23:10	charon:	09[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (57 by tes)
08:23:10	charon:	08[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (105 by tes)
08:23:10	charon:	08[ENC] generating INFORMATIONAL request 2 [ N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4 _ADDR) N(ADD_4_ADDR) ]
08:23:10	charon:	08[IKE] sending address list update using MOBIKE
08:23:10	charon:	10[IKE] peer supports MOBIKE
08:23:10	charon:	10[IKE] received AUTH_LIFETIME of 9855s, scheduling reauthentication in 9315s
08:23:10	charon:	10[IKE] CHILD_SA TOFSP{1} established with SPIs ce0311a4_i c704275f_o and TS 10. 1.10.0/24 === 10.5.1.0/24
08:23:10	charon:	10[IKE] CHILD_SA TOFSP{1} established with SPIs ce0311a4_i c704275f_o and TS 10. 1.10.0/24 === 10.5.1.0/24
08:23:09	charon:	14[KNL] 10.9.1.1 appeared on tun0
08:23:09	charon:	13[KNL] interface tun0 activated
08:23:09	charon:	10[CFG] selected proposal: ESP:CHACHA20_POLY1305/NO_EXT_SEQ
08:23:09	charon:	10[IKE] maximum IKE_SA lifetime 10313s
08:23:09	charon:	10[IKE] scheduling reauthentication in 9773s
08:23:09	charon:	10[IKE] IKE_SA TOFSP[1] established between local-ip[B]...main-office-remote-ip[C]
08:23:09	charon:	10[IKE] IKE_SA TOFSP[1] established between local-ip[B]...main-office-remote-ip[C]
08:23:09	charon:	10[IKE] authentication of 'C' with pre-shared key successful
08:23:09	charon:	10[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SU P) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
08:23:09	charon:	10[NET] received packet: from main-office-remote-ip[4500] to local-ip[4500] (286 b ytes)
08:23:09	charon:	09[NET] sending packet: from local-ip[4500] to main-office-remote-ip[4500] (856 by tes)
08:23:09	charon:	09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(E AP_ONLY) N(MSG_ID_SYN_SUP) ]
08:23:09	charon:	09[IKE] establishing CHILD_SA TOFSP{1}
08:23:09	charon:	09[IKE] establishing CHILD_SA TOFSP{1}
08:23:09	charon:	09[IKE] authentication of 'B' (myself) with pre-shared key
08:23:09	charon:	09[IKE] sending cert request for "C=US, ST=WI, L=Hudson, O=3DPA, OU=IS, CN=3DPA CA, E=netadmin@five-star-plastics.com"
08:23:09	charon:	09[IKE] received 1 cert requests for an unknown ca
08:23:09	charon:	09[CFG] selected proposal: IKE:CHACHA20_POLY1305/PRF_HMAC_SHA2_512/CURVE_25519
08:23:09	charon:	09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTR EQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
08:23:09	charon:	09[NET] received packet: from main-office-remote-ip[500] to local-ip[500] (261 byt es)
08:23:09	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:23:09	charon:	07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:23:09	charon:	07[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:23:09	charon:	07[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:23:09	charon:	07[CFG] received stroke: initiate 'TOFSP'
08:23:09	charon:	05[CFG] added configuration 'TOFSP'
08:23:09	charon:	05[CFG] received stroke: add connection 'TOFSP'
08:23:09	charon:	00[JOB] spawning 16 worker threads
08:23:09	charon:	00[LIB] loaded plugins: charon aes rc2 des sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pe m openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-ide ntity eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-noauth dhcp counters
08:23:09	charon:	00[CFG] loaded 0 RADIUS server configurations
08:23:09	charon:	00[CFG] loaded IKE secret for @B @C
08:23:09	charon:	00[CFG] loaded RSA private key from '/var/ipfire/certs/hostkey.pem'
08:23:09	charon:	00[CFG] loading secrets from '/etc/ipsec.user.secrets'
08:23:09	charon:	00[CFG] loading secrets from '/etc/ipsec.secrets'
08:23:09	charon:	00[CFG] loaded crl from '/etc/ipsec.d/crls/cacrl.pem'
08:23:09	charon:	00[CFG] loading crls from '/etc/ipsec.d/crls'
08:23:09	charon:	00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
08:23:09	charon:	00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
08:23:09	charon:	00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
08:23:09	charon:	00[CFG] loaded ca certificate "C=US, ST=WI, L=Hudson, O=3DPA, OU=IS, CN=3DPA C A, E=netadmin@five-star-plastics.com" from '/etc/ipsec.d/cacerts/cacert.pem'
08:23:09	charon:	00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
08:23:09	charon:	00[DMN] Starting IKE charon daemon (strongSwan 5.9.2, Linux 4.14.212-ipfire, x86 _64)
08:20:15	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:20:15	charon:	07[IKE] retransmit 5 of request with message ID 0
08:19:33	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:19:33	charon:	07[IKE] retransmit 4 of request with message ID 0
08:19:10	charon:	06[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:19:10	charon:	06[IKE] retransmit 3 of request with message ID 0
08:18:57	charon:	08[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:18:57	charon:	08[IKE] retransmit 2 of request with message ID 0
08:18:50	charon:	13[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:18:50	charon:	13[IKE] retransmit 1 of request with message ID 0
08:18:46	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:18:46	charon:	11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:18:46	charon:	11[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:18:46	charon:	11[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:18:46	charon:	11[IKE] peer not responding, trying again (444/0)
08:18:46	charon:	11[IKE] giving up after 5 retransmits
08:17:30	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:17:30	charon:	07[IKE] retransmit 5 of request with message ID 0
08:16:48	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:16:48	charon:	16[IKE] retransmit 4 of request with message ID 0
08:16:25	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:16:25	charon:	11[IKE] retransmit 3 of request with message ID 0
08:16:12	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:16:12	charon:	11[IKE] retransmit 2 of request with message ID 0
08:16:05	charon:	08[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:16:05	charon:	08[IKE] retransmit 1 of request with message ID 0
08:16:01	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:16:01	charon:	16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:16:01	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:16:01	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:16:01	charon:	16[IKE] peer not responding, trying again (443/0)
08:16:01	charon:	16[IKE] giving up after 5 retransmits
08:14:45	charon:	06[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:14:45	charon:	06[IKE] retransmit 5 of request with message ID 0
08:14:03	charon:	14[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:14:03	charon:	14[IKE] retransmit 4 of request with message ID 0
08:13:40	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:13:40	charon:	11[IKE] retransmit 3 of request with message ID 0
08:13:27	charon:	14[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:13:27	charon:	14[IKE] retransmit 2 of request with message ID 0
08:13:20	charon:	08[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:13:20	charon:	08[IKE] retransmit 1 of request with message ID 0
08:13:16	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:13:16	charon:	16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:13:16	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:13:16	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:13:16	charon:	16[IKE] peer not responding, trying again (442/0)
08:13:16	charon:	16[IKE] giving up after 5 retransmits
08:12:00	charon:	12[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:12:00	charon:	12[IKE] retransmit 5 of request with message ID 0
08:11:18	charon:	06[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:11:18	charon:	06[IKE] retransmit 4 of request with message ID 0
08:10:55	charon:	12[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:10:55	charon:	12[IKE] retransmit 3 of request with message ID 0
08:10:42	charon:	02[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:10:42	charon:	02[IKE] retransmit 2 of request with message ID 0
08:10:35	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:10:35	charon:	07[IKE] retransmit 1 of request with message ID 0
08:10:31	charon:	05[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:10:31	charon:	05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:10:31	charon:	05[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:10:31	charon:	05[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:10:31	charon:	05[IKE] peer not responding, trying again (441/0)
08:10:31	charon:	05[IKE] giving up after 5 retransmits
08:09:15	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:09:15	charon:	16[IKE] retransmit 5 of request with message ID 0
08:08:33	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:08:33	charon:	11[IKE] retransmit 4 of request with message ID 0
08:08:10	charon:	09[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:08:10	charon:	09[IKE] retransmit 3 of request with message ID 0
08:07:57	charon:	13[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:07:57	charon:	13[IKE] retransmit 2 of request with message ID 0
08:07:50	charon:	08[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:07:50	charon:	08[IKE] retransmit 1 of request with message ID 0
08:07:46	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:07:46	charon:	16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:07:46	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:07:46	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:07:46	charon:	16[IKE] peer not responding, trying again (440/0)
08:07:46	charon:	16[IKE] giving up after 5 retransmits
08:06:30	charon:	12[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:06:30	charon:	12[IKE] retransmit 5 of request with message ID 0
08:05:48	charon:	10[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:05:48	charon:	10[IKE] retransmit 4 of request with message ID 0
08:05:25	charon:	08[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:05:25	charon:	08[IKE] retransmit 3 of request with message ID 0
08:05:12	charon:	10[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:05:12	charon:	10[IKE] retransmit 2 of request with message ID 0
08:05:05	charon:	02[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:05:05	charon:	02[IKE] retransmit 1 of request with message ID 0
08:05:01	charon:	10[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:05:01	charon:	10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:05:01	charon:	10[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:05:01	charon:	10[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:05:01	charon:	10[IKE] peer not responding, trying again (439/0)
08:05:01	charon:	10[IKE] giving up after 5 retransmits
08:03:45	charon:	13[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:03:45	charon:	13[IKE] retransmit 5 of request with message ID 0
08:03:03	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:03:03	charon:	16[IKE] retransmit 4 of request with message ID 0
08:02:40	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:02:40	charon:	11[IKE] retransmit 3 of request with message ID 0
08:02:27	charon:	14[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:02:27	charon:	14[IKE] retransmit 2 of request with message ID 0
08:02:20	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:02:20	charon:	07[IKE] retransmit 1 of request with message ID 0
08:02:16	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:02:16	charon:	16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08:02:16	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:02:16	charon:	16[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:02:16	charon:	16[IKE] peer not responding, trying again (438/0)
08:02:16	charon:	16[IKE] giving up after 5 retransmits
08:01:00	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:01:00	charon:	16[IKE] retransmit 5 of request with message ID 0
08:00:18	charon:	12[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
08:00:18	charon:	12[IKE] retransmit 4 of request with message ID 0
07:59:55	charon:	10[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:59:55	charon:	10[IKE] retransmit 3 of request with message ID 0
07:59:42	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:59:42	charon:	16[IKE] retransmit 2 of request with message ID 0
07:59:34	charon:	09[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:59:34	charon:	09[IKE] retransmit 1 of request with message ID 0
07:59:30	charon:	06[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:59:30	charon:	06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07:59:30	charon:	06[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:59:30	charon:	06[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:59:30	charon:	06[IKE] peer not responding, trying again (437/0)
07:59:30	charon:	06[IKE] giving up after 5 retransmits
07:58:15	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:58:15	charon:	16[IKE] retransmit 5 of request with message ID 0
07:57:33	charon:	13[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:57:33	charon:	13[IKE] retransmit 4 of request with message ID 0
07:57:10	charon:	11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:57:10	charon:	11[IKE] retransmit 3 of request with message ID 0
07:56:57	charon:	09[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:56:57	charon:	09[IKE] retransmit 2 of request with message ID 0
07:56:49	charon:	14[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:56:49	charon:	14[IKE] retransmit 1 of request with message ID 0
07:56:45	charon:	12[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:56:45	charon:	12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07:56:45	charon:	12[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:56:45	charon:	12[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:56:45	charon:	12[IKE] peer not responding, trying again (436/0)
07:56:45	charon:	12[IKE] giving up after 5 retransmits
07:55:30	charon:	10[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:55:30	charon:	10[IKE] retransmit 5 of request with message ID 0
07:54:48	charon:	02[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:54:48	charon:	02[IKE] retransmit 4 of request with message ID 0
07:54:24	charon:	12[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:54:24	charon:	12[IKE] retransmit 3 of request with message ID 0
07:54:12	charon:	14[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:54:12	charon:	14[IKE] retransmit 2 of request with message ID 0
07:54:04	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:54:04	charon:	07[IKE] retransmit 1 of request with message ID 0
07:54:00	charon:	06[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:54:00	charon:	06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07:54:00	charon:	06[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:54:00	charon:	06[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:54:00	charon:	06[IKE] peer not responding, trying again (435/0)
07:54:00	charon:	06[IKE] giving up after 5 retransmits
07:52:45	charon:	02[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:52:45	charon:	02[IKE] retransmit 5 of request with message ID 0
07:52:03	charon:	09[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:52:03	charon:	09[IKE] retransmit 4 of request with message ID 0
07:51:39	charon:	05[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:51:39	charon:	05[IKE] retransmit 3 of request with message ID 0
07:51:26	charon:	09[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:51:26	charon:	09[IKE] retransmit 2 of request with message ID 0
07:51:19	charon:	05[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:51:19	charon:	05[IKE] retransmit 1 of request with message ID 0
07:51:15	charon:	14[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:51:15	charon:	14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07:51:15	charon:	14[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:51:15	charon:	14[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:51:15	charon:	14[IKE] peer not responding, trying again (434/0)
07:51:15	charon:	14[IKE] giving up after 5 retransmits
07:50:00	charon:	07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:50:00	charon:	07[IKE] retransmit 5 of request with message ID 0
07:49:18	charon:	16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:49:18	charon:	16[IKE] retransmit 4 of request with message ID 0
07:48:54	charon:	10[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:48:54	charon:	10[IKE] retransmit 3 of request with message ID 0
07:48:41	charon:	13[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:48:41	charon:	13[IKE] retransmit 2 of request with message ID 0
07:48:34	charon:	08[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:48:34	charon:	08[IKE] retransmit 1 of request with message ID 0
07:48:30	charon:	02[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 byte s)
07:48:30	charon:	02[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N( FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
07:48:30	charon:	02[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
07:48:30	charon:	02[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip

During this time of the VPN being down, the internet connection is up and staff can get to the internet on both sides of the connection with no issues. I cannot ping the remote office’s public IP when the connection is down. As soon as the IPFire at the remote office is rebooted, then everything is fine again.

Local Main office Settings:
Connection: Enabled
Local IP Address - Default IP address)
Remote host/IP
Local subnet: 10.5.1.0/255.255.255.0
Remote Subnet 10.1.10.0/255.255.255.0
Local ID: @C
Remote ID @B

Mode: Tunnel
Interface - None (Default)
IP address/Subnet Mask (blank)
Advanced:
Lifetime: IKE 3 Hours ESP: 1 Hours
Action: restart
Timeout: 120
Delay: 30
X IKE+ESP use only proposed settings
X Perfect forward secrecy (PFS)
O Negotiate payload compression
O Force using MOBIKE (only IKEv2)
Start Action: Always On
Inactivity Timeout: 24 hours

Remote office settings:
Connection: Enabled
Local IP Address - Default IP address)
Remote host/IP
Local subnet: 10.5.10.0/255.255.255.0
Remote Subnet 10.5.1.0/255.255.255.0
Local ID: @B
Remote ID @C

Mode: Tunnel
Interface - None (Default)
IP address/Subnet Mask (blank)
MTU: 1500
Advanced:
Action: restart
Timeout: 120
Delay: 30
X IKE+ESP use only proposed settings
X Perfect forward secrecy (PFS)
O Negotiate payload compression
O Force using MOBIKE (only IKEv2)
Start Action: Always On
Inactivity Timeout: 24 hours

Lifetime: IKE: 3 hours ESP: 1 hours

The IKE and ESP encryption standards match on both sides of the tunnel.

Restarting the remote router is an easy enough fix, but I don’t want to have to do that every time the tunnel goes down.

I have tried using the connection scheduler to schedule the IPSEC service to restart. I have a restart scheduled for IPSEC at the local office every day at midnight, and a scheduled restart at the remote office at noon every day, just to refresh the connection on both sides frequently, but even with these settings set up the tunnel goes down / times out with no explanation.

I lean towards blaming the remote office’s ISP because they moved cities a few years ago, and at the old city the connection was solid and never needed to be reset. Since moving to this new office location there has been this recurring problem. There is only one broadband provider available in the remote office’s area.

Any suggestions?

Chris
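
Added example, not part of the original thread and not IPFire or strongSwan code: a small Python parser that turns a charon log pasted from the IPFire log viewer into one summary per outage (when retransmits began, which UDP port went unanswered, whether the daemon was restarted before the peer's first reply). It assumes the viewer's newest-first order and a single day of timestamps; the function names and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the log viewer's layout (newest line first),
# modelled on the charon messages shown in the post above.
SAMPLE_LOG = """\
08:23:09 charon: 10[IKE] IKE_SA TOFSP[1] established between local-ip[B]...main-office-remote-ip[C]
08:23:09 charon: 09[NET] received packet: from main-office-remote-ip[500] to local-ip[500] (261 bytes)
08:23:09 charon: 07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 bytes)
08:23:09 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.2, Linux 4.14.212-ipfire, x86_64)
08:20:15 charon: 07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 bytes)
08:20:15 charon: 07[IKE] retransmit 5 of request with message ID 0
08:18:50 charon: 13[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 bytes)
08:18:50 charon: 13[IKE] retransmit 1 of request with message ID 0
08:18:46 charon: 11[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 bytes)
08:18:46 charon: 11[IKE] initiating IKE_SA TOFSP[1] to main-office-remote-ip
08:18:46 charon: 11[IKE] peer not responding, trying again (444/0)
08:18:46 charon: 11[IKE] giving up after 5 retransmits
08:17:30 charon: 07[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 bytes)
08:17:30 charon: 07[IKE] retransmit 5 of request with message ID 0
08:16:48 charon: 16[NET] sending packet: from local-ip[500] to main-office-remote-ip[500] (932 bytes)
08:16:48 charon: 16[IKE] retransmit 4 of request with message ID 0
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d)\s+charon:\s+\d+\[([A-Z]+)\]\s+(.*)$")
DEST_PORT = re.compile(r"sending packet: from \S+ to \S+\[(\d+)\]")
# First number: running attempt counter; second: configured limit (0 = no limit).
TRY = re.compile(r"peer not responding, trying again \((\d+)/(\d+)\)")


def parse(text):
    """Return (time, subsystem, message) tuples in chronological order."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # anything that is not a charon line (headers, blanks) is skipped
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)))
    events.reverse()  # the viewer lists the newest line first
    return events


def _summarise(o):
    """Convert the working record into plain values for reporting."""
    fmt = lambda t: t.strftime("%H:%M:%S") if t else None
    silent = int((o["first_reply"] - o["start"]).total_seconds()) if o["first_reply"] else None
    restart = o["daemon_restart"]
    return {
        "start": fmt(o["start"]), "restored": fmt(o["restored"]),
        "retransmits": o["retransmits"], "failed_attempts": o["failed_attempts"],
        "last_try": o["last_try"], "dest_ports": sorted(o["dest_ports"]),
        "silent_seconds": silent,
        # True when charon was restarted while the peer was still silent
        "restart_before_reply": bool(restart and (o["first_reply"] is None
                                                  or restart <= o["first_reply"])),
    }


def find_outages(events):
    """Group retransmit/give-up cycles into outages that end at 'IKE_SA ... established'."""
    outages, cur = [], None
    for t, subsystem, msg in events:
        failing = subsystem == "IKE" and msg.startswith(("retransmit ", "giving up after"))
        if cur is None:
            if not failing:
                continue
            cur = {"start": t, "retransmits": 0, "failed_attempts": 0, "last_try": None,
                   "dest_ports": set(), "daemon_restart": None, "first_reply": None,
                   "restored": None}
        if failing:
            cur["retransmits" if msg.startswith("retransmit ") else "failed_attempts"] += 1
        elif subsystem == "IKE" and TRY.match(msg):
            cur["last_try"] = int(TRY.match(msg).group(1))
        elif subsystem == "DMN" and msg.startswith("Starting IKE charon daemon"):
            cur["daemon_restart"] = t
        elif subsystem == "NET" and cur["first_reply"] is None:
            if msg.startswith("received packet"):
                cur["first_reply"] = t  # first sign of life from the peer
            else:
                port = DEST_PORT.search(msg)
                if port:  # destination port of a request that got no answer
                    cur["dest_ports"].add(int(port.group(1)))
        elif subsystem == "IKE" and msg.startswith("IKE_SA ") and " established between " in msg:
            cur["restored"] = t
            outages.append(_summarise(cur))
            cur = None
    if cur is not None:  # log ends while the tunnel is still down
        outages.append(_summarise(cur))
    return outages


if __name__ == "__main__":
    for outage in find_outages(parse(SAMPLE_LOG)):
        print(outage)
```

Run over the full day's log from each firewall, the two summaries can be compared: requests sent to UDP 500 with no inbound packet at all until a local restart point at the sending side or its upstream path rather than at a mismatch in the tunnel settings.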

Same issue came up again this week, my only solution is to restart the IPFire router on the remote site. Has anyone experienced any issues like this?

Can you try and see if an OpenVPN Site-to-Site connection is more stable? I use this and I’ve had almost no interruption for years! And I think from a security perspective, you can select very strong encryption etc. so it can be considered safe.

I can try it, are point-to-point connections with OpenVPN considered to be safer than IPsec, or does it just depend on the encryption standards you use?

Chris

IPSec vs. OpenVPN: Understanding the Differences - PureVPN Blog

Looks like OpenVPN is at least as safe as IPSEC. And it seems to be very stable, which in your case, might be an advantage. IPFire has OpenVPN built-in so I can only recommend you give it a try. From my experience it works great for site-to-site and roadwarriors too.

There is the answer to your question.
What public IP address is the non-responsive firewall using? Has it changed?
Do you have anything in front of the firewall, i.e. a router/gateway that could be blocking the UDP traffic, perhaps a protection rule on a router?

BR
Joe.