[pfSense] pfSense IPSec issue

Hi there,

We have recently started converting some of our sites onto fibre connection as it becomes available in our areas. So far we have done four separate sites and on all sites (except one initially, but I will get to that one) I am experiencing the same issue.

On our normal setups our pfSense boxes are connected to a router that connects out. The router taking one of our public IP addresses and one ethernet card on the pfSense box taking the second (Red interface). We then have two more ethernet cards on the pfSense (one for local LAN, one for untrusted LAN). Now on the pfSense box we have set it to have a phase-1 IPSec tunnel and then three phase-2 tunnels. Those three tunnels being the local LAN, untrusted LAN and then one to allow external contractors to remote into the untrusted LAN.

That's all been fine in the past, however, now when we are on fibre that Red tunnel does not come online. The other two do fine, but just not that one for external support.

This is the same if I use a router or if I plug the pfSense box directly into the modem and let the pfSense make the PPPoE connection.

Any ideas why this might be?

There are no traffic shapers in play, nothing that I can see that would stop it. And if I plug it back into an ADSL connection it then works fine.

The tunnels are using

Code:
P2 Protocol   P2 Transforms       P2 Auth Methods
ESP           AES (auto), 3DES    SHA1

But I have tried them using AH for the P2 protocol as well, same result.

The one site that was different was one where all three tunnels came straight back up after we switched on the fibre. I compared it side by side with another site that only had 2/3 tunnels up and as far as I could tell they were identical, apart from the fact that one of its redundant IPSec tunnels (they were used for failover in the past but are since redundant), which is disabled, had SHA1 and MD5 as authentication methods, and on the receiving end of the IPSec the exchange was set to Automatic. I tried replicating that on the 2/3 firewall but still got the same result. Now, even stranger: after about a week or two of those three tunnels being up, it has now only got 2/3 tunnels up itself! Anybody got any suggestions on this strangeness?

Oh, and I have tried this on 2.1-RELEASE (i386) as well as 2.0-BETA5 (i386).
 
Apologies, I knew it was a long shot posting it on here. But on the pfSense forum nobody has even so much as responded to me.

I'm just getting a bit annoyed with this issue, hence in my desperation I thought I would try here, since it is FreeBSD architecture underneath it all.