Member
Posts: 148
Registered: 11-12-2013
Kudos: 12
Solutions: 6

IPSEC tunnel - disconnected after some time

Hi

I have a problem with my IPSEC tunnel, which is disconnected from time to time. It is not a problem, but once the connection is dropped I have to restart the router to get it reconnected.

I have a script which does the work:

#!/bin/vbash

logfile=/root/spr-status-vpn.log
flagfile=/root/vpn_down_flag

# Op-mode command wrapper so the script can run "show" and "reboot"
run=/opt/vyatta/bin/vyatta-op-cmd-wrapper

stamp() { date '+%Y.%m.%d__%H:%M:%S'; }

# State column of the tunnel rows in "show vpn ipsec sa", collapsed to one value
state=$("$run" show vpn ipsec sa | grep all | awk '{print $2}' | uniq)

if [[ "$state" == "down" ]]; then
  if [[ ! -f "$flagfile" ]]; then
    # First run that sees the tunnel down: only set the flag
    echo "$(stamp) vpn down - I'm creating $flagfile" >> "$logfile"
    touch "$flagfile"
  else
    # Tunnel still down on the next run: bounce the router
    echo "$(stamp) flag is set so I will bounce the router" >> "$logfile"
    rm -f "$flagfile"
    "$run" reboot now
  fi
else
  echo "$(stamp) vpn up" >> "$logfile"
  rm -f "$flagfile"
fi

I have two questions:

1. how to restart vpn without restarting a router?

2. is there a feature which allows a vpn tunnel to be reconnected automatically?

Regards

Paul


Veteran Member
Posts: 4,137
Registered: 05-15-2014
Kudos: 1563
Solutions: 283

Re: IPSEC tunnel - disconnected after some time

1. how to restart vpn without restarting a router?


sudo ipsec restart


2. is there a feature which allows a vpn tunnel to be reconnected automatically?


Any packet destined for the other side of the tunnel will "wake up" the tunnel. Just ping anything on remote side and the tunnel should come up automatically in a few seconds.

Member
Posts: 148
Registered: 11-12-2013
Kudos: 12
Solutions: 6

Re: IPSEC tunnel - disconnected after some time

Thank you for VERY quick response.

Restart of the VPN works like a charm.

The second part (automatically re-establishing the VPN connection) doesn't work. I have a remote desktop client which is on the other side of the tunnel - when the VPN is down there is no way that the client can connect. Shall I try something else, or is there any trick with which I can automatically re-establish the connection?

Regards
Paul

Veteran Member
Posts: 4,137
Registered: 05-15-2014
Kudos: 1563
Solutions: 283

Re: IPSEC tunnel - disconnected after some time

You most likely have something misconfigured, i.e. a missing firewall rule opening the port for the VPN handshake ... post your config.


What's on the other side of the tunnel? You've said client ... provide more details please. What OS, what VPN client, what IP range? Is this pure IPsec or L2TP over IPsec?

Previous Employee
Posts: 10,504
Registered: 06-09-2011
Kudos: 3142
Solutions: 945
Contributions: 16

Re: IPSEC tunnel - disconnected after some time

There is also the command "clear vpn ipsec-peer x.x.x.x".

You might try configuring dpd (dead-peer-detection).

EdgeMAX Router Software Development
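The two replies above give the building blocks for recovering without a reboot: `sudo ipsec restart`, `clear vpn ipsec-peer x.x.x.x`, and dead-peer-detection. The script below is an added example, not code from the thread, from Ubiquiti or from the EdgeOS project, that replaces the reboot in the original watchdog with an escalation: wait one more check, restart IPsec, clear the peer, and reboot only as a last resort. It reuses the op-mode wrapper path from the original script; the config-mode wrapper path `/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper`, the `dead-peer-detection action/interval/timeout` node names, the peer address `192.0.2.1`, the ike-group name `FOO0` and the counter file location are assumptions to be replaced with the reader's own values. It also assumes, like the original `awk '{print $2}'`, that tunnel rows of `show vpn ipsec sa` carry the state in the second column; the sample output embedded in it is constructed, not captured from a router.

```shell
#!/bin/bash
# Added example: IPsec watchdog with escalation instead of an immediate reboot.
# Not from the thread; values marked "assumed" are placeholders.

PEER="${PEER:-192.0.2.1}"                    # assumed remote peer address
IKE_GROUP="${IKE_GROUP:-FOO0}"               # assumed ike-group name from your config
LOGFILE="${LOGFILE:-/root/spr-status-vpn.log}"
STRIKES="${STRIKES:-/tmp/vpn_strikes}"       # replaces the original flag file with a counter
OP=/opt/vyatta/bin/vyatta-op-cmd-wrapper     # op-mode wrapper, as used in the original script
CFG=/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper  # config-mode wrapper (assumed path)

log() { echo "$(date '+%Y.%m.%d__%H:%M:%S') $*" >> "$LOGFILE"; }

# Classify "show vpn ipsec sa" output read from stdin.
# Tunnel rows are taken as: numeric tunnel id in column 1, state in column 2
# (the same column the original script read with awk '{print $2}').
# Prints "up" only if every tunnel row is up, "down" if any row is down,
# and "none" if no tunnel row is present at all (no SA is also an outage;
# the original script's string compare would have logged that case as up).
sa_state() {
    awk '
        $1 ~ /^[0-9]+$/ && ($2 == "up" || $2 == "down") {
            seen++
            if ($2 == "down") down++
        }
        END {
            if (seen == 0)      print "none"
            else if (down > 0)  print "down"
            else                print "up"
        }'
}

# Decide what to do from the tunnel state and the number of consecutive
# failed checks so far. Prints "<action> <new strike count>".
# Escalation: wait one more check -> restart IPsec -> clear the peer -> reboot.
next_action() {
    local state=$1 strikes=$2
    if [ "$state" = "up" ]; then
        echo "ok 0"
        return
    fi
    case "$strikes" in
        0) echo "wait 1" ;;
        1) echo "restart 2" ;;
        2) echo "clear 3" ;;
        *) echo "reboot 0" ;;
    esac
}

# Turn on dead-peer-detection for an ike-group so the IKE daemon notices a
# dead peer and re-initiates by itself. Node names are assumed (Vyatta-style
# dead-peer-detection action/interval/timeout); check them with tab completion.
enable_dpd() {
    "$CFG" begin
    "$CFG" set vpn ipsec ike-group "$1" dead-peer-detection action restart
    "$CFG" set vpn ipsec ike-group "$1" dead-peer-detection interval 30
    "$CFG" set vpn ipsec ike-group "$1" dead-peer-detection timeout 120
    "$CFG" commit
    "$CFG" save
    "$CFG" end
}

main() {
    local state strikes action
    state=$("$OP" show vpn ipsec sa | sa_state)
    strikes=$(cat "$STRIKES" 2>/dev/null || echo 0)
    set -- $(next_action "$state" "$strikes")
    action=$1
    strikes=$2
    echo "$strikes" > "$STRIKES"
    log "vpn $state, strikes=$strikes, action=$action"
    case "$action" in
        restart) sudo ipsec restart ;;                 # first reply in the thread
        clear)   "$OP" clear vpn ipsec-peer "$PEER" ;; # EdgeMAX developer's reply
        reboot)  "$OP" reboot now ;;                   # last resort, as in the original script
    esac
}

# Constructed sample output (not captured from a router) for trying sa_state offline.
SAMPLE_DOWN='    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    1       down   0.0/0.0        aes256   sha1    no     0       3600    all'
SAMPLE_UP='    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    1       up     0.0/0.0        aes256   sha1    no     1103    3600    all'

# Only act when running on the router (the op-mode wrapper exists there).
if [ -x "$OP" ]; then
    main
fi
```

Run it once a minute from the EdgeOS task scheduler (assuming the `system task-scheduler task <name> interval 1m executable path <script>` nodes of your release) and call `enable_dpd "$IKE_GROUP"` once by hand. Because the counter resets to 0 whenever the tunnel is seen up, a flapping link never reaches the reboot step, and the log records which rung of the escalation actually brought the tunnel back. If `clear vpn ipsec-peer` never helps but `ipsec restart` does, that points at a local daemon problem; if neither helps, look at the firewall and NAT rules for IKE as the earlier reply suggests.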
Member
Posts: 148
Registered: 11-12-2013
Kudos: 12
Solutions: 6

Re: IPSEC tunnel - disconnected after some time

Hi

my config is available here:

https://dl.dropboxusercontent.com/u/91550916/_no_synchro/config.txt

The problem is that once IPsec is disconnected I need to do "ipsec restart" - it is not restarted automatically...

Could you kindly review my configuration, please?

Thank you in advance

Paul

Veteran Member
Posts: 4,137
Registered: 05-15-2014
Kudos: 1563
Solutions: 283

Re: IPSEC tunnel - disconnected after some time

Member
Posts: 148
Registered: 11-12-2013
Kudos: 12
Solutions: 6

Re: IPSEC tunnel - disconnected after some time

Yeah, sorry for that - I posted the config from the other router.

here is the proper config:

https://dl.dropboxusercontent.com/u/91550916/_no_synchro/configR.txt

Paul

Veteran Member
Posts: 4,137
Registered: 05-15-2014
Kudos: 1563
Solutions: 283

Re: IPSEC tunnel - disconnected after some time

[ Edited ]

Try adding this

set vpn ipsec auto-firewall-nat-exclude enable

It should help with the automatic reconnect.

Member
Posts: 148
Registered: 11-12-2013
Kudos: 12
Solutions: 6

Re: IPSEC tunnel - disconnected after some time

Hi

it doesn't work on firmware 1.4.1:

set vpn ipsec auto-firewall-nat-exclude enable
The specified configuration node is not valid
Set failed
[edit]

I was trying to upgrade to 1.5, but there is apparently a bug with the DHCP server and I had to revert to 1.4.1... Is there anything I can do on 1.4.1 to fix my VPN problem?

Regards

Paul