Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

IPsec Site-to-Site down after a few minutes


Tunnel was up for hours, then for minutes, then down. After reboot, everything works for hours...


ChristianSchmid@ubnt:~$ sudo ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.2.2 IPsec [starter]...


ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[2] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 929517613 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed


Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Config:

vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer hassloch2.is-very-good.org {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description Hassloch
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.0.0/24
                    }
                    remote {
                        prefix 192.168.60.0/24
                    }
                }
            }
        }
    }
}


Other Site


vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer wachenheim2.is-very-good.org {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description Wachenheim
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.60.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
}
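
The NO_PROPOSAL_CHOSEN notify in the first post means the responder found nothing acceptable among the IKE (phase 1) or ESP (phase 2) proposals it was offered, so the quickest sanity check is a mechanical comparison of both ends. The Python below is an added example, not code from this thread or from EdgeOS: it parses the brace-style EdgeOS config format and compares the IKE proposals, ESP proposals and traffic selectors of the two vpn sections posted above (embedded here trimmed to the relevant keys; Site 2 is constructed as the mirror of Site 1, which is what the posted config shows). For the configs as posted it reports no mismatch, which points the investigation away from static proposal settings and toward what changes at run time.

```python
"""Added example: cross-check two EdgeOS site-to-site IPsec peer configs.
A NO_PROPOSAL_CHOSEN notify means the responder found no acceptable IKE
(phase 1) or ESP (phase 2) proposal, so verify that both ends offer
compatible proposals and mirrored traffic selectors."""

# Site 1 'vpn' section as posted in the thread, trimmed to the relevant keys.
SITE1 = """\
vpn {
    ipsec {
        esp-group FOO0 {
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        site-to-site {
            peer hassloch2.is-very-good.org {
                ike-group FOO0
                tunnel 1 {
                    esp-group FOO0
                    local {
                        prefix 192.168.0.0/24
                    }
                    remote {
                        prefix 192.168.60.0/24
                    }
                }
            }
        }
    }
}
"""
# Site 2 as posted is the mirror image: constructed here by swapping the
# peer name and the local/remote prefixes.
SITE2 = (SITE1.replace("hassloch2", "wachenheim2").replace("192.168.0.0/24", "@")
         .replace("192.168.60.0/24", "192.168.0.0/24").replace("@", "192.168.60.0/24"))

def parse_edgeos(text):
    """Parse EdgeOS/VyOS brace config into nested dicts. Block headers such as
    'proposal 1' are kept whole as keys; repeated leaf keys become lists."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, _, value = line.partition(" ")
            node, value = stack[-1], value.strip() or True
            if key not in node:
                node[key] = value
            elif isinstance(node[key], list):
                node[key].append(value)
            else:
                node[key] = [node[key], value]
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root

def _blocks(node, kind):
    # Sub-blocks headed '<kind> <name>', keyed by name ('tunnel 1' -> '1').
    return {k.split(" ", 1)[1]: v for k, v in node.items() if k.startswith(kind + " ")}

def _proposals(group, fields):
    # Set of proposal tuples a group offers, e.g. {('14', 'aes128', 'sha1')}.
    return {tuple(p.get(f) for f in fields) for p in _blocks(group, "proposal").values()}

def site_summary(text):
    """Reduce one site's config (single peer assumed) to what must agree with its peer."""
    ipsec = parse_edgeos(text)["vpn"]["ipsec"]
    (name, peer), = _blocks(ipsec["site-to-site"], "peer").items()
    ike = ipsec["ike-group " + peer["ike-group"]]
    tunnels = {}
    for tid, t in _blocks(peer, "tunnel").items():
        esp = ipsec["esp-group " + t["esp-group"]]
        tunnels[tid] = {"local": t["local"]["prefix"], "remote": t["remote"]["prefix"],
                        "pfs": esp.get("pfs"), "esp": _proposals(esp, ("encryption", "hash"))}
    return {"peer": name, "tunnels": tunnels,
            "ike": _proposals(ike, ("dh-group", "encryption", "hash"))}

def compare_sites(text_a, text_b):
    """Return the mismatches between the two ends; an empty list means they agree."""
    a, b = site_summary(text_a), site_summary(text_b)
    issues = []
    if not a["ike"] & b["ike"]:
        issues.append(f"no common IKE proposal: {a['ike']} vs {b['ike']}")
    for tid in sorted(set(a["tunnels"]) | set(b["tunnels"])):
        ta, tb = a["tunnels"].get(tid), b["tunnels"].get(tid)
        if not (ta and tb):
            issues.append(f"tunnel {tid}: defined on one side only")
        elif not ta["esp"] & tb["esp"] or ta["pfs"] != tb["pfs"]:
            issues.append(f"tunnel {tid}: no common ESP proposal or PFS mismatch")
        elif ta["local"] != tb["remote"] or ta["remote"] != tb["local"]:
            issues.append(f"tunnel {tid}: traffic selectors are not mirrored")
    return issues
```

To use it on real routers, save the output of `show configuration` from each side to a file and pass the file contents to compare_sites in place of the embedded strings; a non-empty list is the concrete difference to fix, and an empty one rules out the static proposal settings as the cause.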
Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

After reboot ER4 Site 1:

ChristianSchmid@ubnt-h:~$ show vpn ipsec sa
peer-wachenheim2.is-very-good.org-tunnel-1: #3, ESTABLISHED, IKEv1, 2bb657ec81f1715d:f8bde1c4d6fbde9f
  local  '95.89.93.87' @ 95.89.93.87
  remote '95.88.58.182' @ 95.88.58.182
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 37s ago, reauth in 27927s
  peer-wachenheim2.is-very-good.org-tunnel-1: #3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 37 ago, rekeying in 2865s, expires in 3568s
    in  cc212150,  10036 bytes,    82 packets,    10s ago
    out ca1264fe,  30090 bytes,   105 packets,     7s ago
    local  192.168.60.0/24
    remote 192.168.0.0/24

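Since the tunnel here is reported up by `show vpn ipsec sa` and then drops, it helps to watch the SA status over time rather than at one instant. The Python below is an added example (not from this thread or from EdgeOS): it parses the status output above into IKE SA / CHILD_SA records with timers and traffic counters, and flags the conditions a monitor would alert on: no CHILD_SA behind an established IKE SA, a CHILD_SA that is not INSTALLED, or one whose inbound counter never moves, the usual signature of a one-way path. The two failure inputs are constructed for illustration, and the idle threshold `max_idle` is an assumption.

```python
"""Added example: parse EdgeOS 'show vpn ipsec sa' (strongSwan status) output
and raise alerts for a tunnel that is nominally up but not carrying traffic.
Sample input is the Site 1 output posted in the thread plus two constructed
variants (IKE SA without a CHILD_SA; CHILD_SA with no inbound traffic)."""
import re

SA_OUTPUT = """\
peer-wachenheim2.is-very-good.org-tunnel-1: #3, ESTABLISHED, IKEv1, 2bb657ec81f1715d:f8bde1c4d6fbde9f
  local  '95.89.93.87' @ 95.89.93.87
  remote '95.88.58.182' @ 95.88.58.182
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 37s ago, reauth in 27927s
  peer-wachenheim2.is-very-good.org-tunnel-1: #3, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 37 ago, rekeying in 2865s, expires in 3568s
    in  cc212150,  10036 bytes,    82 packets,    10s ago
    out ca1264fe,  30090 bytes,   105 packets,     7s ago
    local  192.168.60.0/24
    remote 192.168.0.0/24
"""
# Constructed variants (not from the thread): IKE SA up but phase 2 missing,
# and a CHILD_SA that has never received an inbound packet.
NO_CHILD = "\n".join(SA_OUTPUT.splitlines()[:5]) + "\n"
NO_INBOUND = SA_OUTPUT.replace(
    "    in  cc212150,  10036 bytes,    82 packets,    10s ago",
    "    in  cc212150,      0 bytes,     0 packets")

IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>\w+), (?P<ver>IKEv\d)")
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), (?P<state>\w+), (?P<mode>[\w-]+), ESP:")
TRAFFIC_RE = re.compile(r"^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),\s+(?P<bytes>\d+) bytes,"
                        r"\s+(?P<packets>\d+) packets(?:,\s+(?P<ago>\d+)s ago)?")
TIMER_RE = re.compile(r"(?P<what>rekeying|expires|reauth) in (?P<secs>\d+)s")
AGE_RE = re.compile(r"(?:established|installed) (?P<secs>\d+)s? ago")

def parse_sa_status(text):
    """Return a list of IKE SAs, each carrying its CHILD_SAs, timers and counters."""
    sas, ike, child = [], None, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike, child = {**m.groupdict(), "children": []}, None
            sas.append(ike)
            continue
        m = CHILD_RE.match(line)
        if m and ike is not None:
            child = {**m.groupdict(), "traffic": {}}
            ike["children"].append(child)
            continue
        m = TRAFFIC_RE.match(line)
        if m and child is not None:
            d = m.groupdict()
            child["traffic"][d["dir"]] = {
                "spi": d["spi"], "bytes": int(d["bytes"]), "packets": int(d["packets"]),
                "ago": int(d["ago"]) if d["ago"] else None}  # None: no traffic yet
            continue
        target = child if child is not None else ike  # timers belong to the current SA
        if target is not None:
            for t in TIMER_RE.finditer(line):
                target[t["what"]] = int(t["secs"])
            a = AGE_RE.search(line)
            if a:
                target["age"] = int(a["secs"])
    return sas

def tunnel_alerts(sas, max_idle=120):
    """Findings a monitor would raise; an empty list means the tunnel looks healthy.
    max_idle (seconds without inbound ESP traffic) is an assumed threshold."""
    alerts = []
    for ike in sas:
        if ike["state"] != "ESTABLISHED":
            alerts.append(f"{ike['name']}: IKE_SA state {ike['state']}")
        if not ike["children"]:
            alerts.append(f"{ike['name']}: no CHILD_SA (phase 2) installed")
        for c in ike["children"]:
            if c["state"] != "INSTALLED":
                alerts.append(f"{c['name']}: CHILD_SA state {c['state']}")
            inb = c["traffic"].get("in", {})
            if inb.get("ago") is None:
                alerts.append(f"{c['name']}: no inbound ESP traffic since install")
            elif inb["ago"] > max_idle:
                alerts.append(f"{c['name']}: inbound traffic idle for {inb['ago']}s")
    return alerts
```

Polling `show vpn ipsec sa` every minute and feeding the output through tunnel_alerts turns "it was up, then it was down" into a timestamped record of which SA disappeared first and whether traffic stopped in one direction before the SA went away, which is the evidence the swanctl log and tcpdump requested later in the thread can then be matched against.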
Senior Member
Posts: 5,691
Registered: ‎01-04-2017
Kudos: 794
Solutions: 285

Re: IPsec Site-to-Site down after a few minutes

Version? "show version"
Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes


ChristianSchmid@ubnt:~$ show version
Version:      v1.10.7
Build ID:     5127989
Build on:     10/01/18 12:28
Copyright:    2012-2018 Ubiquiti Networks, Inc.
HW model:     EdgeRouter 4
HW S/N:       FCECDA4427F1
Uptime:       17:22:37 up  7:26,  1 user,  load average: 0.01, 0.04, 0.05


Other Site

ChristianSchmid@ubnt-h:~$ show version
Version:      v1.10.7
Build ID:     5127989
Build on:     10/01/18 12:28
Copyright:    2012-2018 Ubiquiti Networks, Inc.
HW model:     EdgeRouter 4
HW S/N:       FCECDA469A05
Uptime:       17:27:37 up 36 min,  1 user,  load average: 0.03, 0.05, 0.05

Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Here is my config: eth0 is the VDSL router, eth1 the bridged cable modem, eth2 the LAN


Site 1

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom FB"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.0.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description FTP
        forward-to {
            address 192.168.0.3
            port 21
        }
        original-port 21
        protocol tcp
    }
    rule 2 {
        description "FTP Passive"
        forward-to {
            address 192.168.0.3
            port 50000-51000
        }
        original-port 50000-51000
        protocol tcp
    }
    wan-interface eth1
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                start 192.168.0.38 {
                    stop 192.168.0.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name wachenheim2.is-very-good.org
                    login fiftys333
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer hassloch2.is-very-good.org {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description Hassloch
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.0.0/24
                    }
                    remote {
                        prefix 192.168.60.0/24
                    }
                }
            }
        }
    }
}

Site 2

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            destination {
                address 217.91.144.122/32
            }
            modify {
                lb-group A
            }
        }
        rule 50 {
            action modify
            destination {
                address 95.0.0.0/8
            }
            modify {
                lb-group B
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Allow Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol icmp
        }
        rule 30 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom Gate"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.60.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group A {
        interface eth0 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group B {
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description "HTTPS Server"
        forward-to {
            address 192.168.60.4
            port 443
        }
        original-port 443
        protocol tcp
    }
    wan-interface eth0
}
service {
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name hassloch2.is-very-good.org
                    login fiftys333
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt-h
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer wachenheim2.is-very-good.org {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description Wachenheim
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.60.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    username schmid {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.60.240
                stop 192.168.60.244
            }
            dhcp-interface eth1
            dns-servers {
                server-1 192.168.60.1
                server-2 8.8.8.8
            }
            mtu 1492
        }
    }
}

Established Member
Posts: 2,062
Registered: ‎04-21-2015
Kudos: 278
Solutions: 92

Re: IPsec Site-to-Site down after a few minutes

Hey,


Can you provide the following when the tunnel is down:

sudo swanctl --log - output from both routers

tcpdump from WAN interface when the tunnel is down from both routers


P.S

Config is better posted using the command below:

show configuration commands

Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do; this is not always the same as what you want.
Senior Member
Posts: 5,691
Registered: ‎01-04-2017
Kudos: 794
Solutions: 285

Re: IPsec Site-to-Site down after a few minutes


@Myky wrote:


P.S

Config is better posted using the command below:

show configuration commands


The config is posted exactly how it should be. Please don't push your personal preference that goes against what is commonly accepted. **EDITED OUT THE PASSIVE AGGRESSIVE COMMENT THAT FOLLOWED**

Senior Member
Posts: 5,691
Registered: ‎01-04-2017
Kudos: 794
Solutions: 285

Re: IPsec Site-to-Site down after a few minutes


@ChristianSchmid wrote:

Here is my config, eth0 is VDSL Router, eth1 Cablemodem Bridged, eth2 LAN

 

Site 1

Spoiler
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol icmp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom FB"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.0.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description FTP
        forward-to {
            address 192.168.0.3
            port 21
        }
        original-port 21
        protocol tcp
    }
    rule 2 {
        description "FTP Passive"
        forward-to {
            address 192.168.0.3
            port 50000-51000
        }
        original-port 50000-51000
        protocol tcp
    }
    wan-interface eth1
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.0.0/24 {
                default-router 192.168.0.1
                dns-server 192.168.0.1
                lease 86400
                start 192.168.0.38 {
                    stop 192.168.0.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name wachenheim2.is-very-good.org
                    login fiftys333
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer hassloch2.is-very-good.org {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description Hassloch
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.0.0/24
                    }
                    remote {
                        prefix 192.168.60.0/24
                    }
                }
            }
        }
    }
}

Site 2

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group PRIVATE_NETS {
            network 192.168.0.0/16
            network 172.16.0.0/12
            network 10.0.0.0/8
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians disable
    modify balance {
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            destination {
                address 217.91.144.122/32
            }
            modify {
                lb-group A
            }
        }
        rule 50 {
            action modify
            destination {
                address 95.0.0.0/8
            }
            modify {
                lb-group B
            }
        }
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 21 {
            action accept
            description "Allow Ping eth0"
            destination {
                group {
                    address-group NETv4_eth0
                }
            }
            log disable
            protocol icmp
        }
        rule 22 {
            action accept
            description "Allow Ping eth1"
            destination {
                group {
                    address-group NETv4_eth1
                }
            }
            log disable
            protocol icmp
        }
        rule 30 {
            action accept
            description PPTP
            destination {
                port 1723
            }
            protocol tcp
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description "Telekom Gate"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address dhcp
        description "Kabel D"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address 192.168.60.1/24
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    ethernet eth3 {
        disable
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    group A {
        interface eth0 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group B {
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
    group G {
        interface eth0 {
        }
        interface eth1 {
        }
        lb-local enable
        lb-local-metric-change disable
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth2
    rule 1 {
        description "HTTPS Server"
        forward-to {
            address 192.168.60.4
            port 443
        }
        original-port 443
        protocol tcp
    }
    wan-interface eth0
}
service {
    dns {
        dynamic {
            interface eth1 {
                service dyndns {
                    host-name hassloch2.is-very-good.org
                    login fiftys333
                    password ****************
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth2
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5000 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
        rule 5002 {
            description "masquerade for WAN 2"
            outbound-interface eth1
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name ubnt-h
    login {
        user ChristianSchmid {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        hwnat disable
        ipsec enable
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        auto-firewall-nat-exclude enable
        esp-group FOO0 {
            compression disable
            lifetime 3600
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes128
                hash sha1
            }
        }
        ike-group FOO0 {
            dead-peer-detection {
                action restart
                interval 30
                timeout 120
            }
            ikev2-reauth no
            key-exchange ikev1
            lifetime 28800
            proposal 1 {
                dh-group 14
                encryption aes128
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        site-to-site {
            peer wachenheim2.is-very-good.org {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                description Wachenheim
                dhcp-interface eth1
                ike-group FOO0
                ikev2-reauth inherit
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group FOO0
                    local {
                        prefix 192.168.60.0/24
                    }
                    remote {
                        prefix 192.168.0.0/24
                    }
                }
            }
        }
    }
    pptp {
        remote-access {
            authentication {
                local-users {
                    username schmid {
                        password ****************
                    }
                }
                mode local
            }
            client-ip-pool {
                start 192.168.60.240
                stop 192.168.60.244
            }
            dhcp-interface eth1
            dns-servers {
                server-1 192.168.60.1
                server-2 8.8.8.8
            }
            mtu 1492
        }
    }
}


This is going to be a load-balancing issue. Remember IPsec is run off the MAIN route table. You'll need to set a heavier weight on your 2nd WAN so it doesn't "load-balance" the IPsec due to equal weights.

Also disable lb-local.
Established Member
Posts: 2,062
Registered: ‎04-21-2015
Kudos: 278
Solutions: 92

Re: IPsec Site-to-Site down after a few minutes

It's just easy to read. I didn't advise anything wrong, so you'd better be friendly.
Thanks,
Myky
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device as it's always doing what you have asked it to do, this is not always the same as what you want.
Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

[ Edited ]

I recognized from ipsec sa that the balance is the problem: the remote IP 217... is the wrong eth0 interface.

 

set vpn ipsec ipsec-interfaces interface eth1 does not work?

 

peer-hassloch2.is-very-good.org-tunnel-1: #11, ESTABLISHED, IKEv1, 2bb657ec81f1715d:f8bde1c4d6fbde9f
  local  '95.88.58.182' @ 95.88.58.182
  remote '95.89.93.87' @ 217.91.144.122
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 12003s ago, reauth in 15813s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 1647 ago, rekeying in 1147s, expires in 1954s
    in  c302ff6d,  33834 bytes,   687 packets,     3s ago
    out ce52ff30,  35810 bytes,   691 packets,     3s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24

 

@smyers119 Could you please give me the necessary CLI commands?

Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

What does NO_PROPOSAL_CHOSEN mean here???

 

ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[7] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 951353340 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed

Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Update, please help me:

 

ChristianSchmid@ubnt:~$ sudo ipsec restart
Stopping strongSwan IPsec...

Starting strongSwan 5.2.2 IPsec [starter]...

 

ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[3] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 3721514596 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed

 

ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
generating QUICK_MODE request 1387068722 [ HASH SA No KE ID ID ]
sending packet: from 95.88.58.182[4500] to 95.89.93.87[4500] (444 bytes)
received packet: from 95.89.93.87[4500] to 95.88.58.182[4500] (444 bytes)
parsed QUICK_MODE response 1387068722 [ HASH SA No KE ID ID ]
received netlink error: Network is unreachable (128)
unable to install source route for 192.168.0.1
CHILD_SA peer-hassloch2.is-very-good.org-tunnel-1{1} established with SPIs c7190a63_i c3c3f9de_o and TS 192.168.0.0/24 === 192.168.60.0/24
connection 'peer-hassloch2.is-very-good.org-tunnel-1' established successfully
ChristianSchmid@ubnt:~$ show vpn ipsec status
IPSec Process Running PID: 3292

1 Active IPsec Tunnels

IPsec Interfaces :
        eth1    (95.88.58.182)
ChristianSchmid@ubnt:~$ show vpn ipsec sa
peer-hassloch2.is-very-good.org-tunnel-1: #2, ESTABLISHED, IKEv1, 63932847b0eb4cd0:2a72347c2b54cb40
  local  '95.88.58.182' @ 95.88.58.182
  remote '95.89.93.87' @ 95.89.93.87
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 21s ago, reauth in 27749s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, REKEYING, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 18 ago, rekeying in 2764s, expires in 3583s
    in  c7190a63,   1128 bytes,     6 packets,     4s ago
    out c3c3f9de,   1083 bytes,     7 packets,     4s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 16 ago, rekeying in 2643s, expires in 3584s
    in  c9783207,    236 bytes,     5 packets,     4s ago
    out c23edf2c,    236 bytes,     5 packets,     4s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24

Senior Member
Posts: 5,691
Registered: ‎01-04-2017
Kudos: 794
Solutions: 285

Re: IPsec Site-to-Site down after a few minutes

What is the primary WAN that you're using VPN from? (on each router)
Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

eth0 is a VDSL router from the ISP with VoIP and NAT, the ER4 is the exposed host; eth1 is a cable modem (bridged, no NAT) and eth2 is LAN. This config is identical on both sites. The VPN should run on eth1, because eth0 has a fixed IP via the ISP router and is used for Exchange etc.

 

The ISP IP starts with 217., the cable IP starts with 95.

 

I hoped that set vpn ipsec ipsec-interfaces interface eth1 tells strongSwan not to use eth0, but when I trigger the VPN with, for example, sudo ipsec up peer-wachenheim2.is-very-good.org-tunnel-1, I sometimes see this cross-situation:

 

ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
generating QUICK_MODE request 988275052 [ HASH SA No KE ID ID ]
sending packet: from 95.88.58.182[4500] to 217.91.144.122[35055] (444 bytes)
received packet: from 217.91.144.122[35055] to 95.88.58.182[4500] (444 bytes)
parsed QUICK_MODE response 988275052 [ HASH SA No KE ID ID ]
CHILD_SA peer-hassloch2.is-very-good.org-tunnel-1{1} established with SPIs c3d55194_i c994c345_o and TS 192.168.0.0/24 === 192.168.60.0/24
connection 'peer-hassloch2.is-very-good.org-tunnel-1' established successfully

 

 

Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

Please help me, I've rebooted both ER4s and have changed nothing in the config.

 

No packets are increasing, the peer is not working!!!!!!

 

ChristianSchmid@ubnt:~$ show vpn ipsec sa
peer-hassloch2.is-very-good.org-tunnel-1: #3, ESTABLISHED, IKEv1, c9fde7eb2f92884a:f275a1537d5b4085
  local  '95.88.58.182' @ 95.88.58.182
  remote '95.89.93.87' @ 95.89.93.87
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 542s ago, reauth in 27448s
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 542 ago, rekeying in 2181s, expires in 3059s
    in  c174c1d3,    120 bytes,     3 packets,    25s ago
    out c2ef210c,  11557 bytes,    71 packets,   446s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 494 ago, rekeying in 2240s, expires in 3107s
    in  cb04bcf5,  12505 bytes,    44 packets,    25s ago
    out ca1d0411,  11168 bytes,    88 packets,   446s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 449 ago, rekeying in 2273s, expires in 3152s
    in  cefadb22,  18330 bytes,   195 packets,     6s ago
    out c646f5a5,  13502 bytes,   217 packets,     6s ago
    local  192.168.0.0/24
    remote 192.168.60.0/24
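As an added diagnostic (my own code, not from the thread, from Ubiquiti or from strongSwan), the following Python script parses the show vpn ipsec sa listings posted in this thread and flags the two symptoms they show: an IKE_SA whose peer identity (95.89.93.87) differs from the address the packets are actually exchanged with (217.91.144.122, i.e. the IKE/ESP traffic went out over the wrong WAN), and several CHILD_SAs for one tunnel where the outbound counters of the older ones have stopped moving. The sample listings are copied (trimmed) from the posts above; the 300-second staleness threshold and the helper names are my assumptions.

```python
"""Added check (not from the thread): parse a strongSwan / EdgeOS `show vpn ipsec sa`
listing and flag a mis-routed peer and stale duplicate CHILD_SAs."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

IKE_RE = re.compile(r"^(?P<name>\S+): #(?P<id>\d+), (?P<state>\w+), IKEv\d")
IDENT_RE = re.compile(r"^\s+(?P<side>local|remote)\s+'(?P<ident>[^']+)' @ (?P<addr>\S+)$")
CHILD_RE = re.compile(r"^\s+\S+: #(?P<id>\d+), (?P<state>\w+), TUNNEL\S*, ESP:")
COUNTER_RE = re.compile(r"^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-f]+),\s+(?P<bytes>\d+) bytes,"
                        r"\s+(?P<pkts>\d+) packets,\s+(?P<age>\d+)s ago$")

Counter = namedtuple("Counter", "spi bytes packets age_s")  # age_s: seconds since last packet


@dataclass
class ChildSA:
    id: int
    state: str
    counters: dict = field(default_factory=dict)  # "in"/"out" -> Counter


@dataclass
class IkeSA:
    name: str
    id: int
    ident: dict = field(default_factory=dict)     # "local"/"remote" -> (identity, address)
    children: list = field(default_factory=list)


def parse_sa_listing(text):
    """Build IkeSA objects (with their CHILD_SAs) from the indented listing."""
    sas, ike, child = [], None, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := IKE_RE.match(line):            # unindented line opens a new IKE_SA
            ike = IkeSA(m["name"], int(m["id"]))
            sas.append(ike)
            child = None
        elif ike is None:
            continue
        elif m := CHILD_RE.match(line):        # "...: #1, INSTALLED, TUNNEL..., ESP:..."
            child = ChildSA(int(m["id"]), m["state"])
            ike.children.append(child)
        elif m := IDENT_RE.match(line):        # "remote 'identity' @ address"
            ike.ident[m["side"]] = (m["ident"], m["addr"])
        elif (m := COUNTER_RE.match(line)) and child is not None:
            child.counters[m["dir"]] = Counter(m["spi"], int(m["bytes"]), int(m["pkts"]), int(m["age"]))
    return sas


def _looks_like_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:          # FQDN or other identity type: nothing to compare against
        return False


def analyse(sas, stale_after_s=300):
    """Return findings as strings; the 300 s staleness threshold is an assumption."""
    findings = []
    for ike in sas:
        ident, addr = ike.ident.get("remote", (None, None))
        # The peer identifies itself as one address but its packets arrive from another:
        # the IKE/ESP traffic is being routed over a different WAN than intended.
        if ident and addr != ident and _looks_like_ip(ident):
            findings.append(f"IKE_SA #{ike.id}: peer identity {ident} but packets exchanged "
                            f"with {addr} (path or NAT mismatch)")
        if len(ike.children) > 1:
            findings.append(f"IKE_SA #{ike.id}: {len(ike.children)} CHILD_SAs for one tunnel; "
                            "older ones were never torn down")
        for c in ike.children:
            out = c.counters.get("out")
            if out and out.age_s > stale_after_s:
                findings.append(f"CHILD_SA out SPI {out.spi}: no outbound packet for {out.age_s}s")
    return findings


# Sample listings copied (trimmed) from the thread above.
CROSSED_PATH = """\
peer-hassloch2.is-very-good.org-tunnel-1: #11, ESTABLISHED, IKEv1, 2bb657ec81f1715d:f8bde1c4d6fbde9f
  local  '95.88.58.182' @ 95.88.58.182
  remote '95.89.93.87' @ 217.91.144.122
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    in  c302ff6d,  33834 bytes,   687 packets,     3s ago
    out ce52ff30,  35810 bytes,   691 packets,     3s ago
"""
STALE_CHILDREN = """\
peer-hassloch2.is-very-good.org-tunnel-1: #3, ESTABLISHED, IKEv1, c9fde7eb2f92884a:f275a1537d5b4085
  local  '95.88.58.182' @ 95.88.58.182
  remote '95.89.93.87' @ 95.89.93.87
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    in  c174c1d3,    120 bytes,     3 packets,    25s ago
    out c2ef210c,  11557 bytes,    71 packets,   446s ago
  peer-hassloch2.is-very-good.org-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    in  cefadb22,  18330 bytes,   195 packets,     6s ago
    out c646f5a5,  13502 bytes,   217 packets,     6s ago
"""

if __name__ == "__main__":
    for sample in (CROSSED_PATH, STALE_CHILDREN):
        print("\n".join(analyse(parse_sa_listing(sample))) or "no findings")
```

Run it on the device with the live output piped in (for example, saving show vpn ipsec sa to a file and feeding it to parse_sa_listing) after each rekey; a peer address that flips between the two WANs, or a growing list of CHILD_SAs whose out counters stop, is the routing problem described in this thread rather than a proposal or PSK mismatch.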

Senior Member
Posts: 5,691
Registered: ‎01-04-2017
Kudos: 794
Solutions: 285

Re: IPsec Site-to-Site down after a few minutes

configure
set interfaces ethernet eth1 dhcp-options default-route-distance 100
commit
save
exit
Ubiquiti Employee
Posts: 2,283
Registered: ‎05-08-2017
Kudos: 415
Solutions: 341

Re: IPsec Site-to-Site down after a few minutes

Hi @ChristianSchmid,

 

What does the routing table look like when the problem occurs? The command is:

show ip route

 

Can you try lowering the distance of the DHCP received default gateway on the eth1 interface on both routers? For example:

configure
set interfaces ethernet eth1 dhcp-options default-route-distance 1
commit ; save

 

Ben


Ben Pin - EdgeMAX Support

Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

After

set interfaces ethernet eth1 dhcp-options default-route-distance 100

and a reboot, the tunnel is up!

Emerging Member
Posts: 65
Registered: ‎10-25-2017
Kudos: 1

Re: IPsec Site-to-Site down after a few minutes

The tunnel is down, and what is this?

 

ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[2] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 687918632 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed
ChristianSchmid@ubnt:~$ sudo ipsec up peer-hassloch2.is-very-good.org-tunnel-1
initiating Main Mode IKE_SA peer-hassloch2.is-very-good.org-tunnel-1[3] to 95.89.93.87
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 95.88.58.182[500] to 95.89.93.87[500] (156 bytes)
received packet: from 95.89.93.87[500] to 95.88.58.182[500] (40 bytes)
parsed INFORMATIONAL_V1 request 2160080966 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'peer-hassloch2.is-very-good.org-tunnel-1' failed
