
We have tens of IPsec connections between our office and customer sites. At the office we use pfSense v2.4.5 as the VPN gateway and place Ubiquiti EdgeRouter X devices with the latest firmware at the customer sites to establish the connection. The EdgeRouter X always initiates the connection, as we do not always have the possibility to forward ports on the customer network(s). It does this by pinging an internal IP at our office site once every minute.

In general the connections are stable and everything works as expected, though sometimes a connection is lost "randomly" and doesn't come back. I can see in pfSense (System logs / IPsec) that the EdgeRouter tries to connect to pfSense.

pfSense log: (screenshot not reproduced)

I don't understand what happens here, as this specific connection worked fine and stably for months. Nothing has changed in the config, neither on the EdgeRouter X nor in pfSense. Also, no firmware updates were installed and no reboots happened.

What we tried to fix the connection:

  • Restart the Ubiquiti EdgeRouter via UNMS (centralized management tool)
  • Hard restart by unplugging the power and reconnecting it
  • Deleting the IPsec settings on the EdgeRouter and re-configuring IPsec on the EdgeRouter, followed by a reboot as it still didn't work
  • Reconfiguring the IPsec connection in pfSense (no reboot yet, as this will pull down our whole network)

For now we have around 3 "broken" connections out of the 30-35 connections. What is the cause and how can I solve this? We need reliable VPN connections, and if they are disconnected for a really short period they at least need to reconnect automatically!

Ubiquiti EdgeRouter X config: of course the pfSense config corresponds with the config below, as the connection worked.

 ipsec {
     allow-access-to-local-interface enable
     auto-firewall-nat-exclude enable
     esp-group FOO0 {
         compression disable
         lifetime 3600
         mode tunnel
         pfs enable
         proposal 1 {
             encryption aes128
             hash sha256
         }
         proposal 2 {
             encryption aes128
             hash sha256
         }
     }
     ike-group FOO0 {
         ikev2-reauth no
         key-exchange ikev2
         lifetime 28800
         proposal 1 {
             dh-group 14
             encryption aes128
             hash sha256
         }
         proposal 2 {
             dh-group 14
             encryption aes128
             hash sha256
         }
     }
     site-to-site {
         peer ipsec.company.de {
             authentication {
                 id an_id_here
                 mode pre-shared-secret
                 pre-shared-secret Some_key_h3r3
             }
             connection-type initiate
             default-esp-group FOO0
             description IPSec_connection
             ike-group FOO0
             ikev2-reauth inherit
             local-address any
             tunnel 1 {
                 allow-nat-networks disable
                 allow-public-networks disable
                 esp-group FOO0
                 local {
                     prefix 10.130.3.0/24
                 }
                 remote {
                     prefix 10.128.0.0/16
                 }
             }
         }
     }
 }

Screenshot of pfSense config: (screenshot not reproduced)

UPDATE: All our EdgeRouters are connected to our UNMS server, and by coincidence I restored a backup (made automatically by UNMS) and the IPsec connection worked again. I tried this on 2 different (ER-X) devices with the same IPsec issue and it solved the "broken" IPsec connection issue on both devices. The strange thing is that I'm 100% sure that no manual changes were made on either device between the date of the backup and the time the connection broke. This leads me to think that there is a bug in EdgeOS somewhere??

CodeNinja
  • I have the same problem and I don't know how to solve it. Resetting the IPsec tunnel on the ER-X side via the CLI helps for me, but it isn't convenient: `clear vpn ipsec-peer` – Mike Onishchuk Nov 05 '21 at 22:23
  • We tried `restart vpn` and `clear vpn ipsec-peer` as well, but it didn't work in our situation (we had it 2 times on 2 different EdgeRouters so far). Fortunately these were the only 2 times we had the issue. "Fingers crossed" – CodeNinja Nov 08 '21 at 13:09
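An added example, not from the question, the comments, or Ubiquiti, of the automatic-reconnect behaviour the question asks for: a POSIX shell watchdog for EdgeOS that probes an office-side address on every run and, after a number of consecutive failures, issues the `clear vpn ipsec-peer` that Mike Onishchuk mentions, escalating to `restart vpn` if that does not help. The peer name is taken from the posted config; the probe address 10.128.0.1, the thresholds, the state-file path and the script name `ipsec-watchdog.sh` are assumptions for the example.

```shell
#!/bin/sh
# ipsec-watchdog.sh (hypothetical name): IPsec keepalive/recovery for an
# EdgeOS initiator. Meant to be run once a minute by the EdgeOS task
# scheduler; each run probes the far side and keeps a consecutive-failure
# counter in a state file. POSIX sh, no bash-isms (EdgeOS ships busybox sh).

PEER="${PEER:-ipsec.company.de}"               # peer name from the posted config
PROBE_IP="${PROBE_IP:-10.128.0.1}"             # ASSUMED office-side host in 10.128.0.0/16
STATE_FILE="${STATE_FILE:-/tmp/ipsec-watchdog.fails}"
WRAPPER="${WRAPPER:-/opt/vyatta/bin/vyatta-op-cmd-wrapper}"  # runs op-mode commands from scripts
CLEAR_AFTER=3     # consecutive failed probes before 'clear vpn ipsec-peer'
RESTART_AFTER=6   # consecutive failed probes before 'restart vpn' (repeats every 6)

log() {
    # syslog if available, stderr otherwise (logger is absent in some test sandboxes)
    logger -t ipsec-watchdog "$*" 2>/dev/null || echo "ipsec-watchdog: $*" >&2
}

# One ICMP echo through the tunnel; success means the SA is passing traffic.
probe() { ping -c 1 -W 2 "$PROBE_IP" >/dev/null 2>&1; }

# Consecutive failure count persisted between runs (0 if the file is missing/empty).
read_fails() { n=$(cat "$STATE_FILE" 2>/dev/null); echo "${n:-0}"; }

# Pure decision function: given the failure count, what to do this run.
#   every RESTART_AFTER-th failure -> restart   (whole IKE daemon)
#   exactly CLEAR_AFTER failures   -> clear     (just this peer's SAs)
#   anything else                  -> none
decide() {
    fails="$1"
    if [ "$fails" -gt 0 ] && [ $((fails % RESTART_AFTER)) -eq 0 ]; then
        echo restart
    elif [ "$fails" -eq "$CLEAR_AFTER" ]; then
        echo clear
    else
        echo none
    fi
}

# Execute the chosen op-mode command via the Vyatta wrapper.
apply_action() {
    case "$1" in
        clear)   "$WRAPPER" clear vpn ipsec-peer "$PEER" ;;
        restart) "$WRAPPER" restart vpn ;;
        none)    : ;;
    esac
}

# One scheduler tick: probe, update the counter, act.
run_once() {
    if probe; then
        echo 0 > "$STATE_FILE"      # tunnel is up, reset the streak
        return 0
    fi
    fails=$(( $(read_fails) + 1 ))
    echo "$fails" > "$STATE_FILE"
    action=$(decide "$fails")
    log "probe to $PROBE_IP failed ($fails in a row), action=$action"
    apply_action "$action"
}

# Only act when invoked as the script itself, so sourcing it for tests is side-effect free.
if [ "$(basename "$0")" = "ipsec-watchdog.sh" ]; then
    run_once
fi
```

Install it under `/config/scripts/` (which survives firmware upgrades) and schedule it with the EdgeOS task scheduler, e.g. `set system task-scheduler task ipsec-watchdog interval 1m executable path /config/scripts/ipsec-watchdog.sh`. The probe replaces the once-a-minute ping the question describes, so the same traffic that keeps the tunnel up also drives recovery. Note also that the posted `ike-group` sets no `dead-peer-detection`; EdgeOS supports `dead-peer-detection action restart` with an `interval` and `timeout` under the ike-group, which makes the initiator re-establish the SA on its own when the peer stops answering, independently of this script.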

0 Answers