We've had a pfSense-to-pfSense "always on" IPsec VPN connecting 2 offices since 
2008 (pfSense 1.2 IIRC) and it's:
- been ultra reliable (if VPN is down, suspect ISP issue or pfSense box failure)
- been quick to connect (about 1 second, almost unnoticeable)
- worked across numerous upgrades without issue (nice!)

Beginning with pfSense v2, we added multiple P2s at each end (still same 
reliability, etc.).

One of the offices has had its hardware updated and its pfSense updated to 2.2 
then 2.2.1 (after testing to see whether we seemed to be affected by the 
"multiple P2 issue" noted in the upgrade page -- we're OK on that one).  This 
connection has continued to work with the same characteristics as before.  The 
2.2.1 system is 64-bit and the other end is v2.1.5 32-bit.

We recently added a second site-to-site IPsec VPN, essentially the same as the 
existing one except both sides are pfSense v2.2.1 (but other end is 32-bit) and 
stronger algorithms are being used and P1 is set to v2 (supposedly avoiding any 
"multiple P2" issues).

The new pfSense (v2.2.1 at both ends) "always on" (not!) IPsec VPN is:
- v-e-r-y  s-l-o-w  to connect: e.g. pinging when connection is down yields: 
once a connection after 12 seconds, once a connection after 22 seconds and 
dozens of connections after > 2.25 minutes
- completely unable to "stay connected": both sides have DPD enabled (5 sec./3 
retries) and both sides can be initiators and both sides have 1 P2 set to ping 
the pfSense at the other end
- pressing the "connect button" on pfSense's IPsec status page yields an 
"instant connection" but there won't be any P2 traffic coming back for a while, 
which seems to consistently be the connection-delay issue

If one of the ends has regular (almost constant) traffic, the VPN stays 
connected.  In testing, I've had one non-pfSense system pinging the pfSense at 
the other end and the VPN stays connected.

If VPN traffic pauses for a short time (ten minutes?), the connection is 
dropped.  While that is not what's expected, given the config, it wouldn't be 
bad _if_ the connection was quickly re-established with traffic, but it's not.

I'm providing this information because of the discussions about issues with 
multiple P2s and the idea that they're solved by using v2 P1 at both ends.  
It's quite possible that:
- there are issues with multiple P2s even with v2 P1
- the DPD stuff isn't working
- the P2 "automatically ping host" stuff isn't working ... but pinging a host 
via a non-pfSense system does keep the connection alive

I'm willing to run some tests if someone wants to tell me what they want done.  
For about a week, the new v2.2.1 site-to-site VPN won't really be used, so I can 
do almost anything that doesn't cause the other side to go dead (or I'd need to 
make a trip to the other site and that may not happen very quickly).

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
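A small harness for the kind of test offered above (let the tunnel sit idle, then log how long the far end takes to answer again). This is an added example, not code from the original post or from pfSense; the remote address, timeouts and probe command are assumptions, and the default ping syntax is Linux's (FreeBSD/pfSense needs `ping -c 1 -W 1000`).

```shell
#!/bin/sh
# Added example, not from the original post: a small harness for the test
# offered above. It lets the tunnel go idle for a chosen period, then measures
# how many seconds pass before the far end answers again, so reconnect delays
# (the "12 s / 22 s / > 2.25 min" observations) can be logged with timestamps.
# Assumptions (hypothetical): REMOTE is a LAN host reachable only through the
# IPsec tunnel; the default probe is one ICMP echo with a 1 s wait in Linux
# ping syntax (on FreeBSD/pfSense pass "ping -c 1 -W 1000" as PROBE_CMD).

# wait_for_reply REMOTE TIMEOUT [PROBE_CMD]
# Probes REMOTE once per second until PROBE_CMD succeeds or TIMEOUT seconds
# elapse. Prints the seconds waited (TIMEOUT on failure); returns 1 on timeout.
wait_for_reply() {
    remote=$1
    timeout=$2
    probe=${3:-"ping -c 1 -W 1"}
    start=$(date +%s)
    while :; do
        if $probe "$remote" >/dev/null 2>&1; then
            echo $(( $(date +%s) - start ))
            return 0
        fi
        if [ $(( $(date +%s) - start )) -ge "$timeout" ]; then
            echo "$timeout"
            return 1
        fi
        sleep 1
    done
}

# idle_then_measure IDLE_SECONDS REMOTE TIMEOUT [PROBE_CMD]
# Stops all probing for IDLE_SECONDS (so DPD and the P2 keep-alive ping are the
# only traffic), then logs one timestamped line with the reconnect delay.
idle_then_measure() {
    idle=$1; remote=$2; timeout=$3; probe=$4
    sleep "$idle"
    if delay=$(wait_for_reply "$remote" "$timeout" "$probe"); then
        echo "$(date '+%F %T') idle=${idle}s reply after ${delay}s"
    else
        echo "$(date '+%F %T') idle=${idle}s NO reply within ${timeout}s"
        return 1
    fi
}

# Usage: idle for 10 minutes, allow up to 5 minutes for the tunnel to recover.
#   idle_then_measure 600 192.0.2.10 300
```

Run it in a loop with increasing idle periods (say 60, 300, 600 seconds) and compare the logged delays against the DPD interval and the P2 keep-alive setting on each end.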