Hello Patrick,

> Does your ISP implement authoritative DNS?
> Do you suspect a UDP issue?
My VPN is configured with IPs, not with domain names. Does DNS and/or UDP matter anyway?

> Is a managed (switch) involved?
No, it is not. I do not use any switches in my testing setup.
GW1--ISP1_modem--.....--ISP2_modem--GW2

> Has duplex ever been an issue?
I have never noticed any duplex issue.

On Sun, 18 Aug 2019 16:07:14 -0500
Patrick Dohman <dohmanpatr...@gmail.com> wrote:

> Does your ISP implement authoritative DNS?
> Do you suspect a UDP issue?
> Is a managed (switch) involved? Has duplex ever been an issue?
> Regards
> Patrick
>
> > On Aug 18, 2019, at 1:03 PM, Radek <r...@int.pl> wrote:
> >
> > Hello,
> >
> > I have two testing gateways (6.5/i386) with a site-to-site VPN between their
> > LANs (OpenIKED).
> > Both gws are fully syspatched, have public IPs and the same iked/pf
> > configuration.
> >
> > Unfortunately, the network traffic over the VPN tunnel stalls a few times a
> > day.
> >
> > On one side I use a script to monitor the VPN tunnel with ping; it restarts
> > iked and emails me if there is no ping over the VPN tunnel.
> > Date: Sat, 17 Aug 2019 22:10:30 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 06:00:20 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 11:09:00 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 19:03:02 +0200 (CEST)
> >
> >
> > In 6.3/i386 I have the same problem, but more frequently.
> > Date: Sat, 17 Aug 2019 23:03:56 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 01:37:50 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 04:12:31 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 06:46:25 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 09:20:22 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 11:59:08 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 14:34:38 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 17:12:57 +0200 (CEST)
> > Date: Sun, 18 Aug 2019 19:47:16 +0200 (CEST)
> >
> > Do I have any bugs/deficiencies in my configs, or have I missed something?
> > Is there any way to make it work uninterruptedly?
> > I would be very grateful if you could help me with this case.
> >
> > $cat /etc/hostname.enc0
> > up
> >
> > $cat /etc/hostname.vr3
> > inet 10.0.17.254 255.255.255.0 NONE description "LAN17"
> > group trust
> >
> > $cat /etc/iked.conf
> > local_gw_RAC17 = "10.0.17.254"     # lan_RAC
> > local_lan_RAC17 = "10.0.17.0/24"
> > remote_gw_MON = "1.2.3.5"          # fw_MON
> > remote_lan_MON = "172.16.1.0/24"
> > ikev2 quick active esp \
> >     from $local_gw_RAC17 to $remote_gw_MON \
> >     from $local_lan_RAC17 to $remote_lan_MON peer $remote_gw_MON \
> >     childsa enc chacha20-poly1305 \
> >     psk "psk"
> >
> > $cat /etc/pf.conf
> > # RAC-fwTEST
> > ext_if = "vr0"
> > lan_rac_if = "vr3"                    # vr3 -
> > lan_rac_local = $lan_rac_if:network   # 10.0.17.0/24
> > backup_if = "vr2"                     # vr2 - left port
> > backup_local = $backup_if:network     # 10.0.117/24
> >
> > bud = "1.2.3.0/25"
> > rdk_wy = "1.2.3.4"
> > rdk_mon = "1.2.3.5"
> > panac_krz = "1.2.3.6"
> > panac_rac = "1.2.3.7"
> >
> > set fingerprints "/dev/null"
> > set skip on { lo, enc0 }
> > set block-policy drop
> > set optimization normal
> > set ruleset-optimization basic
> >
> > antispoof quick for { lo0, $lan_rac_if, $backup_if }
> >
> > match out log on $ext_if from { $lan_rac_local, $backup_local } nat-to $ext_if set prio (3, 7)
> >
> > block all
> >
> > match in all scrub (no-df random-id)
> > match out all scrub (no-df random-id)
> > pass out on egress keep state
> >
> > pass from { 10.0.201.0/24, $lan_rac_local, $backup_local } to any set prio (3, 7) keep state
> >
> > ssh_port = "1071"
> > table <ssh_trust> const { $bud, $rdk_wy, $rdk_mon, $panac_krz, $panac_rac, 10.0.2.0/24, 10.0.15.0/24, 10.0.100.0/24 }
> > table <bruteforce> persist counters
> > block from <bruteforce>
> > pass in log quick inet proto tcp from <ssh_trust> to $ext_if port $ssh_port flags S/SA \
> >     set prio (7, 7) keep state \
> >     (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global)
> >
> > icmp_types = "{ echoreq, unreach }"
> > pass inet proto icmp all icmp-type $icmp_types \
> >     set prio (7, 7) keep state
> >
> > table <vpn_peers> const { $rdk_mon, $panac_rac, $panac_krz }
> > pass out quick on egress proto esp from (egress:0) to <vpn_peers> set prio (6, 7) keep state
> > pass out quick on egress proto udp from (egress:0) to <vpn_peers> port {500, 4500} set prio (6, 7) keep state
> > pass in quick on egress proto esp from <vpn_peers> to (egress:0) set prio (6, 7) keep state
> > pass in quick on egress proto udp from <vpn_peers> to (egress:0) port {500, 4500} set prio (6, 7) keep state
> > pass out quick on trust received-on enc0 set prio (6, 7) keep state
> >
> > pass in on egress proto udp from any to (egress:0) port {isakmp,ipsec-nat-t} set prio (6,7) keep state
> > pass in on egress proto {ah,esp} set prio (6,7) keep state
> >
> > # By default, do not permit remote connections to X11
> > block return in on ! lo0 proto tcp to port 6000:6010
> >
> > $cat iked_monitor.sh
> > #!/bin/sh
> > while true
> > do
> >     # number of replies received through the tunnel (empty output counts as 0)
> >     vpn=`ping -c 3 -w 1 -I 10.0.17.254 172.16.1.254 | grep packets | awk '{print $4}'`
> >
> >     if [ "${vpn:-0}" -eq 0 ] ; then
> >         # tunnel is silent: check the peer's WAN address and the Internet
> >         mon=`ping -c 3 -w 1 the_other_side_WAN_IP | grep packets | awk '{print $4}'`
> >         wan=`ping -c 3 -w 1 8.8.8.8 | grep packets | awk '{print $4}'`
> >
> >         # only restart iked if the peer and the uplink are both reachable
> >         if [ "${mon:-0}" -gt 0 ] && [ "${wan:-0}" -gt 0 ] ; then
> >             echo "vpn: ${vpn}, mon: ${mon}, wan: ${wan}" | mail -s "no ping through VPN RACTEST-MON! restarting iked!" em...@example.com
> >             rcctl restart iked
> >         fi
> >     fi
> >     sleep 32
> > done
> >
> >
> > --
> > Radek
>

--
Radek
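A more defensive version of the watchdog's decision logic, as an added example that is not part of the thread or of OpenBSD: it parses the ping summary robustly (a missing or malformed summary counts as zero replies instead of breaking the numeric test), restarts iked only when the tunnel alone is down, and rate-limits restarts so a flapping uplink does not restart iked every cycle. The sample ping output is constructed; the addresses in the comment are the ones from the thread.

```shell
#!/bin/sh
# Added example (not the poster's script): watchdog helpers for an iked tunnel.

# received_count: print the "N packets received" number from ping output.
# Prints 0 when the summary line is missing (ping killed, no route, garbage),
# so a broken probe can never feed an empty string into a numeric test.
received_count() {
    n=$(printf '%s\n' "$1" | awk '/transmitted/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^transmitted/) { print $(i + 1); exit } }')
    case "$n" in
        ''|*[!0-9]*) echo 0 ;;
        *)           echo "$n" ;;
    esac
}

# decide: given reply counts for the tunnel, the peer's WAN address and the
# Internet, say what the watchdog should do. Restart iked only when the tunnel
# alone is dead; if the uplink or the peer is gone, a restart cannot help and
# would only add noise (and log lines) to the outage.
decide() {
    vpn=$1; mon=$2; wan=$3
    if   [ "$vpn" -gt 0 ]; then echo ok
    elif [ "$wan" -eq 0 ]; then echo wan_down
    elif [ "$mon" -eq 0 ]; then echo peer_down
    else                        echo restart
    fi
}

# allow_restart: succeed only if at least $2 seconds passed since the last
# restart ($1). Keeps a flapping link from restarting iked every 32 s.
allow_restart() {
    [ "$1" -ge "$2" ]
}

# On the gateway, one cycle would be (not executed here, addresses from the thread):
#   out=$(ping -c 3 -w 3 -I 10.0.17.254 172.16.1.254 2>/dev/null || true)
#   vpn=$(received_count "$out")   # then mon/wan the same way, then decide

# Constructed ping output in OpenBSD's summary format, for a self-check.
sample_down='PING 172.16.1.254 (172.16.1.254): 56 data bytes
--- 172.16.1.254 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss'
sample_up='3 packets transmitted, 3 packets received, 0.0% packet loss'

echo "tunnel down, peer+uplink up -> $(decide "$(received_count "$sample_down")" 3 3)"
echo "tunnel up                   -> $(decide "$(received_count "$sample_up")" 0 0)"
```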