Hotbrick VPN800/2 is not based on pfsense.

-----Original Message-----
From: Vaughn L. Reid III [mailto:[EMAIL PROTECTED]
Sent: Monday, July 2, 2007 08:55
To: support@pfsense.com
Subject: Re: [pfSense Support] VPN tunnel connects properly, but it frequently drops

I have a pfsense box with the June 30th snapshot, and have it connected to two Linksys RV016's, two Linksys RV082's, and two Hotbrick 800/2. The pfsense box has two adsl connections with static IPs for WAN connectivity, and the remote sites also have adsl connections. Both brands of units are running the most recent firmware posted on their vendor's web site as of June 29, 2007.

I was consistently having trouble with the VPN tunnels dropping after prolonged periods of inactivity. The remote endpoints had to actively look for items on the LAN behind the pfsense box to get the connection to re-establish. Sometimes, for example, if the WAN disconnected for some reason, the VPN tunnels would not get re-built without rebooting the Linksys or Hotbrick router.

Anyway, I contacted Hotbrick's tech support, and asked them for advice since they sell a couple other products that look to be customized and branded versions of pfsense. They sent me a link to one of their help documents here:

http://www.hotbrick.com/support_detail.asp?tipo=4

Basically, the documents suggest the following settings for VPNs between Hotbrick products:

IPSEC Phase 1:
Negotiation: Main
Encryption: 3DES
Hash: SHA1
DH Key: 2 (1024 Bit)
Lifetime: 28800
Authentication: Pre-Shared Key

IPSEC Phase 2:
Protocol: ESP
Encryption: Make Sure 3DES only is checked
Hash: SHA1
Perfect Forward Secrecy: 2 (1024 Bit)
Lifetime: 28800

So, I have tried these settings on my remote endpoint Hotbricks and Linksys units and have experienced much more stable VPN connections. I have also noticed that the VPN connection doesn't have to be re-established by the remote endpoint after long periods of inactivity, and I have noticed that the tunnels seem to rebuild correctly after a WAN link goes down and then comes back up.

Also, on the Linksys devices I have dead peer detection turned off, but have keep-alive turned on.

On the pfsense box, I have the IP address listed to ping as an IP on the remote subnet that is not assigned to any host. I found that on the Hotbrick and the Linksys units, long-term pinging of the remote LAN gateway (i.e. pinging the LAN IP of the Linksys or Hotbrick unit) caused the device to actively start blocking the connection from the pfsense box.

-Vaughn Reid III

David Strout wrote:
> I have had the same experience w/ the RV016 and
> pfSense. What is the exact version on the linksys
> side (have you upgraded the firmware to the
> current?), and what build of 1.0.1 pfSense are you
> running? I'd move to the current 1.2-BETA SNAP
> and upgrade your Linksys to the current 2.0.17.
>
> I personally have had very little luck in
> connecting linksys to anything but linksys for VPN
> connectivity. I have gotten it to work in the lab
> and maintain its stability but under a high load
> situation it becomes very unstable and drops quite
> often.
>
>> Hi,
>>
>> I have PFSense 1.0.1 version configured with open VPN on one site and Dual
>> wan router (Linksys RV016) configured on the other site. VPN connection
>> works fine. However, even though both the routers are configured to be on a
>> Keep Alive status in reference to the VPN connectivity, still the VPN
>> connection drops consistently. Please let me know for any further details
>> you want from me to resolve this issue. Any help from your side would
>> really be appreciated.
>>
>> Thanks & Regards,
>>
>> Vidit Gupta
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]