07-17-2014 04:37 AM
I'm using an RV082 (v4.2.3.03) in a branch office to establish a VPN tunnel to our main office firewall (pfsense 2.1.4).
As long as I'm using a single WAN connection on the RV082, everything runs fine. When I add a second WAN in "Smart Link Backup" mode, the VPN connection "hangs" (shows "connected" but IP traffic fails) after almost every WAN reconnect (our ISP reconnects every 24h).
WAN Setup:
WAN1 PPPoE with Keep Alive redial: 30s. Auto MTU.
WAN2 PPPoE with Keep Alive redial: 30s. Auto MTU.
WAN2 gets the same IP address if WAN1 goes down.
Dual WAN Setup:
Smart Link Backup: WAN1 primary
Fallback after: 30s
WAN1/WAN2 Service Detection: Retries: 5, Timeout: 60s, Failover: Keep log and remove connection
VPN Setup:
Tunnel Interface: WAN1
Security Type: "IP only"
IKE-PSK, Group2, AES-256, SHA1
Phase 1: 28800s
Phase 2: 3600s
main mode
Keep-Alive on
DPD: 10s
Tunnel Backup: Interface WAN2, same remote IP, Idle Time 60s
Logs:
After a WAN reconnect I get the following log entries in the RV082:
Jul 17 06:49:17 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 3dcd eth2
Jul 17 06:49:17 2014 System Log [pppoe] Got connection: 3dcd
Jul 17 06:49:19 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 06:49:55 2014 Kernel last message repeated 2 times
and the pfsense:
racoon: [SITE]: [Remote IP] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP [Remote IP][0]->[Local IP][0]
racoon: ERROR: phase1 negotiation failed due to time up. f5e56cfa623a88f0:0000000000000000
racoon: [SITE]: [Remote IP] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
racoon: INFO: delete phase 2 handler.
racoon: [SITE]: [Remote IP] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP [Remote IP][0]->[Local IP][0]
racoon: INFO: begin Identity Protection mode.
This repeats until I open and save the VPN settings on the RV082. Thereafter the VPN is up again:
Jul 17 09:03:25 2014 System Log [pppoe] Connecting PPPoE socket: 88:43:e1:e5:be:41 5b40 eth2
Jul 17 09:03:25 2014 System Log [pppoe] Got connection: 5b40
Jul 17 09:03:30 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 09:03:36 2014 VPN Log (g2gips0) #5: [Tunnel Established] ISAKMP SA established
Jul 17 09:03:36 2014 System Log gateway_to_gateway.htm is changed.
Jul 17 09:03:37 2014 VPN Log (g2gips0) #6: [Tunnel Established] sent QI2, IPsec SA established {ESP=>0x0ddb99e0 <0x9095ae0c}
Jul 17 09:03:37 2014 VPN Log (g2gips0) #7: [Tunnel Established] IPsec SA established {ESP=>0x01128af2 <0x8ccce43c}
Jul 17 09:03:40 2014 VPN Log (g2gips0) #8: [Tunnel Established] sent MR3, ISAKMP SA established
Jul 17 09:03:57 2014 System Log network.htm is changed.
Jul 17 09:04:01 2014 System Log DMZ connection is up : 0.0.0.0/255.255.255.0 on eth2
Any ideas how to solve this?
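As an added example (not code from the original post or from Cisco), a script that turns the RV082 log pattern above into a check: for each PPPoE reconnect it counts the IKE "Tunnel Authorize Fail" lines and reports whether an ISAKMP SA ever came up before the next reconnect, so a stuck tunnel is flagged instead of trusting the "connected" status. The log line shapes are assumed from the lines quoted above; the sample log is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the RV082 log shape quoted above: one stuck reconnect (06:49)
# and one that recovered right after the settings save (09:03).
SAMPLE_LOG = """\
Jul 17 06:49:17 2014 System Log [pppoe] Got connection: 3dcd
Jul 17 06:49:19 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 06:49:55 2014 Kernel last message repeated 2 times
Jul 17 09:03:25 2014 System Log [pppoe] Got connection: 5b40
Jul 17 09:03:30 2014 VPN Log packet from [Remote IP]:500: [Tunnel Authorize Fail] no connection has been authorized with policy=PSK
Jul 17 09:03:36 2014 VPN Log (g2gips0) #5: [Tunnel Established] ISAKMP SA established
Jul 17 09:03:36 2014 System Log gateway_to_gateway.htm is changed.
"""

TS_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")  # assumed RV082 format
REPEAT_RE = re.compile(r"last message repeated (\d+) times")
RECONNECT = "[pppoe] Got connection:"
AUTH_FAIL = "[Tunnel Authorize Fail]"
SA_UP = "ISAKMP SA established"
CONFIG_SAVED = "gateway_to_gateway.htm is changed"

def parse(line):
    # Split one RV082 log line into (timestamp, message); None if it does not match.
    m = TS_RE.match(line)
    return (datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y"), m.group(2)) if m else None

def analyze(lines):
    """One record per PPPoE reconnect: IKE auth failures until the next reconnect,
    whether an ISAKMP SA came up, and whether a VPN settings save was logged."""
    events = [e for e in map(parse, lines) if e]
    starts = [i for i, (_, msg) in enumerate(events) if RECONNECT in msg]
    records = []
    for n, i in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(events)
        rec = {"reconnect": events[i][0], "auth_failures": 0,
               "recovered": False, "config_saved": False}
        prev_fail = False
        for _, msg in events[i + 1:end]:
            rep = REPEAT_RE.search(msg)
            if AUTH_FAIL in msg:
                rec["auth_failures"] += 1
            elif rep and prev_fail:  # syslog collapsed repeats of the failure line
                rec["auth_failures"] += int(rep.group(1))
            rec["recovered"] |= SA_UP in msg
            rec["config_saved"] |= CONFIG_SAVED in msg
            prev_fail = AUTH_FAIL in msg or (bool(rep) and prev_fail)
        records.append(rec)
    return records

def stuck_reconnects(lines):
    """Reconnects after which IKE failed and never recovered: the symptom in the post."""
    return [r["reconnect"] for r in analyze(lines) if r["auth_failures"] and not r["recovered"]]
```

Run it over the exported RV082 log; any timestamp returned by stuck_reconnects is a WAN reconnect after which the tunnel only looked "connected".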
07-19-2014 05:56 PM
My name is Ismael. I am with the Small Business Support Center. Even though this is a limitation on the RV082, I would like to explain why your VPN will never fail over. WAN failover is there and it will work fine, but it is different when there's a VPN tunnel established. This is why the logs are indicating that phase 2 never sees a phase 1 connection. Phase 1 times out because it's unable to find the correct WAN IP.
When the connection fails from one public IP and establishes another connection with a different public IP, the pfsense VPN will not know of the new public IP. The one way it will know is by having the tunnel backup feature on both ends of the tunnel.
First you need 2 devices on both ends that support VPN failover. The one device I can recall that has this feature is the RV320. With two RV320s on both ends you would be able to do VPN failover with no issues.
07-20-2014 01:51 AM
Hi Ismael!
In my case the WAN IP doesn't change: I've got a fixed IP that works on both physical DSL lines. So if WAN1 fails, WAN2 will establish the connection with the same IP. Therefore I don't understand why the VPN gets stuck. It should be almost the same as a WAN1 without failover...
02-14-2020 11:21 AM
Hi Ismael,
How do I configure the VPN failover using 2 Cisco RV320s?
I have 2 links in 2 sites.
One VPN is OK. But the failover does not work.
Should I configure the remote IP address on failover?
If you have a manual to do this configuration, please, send the link to me.
Thanks.