Ping Unlocks IPSec VPN on pfSense

Tags: ipsec, pfsense, ping, vpn

I have an IPsec VPN with a foreign company; it connects my network with their network, and they have a different IP subnet. The IPsec tunnel is set up by a pfSense gateway/firewall.

I'm sure it is well configured: all IPsec parameters are set and the tunnel looks established.

However, foreign colleagues cannot connect to my machines, but I have a clue!
If I run a ping from my pfSense IPsec interface to a foreign IP address, magically it starts working and they can connect!!

If they need to connect again after a few hours, I have to ping them again, and so on. And it works only with a ping from the IPsec interface.

For me it is strange to solve a network problem with a ping. What can be the cause? Where should I focus my search?

Best Answer

I have seen this behavior before, where the VPN tunnel will only stay up when a ping is done from one end of the VPN tunnel to the other. There could be a few reasons for this. First, I would check the SA lifetime on both ends of the tunnel. If there is a mismatch in either seconds or bytes for the lifetime, then the VPN appliance (in your case the pfSense gateway/firewall) with the higher SA lifetime will be able to start the VPN tunnel, but it would not work the other way, meaning if they tried pinging you and they had a lower SA lifetime, it would not be able to negotiate up to a higher SA lifetime and no VPN tunnel would start for phase 1 or phase 2. Second, I would also check firewall settings on both ends, as I have seen very odd firewall configurations in the past that have also caused similar behavior, but without being able to see your topology I am not sure if that is your problem.
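The first check the answer recommends, comparing the phase 1 and phase 2 SA lifetimes on both ends in both seconds and bytes, is easy to get wrong by eye when each side's settings live in a different vendor's GUI. The following script is an added example, not code from the thread or from pfSense: it takes the lifetime settings of both peers as hand-entered values (the `OUR_SIDE` and `PARTNER` records are constructed, not read from any gateway) and reports every mismatch, plus which peer holds the shorter time lifetime for a phase, since that is the side whose SA expires first while the other side may still believe the tunnel is up.

```python
# Added example (not from the original thread): compare the phase 1 and
# phase 2 SA lifetimes configured on both ends of an IPsec tunnel and
# report mismatches in seconds and kilobytes.  All tunnel data below is
# constructed by hand; nothing is read from pfSense or the remote peer.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SaLifetime:
    """Lifetime limits for one SA proposal: time-based plus optional volume-based."""
    seconds: int
    kbytes: Optional[int] = None  # None means no traffic-volume expiry is configured


@dataclass(frozen=True)
class TunnelEnd:
    """Lifetimes configured on one peer (hypothetical values)."""
    name: str
    phase1: SaLifetime
    phase2: SaLifetime


def _compare_phase(phase: str, local: TunnelEnd, remote: TunnelEnd) -> List[str]:
    """Mismatch descriptions for one phase ('phase1' or 'phase2')."""
    a = getattr(local, phase)
    b = getattr(remote, phase)
    findings = []
    if a.seconds != b.seconds:
        findings.append(
            f"{phase}: lifetime seconds differ "
            f"({local.name}={a.seconds}, {remote.name}={b.seconds})"
        )
    if a.kbytes != b.kbytes:
        findings.append(
            f"{phase}: lifetime kbytes differ "
            f"({local.name}={a.kbytes}, {remote.name}={b.kbytes})"
        )
    return findings


def lifetime_mismatches(local: TunnelEnd, remote: TunnelEnd) -> List[str]:
    """All phase 1 / phase 2 lifetime mismatches between the two peers."""
    return _compare_phase("phase1", local, remote) + _compare_phase("phase2", local, remote)


def shorter_lifetime_end(local: TunnelEnd, remote: TunnelEnd, phase: str) -> Tuple[str, int]:
    """Name and value of the peer with the shorter time lifetime for a phase.

    That peer's SA expires first, so the other side can still consider the
    tunnel established while this side has already torn its SA down.
    """
    a = getattr(local, phase).seconds
    b = getattr(remote, phase).seconds
    return (local.name, a) if a <= b else (remote.name, b)


# Constructed sample: our pfSense side versus the partner's gateway.
OUR_SIDE = TunnelEnd("pfsense", SaLifetime(28800), SaLifetime(3600))
PARTNER = TunnelEnd("partner", SaLifetime(86400), SaLifetime(3600, 4608000))

if __name__ == "__main__":
    for finding in lifetime_mismatches(OUR_SIDE, PARTNER):
        print("MISMATCH", finding)
    print("expires first:", shorter_lifetime_end(OUR_SIDE, PARTNER, "phase1"))
```

With the constructed values the script flags a phase 1 time mismatch (28800 vs 86400 seconds) and a phase 2 volume mismatch (no byte limit vs 4608000 kB); an empty result means both ends agree on every limit and the search can move on to the firewall rules the answer mentions second.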