I have just set up a TRB500 with an IPsec tunnel to my other firewall (it is a pfSense). The TRB acts as initiator (since it does not have a public IP through the mobile operator but a NATted one) and the pfSense at the other end acts as responder. It is OK: when I turn the service on, the connection is established in a second; ping and access to the other network work as expected.
However, when I reboot the TRB500, the tunnel won’t come up automatically (even though I have a device that continuously pings the other network behind the TRB500) and the log has only one line in it saying that it cannot resolve the peer IP address. It is fine, as most probably bringing up the LTE connection takes some time, while the IPsec daemon starts and tries to connect to the other end. Unfortunately, the only way to establish the IPsec then is to disable it first on the TRB500 website and enable it again. After that, the tunnel works. As far as I can see, the IPsec daemon won’t retry to bring up the connection automatically.
Is there a workaround for this? Like delaying the start of the IPsec daemon by a fixed amount of time (e.g. 1 minute), or making it conditional in a way that the IPsec daemon starts only when the LTE is ready?
Thanks in advance.
Karoly
PS. Forgot to mention that the TRB500 runs the latest firmware: TRB500_R_00.07.11.3
Thank you for providing the detailed description of the issue. Here are a few things that might be helpful in solving your issue:
IPsec Configuration Adjustment
You can try adding the following two lines to the IPsec configuration file to make the daemon automatically retry the connection:
dpdaction = restart
dpddelay = 30s
To edit the configuration file, run:
vi /etc/config/ipsec
Press “i” to enter editing mode.
Add the lines above to the file.
Press Esc, type :wq, and hit Enter to save and quit. Then restart the IPsec service:
/etc/init.d/swanctl restart
Custom Startup Script
A more advanced solution would be to add a custom startup script (System → Maintenance → Custom Scripts) that delays the restart of the IPsec service until the LTE connection is ready. Here’s an example script:
#!/bin/sh
# give the LTE connection time to come up before touching IPsec
sleep 60
# ifstatus prints the netifd state of the interface as JSON; "up": true means connected
if ifstatus mob1s1a1 | grep -q '"up": true'; then
    /etc/init.d/swanctl restart
fi
This script will wait for 60 seconds (you can adjust this) after reboot before checking if the mobile connection is up, and then restart the IPsec service.
Let me know how it goes or if you need further assistance.
Thank you very much for your response! I ended up with the Custom Startup Script option, by simply letting it sleep for 5 minutes, then restarting the swanctl daemon unconditionally. The longer delay is necessary because I have a DDNS setup with afraid.org, and this time appears sufficient for the DDNS to update at startup. This ensures that the other end (which requires a mandatory Remote Gateway setting) can resolve the updated DDNS host before the TRB500 initiates the tunnel.
First I tried to enable Dead Peer Detection on the web UI, but that didn’t help – I’m just guessing that a possible reason for that is because at TRB boot the link is considered as “never up before” and not something that went down sometime after a first successful connection, i.e. there is nobody to address an R_U_THERE packet to.
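An added example covering both the startup-script approach from the answer above and the DDNS timing problem from the follow-up; it is not code from this thread or from Teltonika. Rather than a fixed sleep, it polls until the mobile interface is up and until the peer name actually resolves, then restarts swanctl. The interface name mob1s1a1 and the peer name vpn.example.com are assumed placeholders for your own unit.

```shell
#!/bin/sh
# Added example (not the script from the answer above): instead of a fixed sleep,
# poll until the mobile interface is up and the peer's DDNS name resolves, then
# restart swanctl. Assumed placeholders: interface mob1s1a1, peer vpn.example.com.
WAN_IFACE="${WAN_IFACE:-mob1s1a1}"
PEER_HOST="${PEER_HOST:-vpn.example.com}"   # the Remote Gateway DDNS name
MAX_WAIT="${MAX_WAIT:-600}"                 # give up after this many seconds
POLL="${POLL:-10}"                          # seconds between checks

# True when netifd reports the interface as up (same test as the answer's script).
iface_up() {
    ifstatus "$1" 2>/dev/null | grep -q '"up": true'
}

# Read nslookup output on stdin; succeed only if an Address line follows the
# "Name:" line, so the resolver's own Address line does not count as an answer.
has_answer() {
    awk '/^Name:/ { seen = 1; next } seen && /^Address/ { ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# True when the peer host name currently resolves.
peer_resolves() {
    nslookup "$1" 2>/dev/null | has_answer
}

# wait_for <max_seconds> <poll_seconds> <command...>: rerun the command until it
# succeeds; return 1 once max_seconds have passed without success.
wait_for() {
    max=$1; poll=$2; shift 2
    elapsed=0
    until "$@"; do
        elapsed=$((elapsed + poll))
        [ "$elapsed" -ge "$max" ] && return 1
        sleep "$poll"
    done
    return 0
}

main() {
    wait_for "$MAX_WAIT" "$POLL" iface_up "$WAN_IFACE" ||
        { logger -t ipsec-wait "$WAN_IFACE not up after ${MAX_WAIT}s"; return 1; }
    wait_for "$MAX_WAIT" "$POLL" peer_resolves "$PEER_HOST" ||
        { logger -t ipsec-wait "$PEER_HOST unresolved after ${MAX_WAIT}s"; return 1; }
    logger -t ipsec-wait "link and DNS ready, restarting swanctl"
    /etc/init.d/swanctl restart
}
# Start the wait only on the router itself (where netifd's ifstatus exists), in
# the background so the rest of boot is not held up; elsewhere only define helpers.
if command -v ifstatus >/dev/null 2>&1; then main & fi
```

Pasted into System → Maintenance → Custom Scripts it behaves like the answer's script but logs a clear reason (via logger) if the link or the DNS name never becomes ready within MAX_WAIT.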