I have set up a site-to-site VPN between two offices using IPsec. Most of the time it works, but sometimes it becomes impossible to access one network from the other. Ping and tracert just time out.
The odd thing is that, in the router's interface, the IPsec SA is still active. I enabled dead peer detection; however, this does not seem to have an effect.
Some more details:
- Two routers that are connected via PPPoE, over a fiber modem.
- Both offices are in China. The connections are somewhat restricted (dynamic IP, cannot open certain ports, etc.). However, the Great Firewall does not seem to be a problem, since the traffic is China-internal.
- It worked fine until one of the offices moved. The setup is exactly the same at the new location as far as I can tell. Maybe something different on the ISP side?
- The IPs didn't change. I can reach both routers from outside fine, and people in both offices can reach the internet.
- Using IPsec aggressive mode, but also tried main mode.
- Manually disabling and reconnecting the VPN tunnel fixes it for a few days.
What could cause an IPsec connection to fail silently after some time?
It is difficult to give you specific advice without any logs. Anyway, you can try the following: