Netgate Discussion Forum

    IKEv2 Issues between PF Sense and Cisco 1941

    IPsec · 2 Posts · 2 Posters · 1.0k Views
      AgentPanda89

      Hey everyone!

      I'm new to the forum, but I was hoping to possibly find some help here on a weird issue we're having. I'm not a pfSense expert, but I'll do my best to explain the situation.

      We have a Cisco ISR 1941 at our physical location; let's call this location site A. This connects with an IKEv2 VPN tunnel to our pfSense (2.3.2), which we'll call site B. Site B is a colocation.

      Both phase 1 and phase 2 connect fine, and LAN traffic passes in both directions. However, according to Cisco TAC there is an IKEv2 issue with connecting to a third-party router (pfSense, in this case). I still have a case open with Cisco TAC troubleshooting that, but I wanted to check here to see if there was anything that could be done on the pfSense to help the situation.

      The pfSense appears to keep sending phase 1 re-key requests to the Cisco. The Cisco 1941 already has the tunnel established, so it discards each re-key request, but every time it does this the DH Sessions value increments and maxes out at 1050. Once it hits 1050, which generally takes around 6-8 hours, the VPN tunnel goes down and the router needs to be restarted to clear all of the sessions.

      I know this is an issue with the Cisco. But does anyone know if there's a way to prevent the pfSense from sending these re-key requests?

      Thanks

        scet

        Hello,

        On pfSense you find this option in the tunnel config: VPN / IPsec / Tunnels / Edit Phase 1. Check the box "Disable rekey" to disable renegotiation when a connection is about to expire.

        greez

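        The checkbox above is the GUI side of the story; the backend pfSense 2.3.x drives is strongSwan, which reads the rendered config from an ipsec.conf-style file with one "conn" block per Phase 1. The script below is an added example (not code from the thread or from pfSense) that audits such a file for IKEv2 conns that still rekey and rewrites one the way the "Disable rekey" box is assumed to: by setting "rekey = no" in its conn block. That mapping, the sample config, and the addresses in it are assumptions constructed for the example; check the actual rendered file on your own box before relying on it.

```python
"""Audit and fix phase-1 rekeying in a strongSwan ipsec.conf.

Added example, not from the original thread or from pfSense itself.
pfSense 2.3.x drives strongSwan and renders each Phase 1 as a "conn"
block; the assumption here is that the "Disable rekey" checkbox becomes
"rekey = no" in that block. The sample config below is constructed.
"""

# Constructed sample: con1 still rekeys (strongSwan's default), con2 has the
# equivalent of the "Disable rekey" checkbox applied. Addresses are from
# documentation ranges and are not real peers.
SAMPLE_IPSEC_CONF = """\
config setup
    uniqueids = yes

conn con1
    keyexchange = ikev2
    left = 203.0.113.10
    right = 198.51.100.20
    ikelifetime = 28800s
    lifetime = 3600s
    rekey = yes
    reauth = no

conn con2
    keyexchange = ikev2
    left = 203.0.113.10
    right = 198.51.100.30
    ikelifetime = 28800s
    lifetime = 3600s
    rekey = no
    reauth = no
"""


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; section headers start at column 0."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # "conn X" or "config setup"
            current = " ".join(line.split())
            sections[current] = {}
            continue
        if current is None:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def audit_rekey(text):
    """Map conn name -> (keyexchange, rekey_enabled).

    strongSwan defaults rekey to yes, so a conn with no explicit "rekey"
    line is reported as still rekeying.
    """
    result = {}
    for name, opts in parse_ipsec_conf(text).items():
        if not name.startswith("conn "):
            continue
        rekeying = opts.get("rekey", "yes").lower() != "no"
        result[name[5:]] = (opts.get("keyexchange", "ike"), rekeying)
    return result


def disable_rekey(text, conn_name):
    """Return the config with "rekey = no" set on conn_name.

    Mirrors what ticking "Disable rekey" is assumed to produce: an existing
    rekey line is rewritten, otherwise one is appended to the block.
    """
    out, in_target, seen = [], False, False

    def flush():
        # Append the missing line before any trailing blank lines of the block.
        if in_target and not seen:
            blanks = []
            while out and not out[-1].strip():
                blanks.append(out.pop())
            out.append("    rekey = no")
            out.extend(blanks)

    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not raw[0].isspace():     # new section header
            flush()
            in_target = stripped == "conn " + conn_name
            seen = False
            out.append(raw)
            continue
        if in_target and stripped.partition("=")[0].strip() == "rekey":
            out.append("    rekey = no")
            seen = True
            continue
        out.append(raw)
    flush()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, (kx, rekeying) in audit_rekey(SAMPLE_IPSEC_CONF).items():
        print(f"{name}: keyexchange={kx} rekey={'on' if rekeying else 'off'}")
    print(disable_rekey(SAMPLE_IPSEC_CONF, "con1"))
```

        Run it against a copy of the rendered file rather than editing that file in place: pfSense regenerates it from the GUI settings, so the durable fix is the checkbox, and the script is only useful to confirm what the box actually changed and to spot any other IKEv2 conn that still rekeys against the same peer.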
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.