Netgate Discussion Forum

    23.01 Keep Alive - Where is it

    IPsec
    37 Posts 2 Posters 6.2k Views
    • dalicollins @tedquade

      @tedquade What I am trying, as suggested in another Netgate post, is to change the Key Lifetimes to 12 hours in the Advanced firewall settings and to match the Security Methods on the client side. 12 hours would work for me. Everything points to a Windows Client rekeying issue. If this doesn't work, I will try another VPN Client, which I wanted to avoid because it means I will have to add software to every user. I'll let you know how it turns out in 9 hours.

      • tedquade @dalicollins

        @dalicollins " ...... I wanted to avoid because it means I will have to add software to every user"

        That's the reason I never went down that road and besides, you now have to maintain it.

        Good Luck!

        Ted Quade

        • dalicollins @tedquade

          @tedquade Changing the client settings had no effect. My next test is to change the pfSense IPsec settings. Lifetime to 43200 and Child SA Close Action to default. I am happy if I can get 12 hours instead of 8.

          • dalicollins @dalicollins

            @dalicollins I have come to the conclusion that the disconnect issue is a result of an Algorithm mismatch during the Windows rekeying process. When the client does a connect they are using the algorithms set forth in the Client setup, but when a rekey happens, it is the proposals that raspman delivers. This explains why this issue does not occur when using Windows server VPN because the proposals will always match. I am going on the hunt for what those algorithms are and adding them to phase 1 in pfSense. This also explains why some do not have this issue: they use matching algorithms.

            • tedquade @dalicollins

              @dalicollins Thanks for your digging.

              Ted Quade

              • dalicollins @tedquade

                @tedquade
                The following authentication and encryption settings during the key exchange (in this priority order) are used by Windows:

                SHA1 + AES-CBC-256 + ECP384
                SHA1 + AES-CBC-128 + ECP256
                SHA1 + AES-CBC-256 + MODP2048
                SHA1 + 3DES-CBC + MODP2048
                SHA1 + 3DES-CBC + MODP1024

                For Phase 2 negotiation Windows 10 has the following proposals only:

                SHA1 + AES-CBC-128
                SHA1 + AES-CBC-256 (Windows 10 1803+)

                Notice there are no SHA256 transforms accepted by Windows.
                It seems all of these settings are hardcoded in the system as the L2TP/IPsec client, which explains why rekeying is an issue.
                I added SHA1 + AES256 + MODP2048 (DH14) to Phase 1 and SHA1 and AES256 to Phase 2. I will know in 8 hours if this works.

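An added example, not code from this thread or from pfSense/strongSwan: it encodes the Windows proposal lists from the post above and checks whether a server's Phase 1/Phase 2 proposals, written in strongSwan's enc-integ-dh notation (pfSense runs strongSwan), share anything with them. Assumptions: one algorithm per component in each server proposal, and a responder that honours the client's priority order.

```python
# Added example, not code from the forum thread or from pfSense/strongSwan.
# Models the proposal mismatch the post describes: the Windows L2TP/IPsec client
# offers a hardcoded proposal list, so a server whose Phase 1/Phase 2 settings
# share nothing with that list cannot complete the exchange (and rekeys fail).
# Server proposals are written in strongSwan "enc-integ-dh" notation, as pfSense
# runs strongSwan (assumption: one algorithm per component in each proposal).

# Windows IKE (Phase 1) proposals from the post, highest priority first.
WINDOWS_IKE = [
    ("aes256", "sha1", "ecp384"),
    ("aes128", "sha1", "ecp256"),
    ("aes256", "sha1", "modp2048"),
    ("3des", "sha1", "modp2048"),
    ("3des", "sha1", "modp1024"),
]
# Windows ESP (Phase 2) proposals from the post (AES-256 needs Windows 10 1803+).
WINDOWS_ESP = [
    ("aes128", "sha1"),
    ("aes256", "sha1"),
]


def parse_proposals(spec):
    """Expand 'aes256-sha1-modp2048,aes128-sha1-ecp256' into a list of tuples."""
    return [tuple(p.strip().lower().split("-")) for p in spec.split(",") if p.strip()]


def first_match(client, server):
    """First client proposal the server also accepts, or None.

    Assumes the responder honours the initiator's priority order; strongSwan can
    instead prefer its own configured order, which this check does not model.
    """
    accepted = set(server)
    return next((p for p in client if p in accepted), None)


def check_windows_client(ike_spec, esp_spec):
    """Return (phase1_match, phase2_match) for a given server configuration."""
    return (first_match(WINDOWS_IKE, parse_proposals(ike_spec)),
            first_match(WINDOWS_ESP, parse_proposals(esp_spec)))


if __name__ == "__main__":
    # A SHA256-only server shares nothing with the Windows list: (None, None).
    print(check_windows_client("aes256-sha256-modp2048", "aes256-sha256"))
    # The settings the post added (SHA1 + AES256 + DH14, SHA1 + AES256) match.
    print(check_windows_client("aes256-sha1-modp2048", "aes256-sha1"))
```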
                • tedquade @dalicollins

                  @dalicollins I already have those enabled and the connection would drop at around 8 hours.

                  Ted Quade

                  • dalicollins @tedquade

                    @tedquade
                    My latest test is to use AES256 and SHA1 with pfs2048 as the Windows client. I will see how that goes. I will also try Smart VPN Client.
                    I am also trying it in OPNsense to see if that fails as well.

                    • dalicollins @dalicollins

                      @dalicollins
                      I have results for the disconnect issue. VPN Connections using pfSense disconnected with the Windows client again after 8 hours. When I tried the exact same IPsec settings in OPNsense I had no disconnects with the Windows client or DrayTek Smart VPN Client after 20 hours. In fact with DrayTek I could not even get a connection at all with pfSense. So it appears to be an issue with pfSense.

                      • tedquade @dalicollins

                        @dalicollins Good work. You may want to file a bug report and see what the pfSense folks have to offer.

                        Ted Quade

                        • dalicollins @tedquade

                          @tedquade
                          In my experience bug reports go nowhere for me because you have to be a programmer to give them the info they require. Easier and quicker to just switch to OPNsense on this firewall. I use both for my users.

                          • tedquade @dalicollins

                            @dalicollins Sad but true!

                            There is nothing quite like a tongue lashing from one of the Gurus.

                            Ted Quade

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.