IPSec Tunnel not staying up
-
Hello, I configured an IPsec tunnel from pfSense to several SonicWalls and the VPN tunnel does not stay up.
I disabled DPD and looked for disabling the NAT-T option but did not see that.
Here is what I am currently running. Any advice would be greatly appreciated.
System Super Micro 1537
Serial: UM22BS026769
Netgate Device ID: d3710efbc36c8da7bc3e
BIOS Vendor: American Megatrends Inc.
Version: 2.0c
Release Date: Thu Jun 27 2019
Boot Environment Current: default
Next: default
Version 23.05-RELEASE (amd64)
built on Mon May 22 15:04:36 UTC 2023
FreeBSD 14.0-CURRENT -
@IT_TI
No logs were provided. Impossible to say why your tunnel isn't staying up. -
Jun 27 14:55:22 charon 41373 13[ENC] <con4|15993> generating INFORMATIONAL request 1247 [ ]
Jun 27 14:55:22 charon 41373 13[NET] <con4|15993> sending packet: from PFSenseWAN[500] to Sonicwall WAN2[500] (80 bytes)
Jun 27 14:55:22 charon 41373 13[NET] <con4|15993> received packet: from Sonicwall WAN2[500] to PFSenseWAN[500] (80 bytes)
Jun 27 14:55:22 charon 41373 13[ENC] <con4|15993> parsed INFORMATIONAL response 1247 [ ]
Jun 27 14:55:22 charon 41373 13[IKE] <con4|15993> activating new tasks
Jun 27 14:55:22 charon 41373 13[IKE] <con4|15993> nothing to initiate
Jun 27 14:55:23 charon 41373 13[KNL] creating acquire job for policy PFSenseWAN/32|/0 === Sonicwall WAN1/32|/0 with reqid {1}
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> queueing CHILD_CREATE task
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> activating new tasks
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> activating CHILD_CREATE task
Jun 27 14:55:23 charon 41373 13[CFG] <con3|15995> proposing traffic selectors for us:
Jun 27 14:55:23 charon 41373 13[CFG] <con3|15995> 10.8.16.0/22|/0
Jun 27 14:55:23 charon 41373 13[CFG] <con3|15995> proposing traffic selectors for other:
Jun 27 14:55:23 charon 41373 13[CFG] <con3|15995> 10.4.16.0/21|/0
Jun 27 14:55:23 charon 41373 13[CFG] <con3|15995> configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> establishing CHILD_SA con3{304439} reqid 1
Jun 27 14:55:23 charon 41373 13[ENC] <con3|15995> generating CREATE_CHILD_SA request 4495 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
Jun 27 14:55:23 charon 41373 13[NET] <con3|15995> sending packet: from PFSenseWAN[500] to Sonicwall WAN1[500] (476 bytes)
Jun 27 14:55:23 charon 41373 13[NET] <con3|15995> received packet: from Sonicwall WAN1[500] to PFSenseWAN[500] (76 bytes)
Jun 27 14:55:23 charon 41373 13[ENC] <con3|15995> parsed CREATE_CHILD_SA response 4495 [ N(NO_PROP) ]
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 27 14:55:23 charon 41373 13[CFG] <con3|15995> configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> failed to establish CHILD_SA, keeping IKE_SA
Jun 27 14:55:23 charon 41373 13[CHD] <con3|15995> CHILD_SA con3{304439} state change: CREATED => DESTROYING
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> activating new tasks
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> nothing to initiate
Jun 27 14:55:24 charon 41373 10[KNL] creating acquire job for policy PFSenseWAN/32|/0 === Sonicwall WAN1/32|/0 with reqid {1}
Jun 27 14:55:24 charon 41373 10[IKE] <con3|15995> queueing CHILD_CREATE task
Jun 27 14:55:24 charon 41373 10[IKE] <con3|15995> activating new tasks
Jun 27 14:55:24 charon 41373 10[IKE] <con3|15995> activating CHILD_CREATE task
Jun 27 14:55:24 charon 41373 10[CFG] <con3|15995> proposing traffic selectors for us:
Jun 27 14:55:24 charon 41373 10[CFG] <con3|15995> 10.8.16.0/22|/0
Jun 27 14:55:24 charon 41373 10[CFG] <con3|15995> proposing traffic selectors for other:
Jun 27 14:55:24 charon 41373 10[CFG] <con3|15995> 10.4.16.0/21|/0
Jun 27 14:55:24 charon 41373 10[CFG] <con3|15995> configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jun 27 14:55:24 charon 41373 10[IKE] <con3|15995> establishing CHILD_SA con3{304440} reqid 1 -
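An added example, not from the thread or from pfSense: a small Python pass over charon lines shaped like the excerpt above (the sample lines below are constructed to match it) that counts how often a peer answers CREATE_CHILD_SA with NO_PROPOSAL_CHOSEN, records which ESP proposal was on the table, and counts the kernel acquire jobs that keep asking for the missing child SA. In IKEv2 that notify means the responder accepted none of the offered Phase 2 proposals, so the cipher, integrity algorithm and PFS group of Phase 2 are the first things to compare on both peers.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon excerpt in the thread (not the real log)
SAMPLE_LOG = """\
Jun 27 14:55:23 charon 41373 13[KNL] creating acquire job for policy PFSenseWAN/32|/0 === Sonicwall WAN1/32|/0 with reqid {1}
Jun 27 14:55:23 charon 41373 13[CFG] <con3|15995> configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 27 14:55:23 charon 41373 13[IKE] <con3|15995> failed to establish CHILD_SA, keeping IKE_SA
Jun 27 14:55:24 charon 41373 10[KNL] creating acquire job for policy PFSenseWAN/32|/0 === Sonicwall WAN1/32|/0 with reqid {1}
Jun 27 14:55:24 charon 41373 10[CFG] <con3|15995> configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Jun 27 14:55:24 charon 41373 10[IKE] <con3|15995> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 27 14:55:25 charon 41373 10[IKE] <con4|15993> CHILD_SA con4{304441} established with SPIs c0ffee01_i deadbeef_o
"""

SA_RE = re.compile(r"<(?P<conn>\w+)\|\d+>\s+(?P<msg>.*)$")          # <conN|ike_sa_id> message
PROP_RE = re.compile(r"configured proposals: (?P<prop>ESP:\S+)")     # ESP proposal we offered
ACQUIRE_RE = re.compile(r"creating acquire job for policy (?P<policy>.+?) with reqid")

def summarize(log_text):
    """Per connection: peer rejections of our CHILD_SA proposal, the proposal itself,
    and child SAs that did come up. Also counts kernel acquire jobs per policy."""
    conns = defaultdict(lambda: {"no_proposal_chosen": 0, "established": 0, "proposal": None})
    acquires = defaultdict(int)
    for line in log_text.splitlines():
        m = ACQUIRE_RE.search(line)
        if m:                      # kernel asking for a tunnel that should already exist
            acquires[m.group("policy")] += 1
            continue
        m = SA_RE.search(line)
        if not m:
            continue
        rec, msg = conns[m.group("conn")], m.group("msg")
        p = PROP_RE.search(msg)
        if p:
            rec["proposal"] = p.group("prop")
        elif "received NO_PROPOSAL_CHOSEN notify" in msg:
            rec["no_proposal_chosen"] += 1
        elif "CHILD_SA" in msg and "established" in msg:
            rec["established"] += 1
    return dict(conns), dict(acquires)

def diagnose(conns):
    """One finding per connection whose CREATE_CHILD_SA was refused with NO_PROPOSAL_CHOSEN
    (RFC 7296: the responder accepted none of the offered proposals)."""
    return [f"{c}: peer rejected CHILD_SA proposal {r['proposal']} {r['no_proposal_chosen']} "
            f"time(s); compare Phase 2 cipher, integrity and PFS group on both ends"
            for c, r in sorted(conns.items()) if r["no_proposal_chosen"]]

if __name__ == "__main__":
    print("\n".join(diagnose(summarize(SAMPLE_LOG)[0])))
```

Feed it the output of `clog /var/log/ipsec.log` (or the IPsec log page) to see which connection is being refused and with what proposal.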
@IT_TI Still not enough information to investigate.
The tunnel establishes as you said.
Are you able to pass traffic through the tunnel (ping the other side, http/https, etc...) ? -
For a while, then it just drops. I have to disable and re-enable it for it to come up again.
I am troubleshooting a pfSense I did not purchase, but the person who did is no longer with the company, and I am not that familiar with them, sorry. -
@IT_TI
Are all the parameters exactly alike?
So for example, are the SA negotiation timers exactly alike? Typically 2800 seconds for P1 and 3600 seconds for P2. All parameters should be exactly the same.
-
Yes, same across the line, and I can ping traffic just fine when it is up. It just goes down, which sucks because I have resources that I need to access on occasion.
-
@IT_TI
I will pass along advice @stephenw10 gave me when troubleshooting IPsec performance problems. Switch to NAT-T.
Some ISPs do not like seeing IPsec (UDP 500) traffic on their network and will attempt to throttle or stop this traffic. An ISP on the east coast, Altice, has been a pain regarding this.
So switch to NAT-T/Force and see if the tunnels stop dropping. -
Yeah, my other sites not using pfSense stay up all the time with no issues. I feel like it is a little configuration setting I have not found yet.
Thanks.