Netgate Discussion Forum

    IPsec tunnel stops passing traffic between pfsense and sonicwall NSA 4500

    IPsec
    4 Posts 2 Posters 1.1k Views
    agrikk

      [network diagram]

      I have two networks that I am trying to connect via an IPsec VPN tunnel but one of the phase 2 tunnels stops passing traffic. Can someone please help troubleshoot this?

      On the left side I have a single /24 subnet behind a pfSense firewall device (v2.7.2-STABLE). On the right side I have two /24 subnets behind a venerable SonicWall NSA4500.

      After setting up both sides with the configuration below, and poking the proper holes in the firewalls, both VPN tunnels immediately connect and begin to pass traffic.
      192.168.1.0 <--> 192.168.3.0
      192.168.2.0 <--> 192.168.3.0

      The SonicWall shows the main VPN policy as active and both VPN tunnels as active.
      The pfSense device shows the P1 connection as active and both P2 connections active and passing traffic.

      Roughly 45 minutes later (which feels like the expiration of the 3600 second P2 policy) the P2 tunnel for 192.168.1.0 <--> 192.168.3.0 stops passing traffic. All of the connections show as up on both the SonicWall and pfSense, but there is zero traffic across the P2 connection for those two networks.

      On the sonicwall, once a minute after the traffic stops flowing I have the following error:
      IPSec VPN decryption Failed
      Selector Check Error.
      Selectors (192.168.2.0 - 192.168.2.225) --> (192.168.3.0 - 192.168.3.225)

      If I click "renegotiate" on the sick tunnel (192.168.1.0 <-> 192.168.3.0) on the sonicwall, that tunnel immediately starts passing traffic for another ~45 minutes.

      Google tells me that a "Selector Check Error" means there is a mismatch between the networks on either side of the tunnel, but I've quadruple checked the link, even tearing it down and rebuilding it multiple times to make sure the settings match, and nothing works. This feels like a red herring.

      The crazy thing is I have dozens of static and dynamic BGP tunnels coming out of both firewalls and they are solid. It's just the combination of these two boxes together that is making me tear my hair out.

      Can anyone help?

      =================================

      === pfsense ===
      Phase1:
      IKEv2
      IPv4
      Remote gateway: w.x.y.z
      Mutual PSK
      AES-128
      SHA256
      DH Group 14
      Lifetime 28800
      Enable DPD [X]
      Delay 10 / Max Failures 5

      Phase 2 #1 (connection to 192.168.1.0/24)
      mode: Tunnel IPv4
      Local network: LAN subnet
      Remote network: 192.168.1.0/24

      Phase 2 Proposal
      ESP
      AES-128
      SHA256
      PFS key group 14
      Lifetime: 3600
      automatically ping host: 192.168.1.11
      keepalive enabled

      Phase 2 #2 (connection to 192.168.2.0/24)
      mode: Tunnel IPv4
      Local network: LAN subnet
      Remote network: 192.168.2.0/24

      Phase 2 Proposal
      ESP
      AES-128
      SHA256
      PFS key group 14
      Lifetime: 3600
      automatically ping host: 192.168.2.10
      keepalive enabled

      === sonicwall ===
      policy type: site to site
      Auth method: IKE using preshared secret
      remote gateway: a.b.c.d

      local network: 192.168.1.0 192.168.2.0
      remote network 192.168.3.0

      phase 1:
      IKEv2
      DH group 14
      AES-128
      SHA256
      lifetime: 28800

      phase 2:
      ESP
      AES-128
      SHA256
      PFS group 14
      lifetime 3600
      enable keepalive [x]

      =================================

      agrikk @agrikk
      last edited by agrikk

        Okay, so after much headache and frustration, the solution was simple:

        Under the P1 entry, scroll down to "Advanced Options" and enable split connections.

        "Enable this to split connection entries with multiple phase 2 configurations. Required for remote endpoints that support only a single traffic selector per SA."

        The SonicWall only allows one entry for the SA and gets around multiple networks by accepting an address object that is a group of other networks. My scenario is literally this.


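The two posts above describe a selector-level problem: pfSense's two Phase 2 entries are sent to the peer as one child SA carrying two traffic selectors, and a peer that only tracks one selector per SA (the SonicWall, per the quoted pfSense help text) eventually logs a "Selector Check Error" and drops traffic for one pair. The following Python script is an added example, not code from the thread, pfSense, or SonicWall. It models the child-SA layout pfSense proposes with and without "split connections" (the combine-into-one-SA behaviour is an assumption drawn from the quoted help text), parses a SonicWall-style selector error line into CIDR form, and reports which configured P2 pair the logged selector belongs to. The subnets are taken from the thread; the log line is constructed.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    """One pfSense Phase 2 entry: local network <--> remote network."""
    local: str
    remote: str


# The pfSense side from the thread: LAN subnet 192.168.3.0/24, two remote /24s.
PFSENSE_P2 = [
    Phase2("192.168.3.0/24", "192.168.1.0/24"),
    Phase2("192.168.3.0/24", "192.168.2.0/24"),
]

# Constructed log line in the shape the original post quotes from the SonicWall.
SAMPLE_LOG = (
    "IPSec VPN decryption Failed Selector Check Error. "
    "Selectors (192.168.2.0 - 192.168.2.255) --> (192.168.3.0 - 192.168.3.255)"
)


def child_sa_selectors(p2_entries, split_connections):
    """Return the list of child SAs proposed for one Phase 1.

    Assumption (from the quoted pfSense help text): without split connections all
    P2 entries are merged into a single child SA with several traffic selectors;
    with it, every P2 entry becomes its own child SA with exactly one selector.
    """
    if split_connections:
        return [[(e.local, e.remote)] for e in p2_entries]
    return [[(e.local, e.remote) for e in p2_entries]]


def needs_split(p2_entries, peer_max_ts_per_sa):
    """True when the merged child SA would carry more selector pairs than the peer accepts."""
    merged = child_sa_selectors(p2_entries, split_connections=False)
    return any(len(sa) > peer_max_ts_per_sa for sa in merged)


SELECTOR_RE = re.compile(r"Selectors \((\S+) - (\S+)\) --> \((\S+) - (\S+)\)")


def range_to_cidr(first, last):
    """Collapse an inclusive address range into the CIDR blocks that cover it."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]


def parse_selector_error(line):
    """Extract (source_cidrs, destination_cidrs) from a selector error line, or None."""
    m = SELECTOR_RE.search(line)
    if not m:
        return None
    return range_to_cidr(m[1], m[2]), range_to_cidr(m[3], m[4])


def match_selector_to_p2(parsed, p2_entries):
    """Map a logged selector pair back to a configured P2 entry.

    The log is written from the peer's side, so its source is pfSense's remote
    network and its destination is pfSense's local network.
    """
    src, dst = parsed
    for entry in p2_entries:
        if src == [entry.remote] and dst == [entry.local]:
            return entry
    return None


if __name__ == "__main__":
    print("merged SA:", child_sa_selectors(PFSENSE_P2, split_connections=False))
    print("split SAs:", child_sa_selectors(PFSENSE_P2, split_connections=True))
    print("peer limited to 1 selector per SA -> enable split connections:",
          needs_split(PFSENSE_P2, peer_max_ts_per_sa=1))
    parsed = parse_selector_error(SAMPLE_LOG)
    print("logged selector:", parsed, "->", match_selector_to_p2(parsed, PFSENSE_P2))
```

Run it as a script to see the two layouts side by side; feeding it your own P2 list and the peer's per-SA selector limit answers the question the thread settled on (whether "split connections" is needed), and the parser gives you a quick way to turn the peer's selector errors into something you can compare against the pfSense configuration instead of eyeballing ranges.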
        patrick.pesegodinski @agrikk

          @agrikk I have this problem between pfsense and mikrotik, in two different locations.

          Has your problem stabilized?

          agrikk

            Yeah, once I got it configured correctly with the multiple phase 2 connections it was rock solid. Bomb-proof even.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.