Netgate Discussion Forum
    Mobile Clients losing connectivity after 60 minutes

    IPsec | 5 Posts, 3 Posters, 595 Views
    • itBJA

      Hi together,
      we implemented Mobile Client access with the Windows 11 built-in VPN as IKEv2.
      Everything works fine, but exactly after 60 minutes the connectivity gets lost.
      No logs on the client or pfSense side indicate the cause of this.
      Employees must manually reconnect the tunnel to be able to work again.
      Lifetimes are set to 10 hours, but this has no effect.

      Can anyone help?

      • Gblenn @itBJA

        @itBJA said in Mobile Clients losing connectivity after 60 minutes:

        Mobile Client access with Windows 11 built-In VPN as IKEv2

        I googled and found a similar question with at least one reply that seems to point towards a solution.
        https://www.reddit.com/r/fortinet/comments/wf0a2m/internet_connection_breaks_every_2030_minutes/

        So based on this at least, the suggestion would be to check your PFS group settings on clients and pfsense...

        • itBJA

          Well, the client is the Windows built-in one, where you can't change PFS or anything in the frontend, only via PowerShell.
          I already tried some settings here.
          What we did to adapt the settings was check the logs on the pfSense for "Received Proposals" and "Configured Proposals" to match them.
          But as I understood it, the initial PFS group might be different from a later rekeying, which would be very weird.
          In my former company we used this for many years without any issues.

          • Gblenn @itBJA

            @itBJA said in Mobile Clients losing connectivity after 60 minutes:

            But as I understood it, the initial PFS group might be different from a later rekeying, which would be very weird.

            That would be weird, but my understanding is that the initial setup can succeed even if there is a PFS mismatch between the client and server (it might even be disabled on the client side). However, during later rekey attempts it will certainly fail...

            • andrew_cb

              I ran into the same issue a while ago.
              As others have mentioned, it is due to Windows using DH group 2 (1024 bit) at rekey time, even if P1 and P2 are configured with a stronger DH group.

              Changing the re-key interval to something like 9 hours is the easiest way to minimize disruption.

              Other options are to create the client connections using PowerShell to specify a higher DH group, or use DH group 2 on the server.

              https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2025-ps

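As an added illustration of the PowerShell route mentioned above (this script is an editor's example, not code from the thread's posters, from pfSense or from Microsoft's documentation), the following creates the Windows built-in IKEv2 profile and pins its IKE (Phase 1) and ESP (Phase 2) parameters with Set-VpnConnectionIPsecConfiguration, so that the rekey negotiates the same DH and PFS group that pfSense proposes instead of dropping to group 2. The connection name, server address and the AES-256-GCM / SHA-256 / group 14 algorithm set are assumptions; replace them with what pfSense reports under "Configured Proposals" in its IPsec log.

```powershell
# Editor's example (not from the thread, pfSense or Microsoft docs).
# Run in an elevated PowerShell on the Windows 11 client.

$ConnectionName = 'Corp-IKEv2'        # assumed profile name
$ServerAddress  = 'vpn.example.com'   # placeholder: the pfSense WAN FQDN/IP

# Create the profile only if it does not exist yet. Machine-certificate
# authentication is assumed; use -AuthenticationMethod Eap for EAP setups.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate `
        -EncryptionLevel Required `
        -RememberCredential
}

# Pin the IPsec proposal. Every value here must match the pfSense Mobile
# Clients Phase 1 / Phase 2 settings; the set below is an assumed example.
$ipsecPolicy = @{
    ConnectionName                   = $ConnectionName
    EncryptionMethod                 = 'AES256'     # IKE (P1) encryption
    IntegrityCheckMethod             = 'SHA256'     # IKE (P1) integrity / PRF
    DHGroup                          = 'Group14'    # IKE (P1) DH group, 2048-bit MODP
    CipherTransformConstants         = 'GCMAES256'  # ESP (P2) cipher (AEAD)
    AuthenticationTransformConstants = 'GCMAES256'  # ESP (P2) integrity, same AEAD suite
    PfsGroup                         = 'PFS2048'    # P2 PFS group, 2048-bit MODP (DH 14)
}
Set-VpnConnectionIPsecConfiguration @ipsecPolicy -Force

# Show the custom policy now attached to the profile, so it can be compared
# against "Received Proposals" in the pfSense IPsec log after the next rekey.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

For a profile that should be visible to every user of the machine, add `-AllUserConnection` to both Add-VpnConnection and Set-VpnConnectionIPsecConfiguration. After applying this, the useful check is the pfSense IPsec log at the first rekey (around the 60-minute mark reported above): the received proposal should now carry the pinned DH/PFS group rather than group 2.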
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.