Mobile Clients losing connectivity after 60 minutes
-
Hi together,
we implemented Mobile Client access with the Windows 11 built-in VPN as IKEv2.
Everything works fine, but exactly after 60 minutes the connectivity gets lost.
No logs on the client or pfSense side indicate the cause of this.
Employees must manually reconnect the tunnel to be able to work again.
Lifetimes are set to 10 hours, but this has no effect. Can anyone help?
-
@itBJA said in Mobile Clients losing connectivity after 60 minutes:
Mobile Client access with Windows 11 built-In VPN as IKEv2
I googled and found a similar question with at least one reply that seems to point towards a solution.
https://www.reddit.com/r/fortinet/comments/wf0a2m/internet_connection_breaks_every_2030_minutes/
So based on this at least, the suggestion would be to check your PFS group settings on clients and pfSense...
-
Well, the client is the Windows built-in one, where you can't change PFS or anything in the frontend, only via PowerShell.
I already tried some settings here.
What we did to adapt the settings is check the logs on the PF concerning "Received Proposals" and "Configured Proposals" to match them.
But as I understood it, the initial PFS group might be different from a later rekeying, which would be very weird.
In my former company we used this for many years without any issues.
-
@itBJA said in Mobile Clients losing connectivity after 60 minutes:
But as I understood it, the initial PFS group might be different from a later rekeying, which would be very weird.
That would be weird, but my understanding is that the initial setup can succeed even if there is a PFS mismatch between the client and server (it might even be disabled on the client side). However, during later rekey attempts it will certainly fail...
-
I ran into the same issue a while ago.
As others have mentioned, it is due to Windows using DH group 2 (1024 bit) at re-key time, even if P1 and P2 are configured with a stronger DH group. Changing the re-key interval to something like 9 hours is the easiest way to minimize disruption.
Other options are to create the client connections using PowerShell to specify a higher DH group, or to use DH group 2 on the server.
https://learn.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2025-ps
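As an added example (not posted by anyone in this thread, and not pfSense or Microsoft documentation), the following PowerShell script shows the second option from the reply above: pinning the built-in Windows IKEv2 client to a specific DH group and PFS group with Set-VpnConnectionIPsecConfiguration, so the rekey proposal matches what pfSense is configured for. The connection name, the groups and the algorithms are assumptions; they must be changed to match the "Configured Proposals" lines in the pfSense IPsec log for your phase 1 and phase 2.

```powershell
# Added example: pin the Windows built-in IKEv2 client to explicit IPsec parameters
# so the proposal sent at re-key time is the same one pfSense accepted at setup.
# Run in an elevated PowerShell session on the client.

# Assumption: the VPN connection was created for the current user with this name.
$ConnectionName = 'CorpVPN-IKEv2'   # placeholder, use your actual connection name

# Assumption: these values mirror the pfSense phase 1 / phase 2 configuration.
# DHGroup    -> phase 1 DH group on pfSense (Group14 = 2048-bit MODP)
# PfsGroup   -> phase 2 PFS key group on pfSense (PFS2048 = 2048-bit MODP)
# The remaining parameters must match the phase 1 / phase 2 algorithms as well.
$IPsecParams = @{
    ConnectionName                   = $ConnectionName
    EncryptionMethod                 = 'AES256'      # phase 1 encryption
    IntegrityCheckMethod             = 'SHA256'      # phase 1 hash
    DHGroup                          = 'Group14'     # phase 1 DH group
    CipherTransformConstants         = 'AES256'      # phase 2 encryption
    AuthenticationTransformConstants = 'SHA256128'   # phase 2 hash
    PfsGroup                         = 'PFS2048'     # phase 2 PFS group
    Force                            = $true         # skip the confirmation prompt
}

# Apply the custom IPsec policy to the connection.
Set-VpnConnectionIPsecConfiguration @IPsecParams

# Show the connection, including the custom IPsec policy that was just applied,
# so it can be compared side by side with the pfSense phase 1 / phase 2 settings.
Get-VpnConnection -Name $ConnectionName | Format-List *
```

After reconnecting, the pfSense IPsec log should show the "Received Proposals" from this client agreeing with the "Configured Proposals" both at the initial connection and at the first rekey; if the tunnel still drops at the rekey interval, compare the two proposal lines again, since any remaining mismatch in group or algorithm will only surface at that point. For connections created for all users (the -AllUserConnection switch at creation time), the same switch is needed on the cmdlets above.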