Netgate Discussion Forum

IPSec Road Warrior re-authentication interval

IPsec
8 Posts 5 Posters 3.5k Views
    jacksonm (Apr 16, 2012, 10:01 AM)

    Hi,

    I googled, searched the forum - perhaps I don't know the precise terms to search because I came up empty handed.

    I have road warrior up and running between 2.0.1-RELEASE (amd64) and Lion 10.7.3. Xauth authentication, password stored locally - does not ask for password on connect. Everything works fine, except for one very annoying thing: Approx every 45 minutes (sometimes 48 mins, sometimes 1 hour), a window pops up and asks me to re-enter my password. How do I disable this behavior? If I connect, I want to stay connected without entering password until I manually disconnect.

    Thanks!

      jimp, Rebel Alliance Developer, Netgate (Apr 24, 2012, 3:04 PM)

      You might try increasing the P1/P2 lifetime values to see if that affects it. I'm not sure why it would force you to log back in when it re-keys, but that's the only thing I can think of that's on a timer in the default setup.

        jedblack (May 30, 2012, 2:05 AM)

        I have the same exact problem, on the same exact setup – have you been able to solve this annoying issue?

        This is a blocker for using IPsec on mobile clients -- I can't ask users to have to re-auth every 40 mins (et al.)... What is this issue? Is it a bug?

          joegeorge (Sep 24, 2012, 12:52 PM)

          Has anyone made progress with this? Does increasing the lifetime fix it?

            joegeorge (Sep 24, 2012, 4:53 PM)

            Changing the lifetime appears to have no effect.

            pfSense 2.0.1
            OS X 10.8.2

              joegeorge (Sep 25, 2012, 7:42 PM)

              Does anyone out there have mobile clients working with either iOS or OS X clients which stay connected for long periods of time (rekey correctly)? If so, could you post your config?

              Mine is:

              # racoon.conf as generated by pfSense 2.0.x for the mobile clients setup.
              # Comments added for readability; directive values are as posted.
              remote anonymous
              {
                      ph1id 2;
                      exchange_mode aggressive;         # aggressive mode, as used with PSK for roaming clients
                      my_identifier address x.x.x.x;
                      peers_identifier keyid tag "...";
                      ike_frag on;
                      generate_policy = unique;         # build per-client SPD entries from the negotiated SA
                      initial_contact = off;
                      nat_traversal = on;

                      dpd_delay = 10;                   # dead peer detection: probe every 10 s,
                      dpd_maxfail = 5;                  # declare the peer dead after 5 missed replies
                      support_proxy on;
                      proposal_check claim;
                      passive on;                       # responder only, never initiate towards clients

                      proposal
                      {
                              authentication_method xauth_psk_server;   # group PSK plus XAuth user login
                              encryption_algorithm aes 128;
                              hash_algorithm sha1;
                              dh_group 2;
                              lifetime time 28800 secs;                 # Phase 1 (IKE SA) lifetime: 8 h
                      }
              }

              sainfo   anonymous
              {
                      remoteid 2;
                      encryption_algorithm aes 128;
                      authentication_algorithm hmac_sha1;

                      lifetime time 3600 secs;                  # Phase 2 (IPsec SA) lifetime: 1 h
                      compression_algorithm deflate;
              }

              mode_cfg
              {
                      auth_source system;               # XAuth users come from the local user database
                      group_source system;
                      pool_size 253;
                      network4 192.168.103.1;           # virtual address pool handed out to clients
                      netmask4 255.255.255.0;
                      split_network include x.x.x.x/24;
                      dns4 x.x.x.x;
                      default_domain "x.x.x";
                      split_dns "x.x.x";
                      banner "/var/etc/racoon.motd";
                      save_passwd on;                   # tell the client it may cache the XAuth password
              }
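Two posts in this thread are about the timers: jimp's suggestion to raise the P1/P2 lifetimes, and the racoon.conf above with "lifetime time 28800 secs" in the Phase 1 proposal and "lifetime time 3600 secs" in sainfo. Before changing either, it helps to see which configured timer the observed prompt interval actually lines up with. The Python below is an added example written for this page, not code from the thread or from pfSense: it pulls the lifetimes out of a racoon.conf fragment (a constructed excerpt of the posted config, with the elided addresses left elided) and reports which phase's lifetime a given interval falls into. The 75% lower bound is an assumed heuristic for "rekeying starts some time before hard expiry", not a racoon constant.

```python
"""Added example (not from the thread or the pfSense project): pull the Phase 1
and Phase 2 lifetimes out of a racoon.conf fragment and check which timer an
observed re-prompt interval lines up with."""
import re

# Constructed sample input: the lifetime-bearing blocks of the racoon.conf
# posted above, with the elided addresses left elided.
RACOON_CONF = """\
remote anonymous
{
        exchange_mode aggressive;
        proposal
        {
                authentication_method xauth_psk_server;
                encryption_algorithm aes 128;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;   # Phase 1
        }
}

sainfo   anonymous
{
        encryption_algorithm aes 128;
        authentication_algorithm hmac_sha1;
        lifetime time 3600 secs;            # Phase 2
}
"""

# unit keywords racoon accepts on "lifetime time"
UNITS = {"sec": 1, "secs": 1, "min": 60, "mins": 60, "hour": 3600, "hours": 3600}
LIFETIME_RE = re.compile(r"lifetime\s+time\s+(\d+)\s*(secs?|mins?|hours?)\s*;")


def _top_level_blocks(text):
    """Yield (header, body) for each top-level '{ ... }' block.

    Nested braces (the proposal inside remote) stay inside body, so a
    lifetime written in the proposal still belongs to the remote block.
    """
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return
        header = text[pos:start].strip()
        depth, end = 0, start
        for end in range(start, len(text)):
            if text[end] == "{":
                depth += 1
            elif text[end] == "}":
                depth -= 1
                if depth == 0:
                    break
        yield header, text[start + 1:end]
        pos = end + 1


def parse_lifetimes(conf):
    """Return {'phase1': secs, 'phase2': secs} from the first remote and the
    first sainfo block; a missing lifetime is reported as None."""
    stripped = re.sub(r"#.*", "", conf)          # drop comments first
    found = {"phase1": None, "phase2": None}
    for header, body in _top_level_blocks(stripped):
        m = LIFETIME_RE.search(body)
        if not m:
            continue
        secs = int(m.group(1)) * UNITS[m.group(2)]
        if header.startswith("remote") and found["phase1"] is None:
            found["phase1"] = secs
        elif header.startswith("sainfo") and found["phase2"] is None:
            found["phase2"] = secs
    return found


def matching_phases(lifetimes, observed_secs, early_fraction=0.75):
    """Names of the phases whose lifetime the observed interval could belong to.

    ASSUMPTION (a heuristic, not a racoon constant): an SA gets replaced
    somewhere between early_fraction * lifetime and the full lifetime, so an
    interval inside that window is consistent with a rekey of that SA.
    """
    return [
        phase for phase, lifetime in lifetimes.items()
        if lifetime is not None
        and early_fraction * lifetime <= observed_secs <= lifetime
    ]


def diagnose(conf, observed_minutes):
    """Map each observed prompt interval (in minutes) to its candidate phases."""
    lifetimes = parse_lifetimes(conf)
    return {m: matching_phases(lifetimes, m * 60) for m in observed_minutes}


if __name__ == "__main__":
    print(parse_lifetimes(RACOON_CONF))
    # intervals reported in the first post: about 45 min, 48 min, 1 hour
    for mins, phases in diagnose(RACOON_CONF, (45, 48, 60)).items():
        print(f"{mins} min prompt interval -> {phases or 'no configured timer'}")
```

With the values in this thread, 45, 48 and 60 minutes all land inside the Phase 2 window (2700 to 3600 s) and nowhere near the 8-hour Phase 1 lifetime, so if you do experiment with lifetimes the sainfo one is the timer to try first. The script only says which configured lifetime the interval matches; it does not explain why the client asks for the password again at that point.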
                HannesMoe (Oct 20, 2012, 6:13 PM)

                hey guys,
                any news about this issue?

                I have the same problem
                pfSense 2.1 Beta0
                OS X clients 10.7.5 and 10.8.1

                  joegeorge (Oct 21, 2012, 12:32 AM)

                  From the reading I've been doing, this has to do with the way Apple has OS X set up. They require that the IPsec server specify that the client doesn't need to attempt reauthentication when rekeying. I'm guessing that the devs would have to patch racoon to do this, since I don't think it has this functionality by default.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.