IPSec Road Warrior re-authentication interval
-
Hi,
I googled and searched the forum; perhaps I don't know the precise terms to search, because I came up empty-handed.
I have road warrior up and running between 2.0.1-RELEASE (amd64) and Lion 10.7.3. Xauth authentication, password stored locally - does not ask for a password on connect. Everything works fine, except for one very annoying thing: approx. every 45 minutes (sometimes 48 mins, sometimes 1 hour), a window pops up and asks me to re-enter my password. How do I disable this behavior? If I connect, I want to stay connected without entering a password until I manually disconnect.
Thanks!
-
You might try increasing the P1/P2 lifetime values to see if that affects it. I'm not sure why it would force you to log back in when it re-keys, but that's the only thing I can think of that's on a timer in the default setup.
-
I have the same exact problem, on the same exact setup – have you been able to solve this annoying issue?
This is a blocker for using IPsec on mobile clients -- I can't ask users to have to re-auth every 40 mins (et al.) ... What is this issue? Is it a bug?
-
Has anyone made progress with this? Does increasing the lifetime fix it?
-
Changing the lifetime appears to have no effect.
pfSense 2.0.1
OS X 10.8.2
-
Does anyone out there have mobile clients working with either iOS or OS X clients which stay connected for long periods of time (rekey correctly)? If so, could you post your config?
Mine is:
remote anonymous {
    ph1id 2;
    exchange_mode aggressive;
    my_identifier address x.x.x.x;
    peers_identifier keyid tag "...";
    ike_frag on;
    generate_policy = unique;
    initial_contact = off;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;
    passive on;
    proposal {
        authentication_method xauth_psk_server;
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}
sainfo anonymous {
    remoteid 2;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}
mode_cfg {
    auth_source system;
    group_source system;
    pool_size 253;
    network4 192.168.103.1;
    netmask4 255.255.255.0;
    split_network include x.x.x.x/24;
    dns4 x.x.x.x;
    default_domain "x.x.x";
    split_dns "x.x.x";
    banner "/var/etc/racoon.motd";
    save_passwd on;
}
-
Hey guys,
Any news about this issue? I have the same problem.
pfSense 2.1 Beta0
OS X clients 10.7.5 and 10.8.1
-
From the reading I've been doing, this has to do with the way Apple has OS X set up. They require that the IPSec server specify that the client doesn't need to attempt reauthentication when rekeying. I'm guessing that the devs would have to patch racoon to do this, since I don't think it has this functionality by default.
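As an added diagnostic (not code from any poster in this thread), the script below parses the timer settings out of the racoon.conf posted above and lists which of them the observed prompt interval (roughly 45 minutes) plausibly lines up with: with the posted values only the phase 2 lifetime (3600 secs) is a candidate, which points at rekeying rather than DPD, although the thread also reports that changing the lifetime did not help. The rekey window (0.5 to 1.0 of a lifetime) is an assumption, and the embedded config is a constructed excerpt of the one posted.

```python
import re

# Constructed excerpt of the racoon.conf posted earlier in this thread,
# trimmed to its timer-related lines (placeholders kept as posted).
RACOON_CONF = """remote anonymous {
    dpd_delay = 10;
    dpd_maxfail = 5;
    proposal {
        authentication_method xauth_psk_server;
        lifetime time 28800 secs;
    }
}
sainfo anonymous {
    remoteid 2;
    lifetime time 3600 secs;
}"""

UNIT_SECONDS = {"sec": 1, "secs": 1, "min": 60, "mins": 60, "hour": 3600, "hours": 3600}  # racoon lifetime units

def parse_timers(conf):
    """Timers in seconds: phase 1 lifetime (remote { proposal { } }),
    phase 2 lifetime (sainfo { }) and the DPD window dpd_delay * dpd_maxfail.
    A stack of open block names tells the two lifetime lines apart."""
    timers, dpd, stack = {}, {}, []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.endswith("{"):            # block opens (remote / proposal / sainfo)
            stack.append(line.split()[0])
            continue
        if line == "}":                   # block closes
            stack.pop()
            continue
        m = re.match(r"lifetime\s+time\s+(\d+)\s+(\w+)\s*;", line)
        if m:
            key = "phase2_lifetime" if "sainfo" in stack else "phase1_lifetime"
            timers[key] = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
            continue
        m = re.match(r"(dpd_delay|dpd_maxfail)\s*=?\s*(\d+)\s*;", line)
        if m:
            dpd[m.group(1)] = int(m.group(2))
    if len(dpd) == 2:
        timers["dpd_dead_window"] = dpd["dpd_delay"] * dpd["dpd_maxfail"]
    return timers

def candidate_timers(timers, observed_seconds, low=0.5, high=1.0):
    """Timers the observed prompt interval could be tied to; peers usually
    rekey somewhat before a lifetime expires, so accept low..high of it (assumed window)."""
    return [name for name, value in sorted(timers.items())
            if low * value <= observed_seconds <= high * value]
```

Run `candidate_timers(parse_timers(RACOON_CONF), 45 * 60)` against your own racoon.conf text to see which timer, if any, matches the cadence you observe.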