PfSense to ASA VPN Phase 2 Issue
-
Hello everyone. I'm hoping some might be able to gain me some insight on an issue I'm working on.
I have pfSense firewalls at some sites that are establishing a site-to-site VPN tunnel back to an ASA at our main office. On the main office side I have two subnets I've specified as interesting. On the site office side I have one subnet.
The tunnel appears to establish on phase 1 without any issue, but only establishes one of the phase 2s at a time. If I start a continuous ping from subnet 1 destined for the remote network, the tunnel establishes a phase 2 connection for those networks. And if I start a continuous ping from subnet 2 of the main office, the tunnel establishes phase 2 for subnet 2, but dumps subnet 1.
I tried doing some research on it and came across a forum post that this used to be a bug. https://forum.pfsense.org/index.php?topic=87786.0
However, according to this post and documentation from pfSense, this should be resolved with firmware release 2.3. I am currently on 2.3. Does anyone have any ideas on where to start in figuring this out?
-
IKEv1 or IKEv2?
If you are really on 2.3 you should absolutely upgrade to 2.3.3-p1. There is a problem that halts traffic on interfaces after a lot of UDP traffic over IPsec that was fixed in later versions.
-
Had this issue as well, labing around a whole day with different encryptions, etc ended up in this config wich works now:
https://forum.pfsense.org/index.php?topic=128369.0I also got a working IKEv2 "vanilla" config from netgate support, wich I'll try when time is on my side. You can try it as well:
P1:
• ikev 2
• Encryption Algorithm AES256
• Hash Algorithm SHA1
• DH Group 5
• Lifetime (Seconds) 3600
P2:
• Encryption Algorithms AES256
• Hash Algorithms SHA1
• PFS key group 5
• Lifetime 3600 -
I would use much longer IKE (P1) and ipsec (P2) lifetimes. Something like 86400/28800 should be more than sufficient.
Most IPsec incompatibilities occur during re-key. Why make it re-key far more often than is necessary?
-
I would use much longer IKE (P1) and ipsec (P2) lifetimes. Something like 86400/28800 should be more than sufficient.
Most IPsec incompatibilities occur during re-key. Why make it re-key far more often than is necessary?
Yea, 99% of problems occurs when re-keying.
About the lifetimes I think you'd have to ask Netgate support since they provided the config. But personally, I will try to use longer lifetimes.