Disconnected phase 2 IPSEC pfsense2.4.4-FORTIGATE

Hello everyone,
Can anyone help me?
Please see my configuration in the pictures. IPsec can be established, but after a while the IPsec returns to inactive.
I have to disable and enable it to reconnect again.
Could you help me please?

I say something is wrong in your config.. IKE Phase 2?
Where in your config are these IPs 192.168.10.2/32 10.0.0.113/32?
I can see you have 192.168.10.0/24 and 10.0.0.0/16

I have configured 192.168.10.0/24 as the local LAN subnet (IPsec)
and 10.0.0.0/16 as the remote subnet (IPsec).
I didn't configure the subnets 192.168.10.2/32 and 10.0.0.113/32 anywhere.

Thank you very much kiokoman for your reply. Do you think the LAN subnet (IPsec) should be more specific?

Like what? If you have 10.0/24 and 0.0/16 on both sides it's ok.
Maybe try "Disable rekey" for a test.
Also you might try stopping and then starting the IPsec service (don't use the restart action).

Please take a look at the log file; here is my new phase 1 configuration.

Even though "Disable rekey" is checked, the IPsec still turns to inactive after about 30 min of connection.

You have another error here:
no acceptable DIFFIE_HELLMAN_GROUP found
Check:
Encryption Algorithm for PHASE 1 -> both sides must use the same settings
and
PFS key group for PHASE 2 -> both sides must use the same settings

Here is my configuration of the remote side.
Exactly, I had checked Diffie-Hellman Group 14 and 5 by error.
After rectifying this error, the status of IPsec turned to SESSION OUT OF TIME after about 1 hour.

@badiane
Hello
What is the lifetime value in pfSense's phase 2 settings? Also 3600 seconds?
Try, on the Fortigate side only, to reduce this value to 3000 seconds.

@Konstanti Thank you Konstanti. The problem is resolved with
- Enable Replay Detection checked
- Enable Perfect Forward Secrecy checked
- Auto-negotiate checked
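
The thread boils down to comparing both peers' phase 1 and phase 2 settings side by side: common DH group, common PFS group, mirrored traffic selectors, and lifetimes that are not identical. The script below is an added example that does that comparison for two peers; it is not code from this thread, pfSense or FortiOS, and the `Proposal` fields and sample values are assumptions constructed to mirror the settings discussed above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    """One peer's settings for one IKE phase (fields are an assumption)."""
    encryption: str            # e.g. "aes256"
    hash: str                  # e.g. "sha256"
    dh_groups: frozenset       # phase 1 DH groups, or phase 2 PFS groups
    lifetime: int              # seconds
    local_nets: frozenset = frozenset()    # phase 2 traffic selectors
    remote_nets: frozenset = frozenset()


def check_phase(name, a, b):
    """Return the mismatches between peer a and peer b for one phase."""
    issues = []
    if a.encryption != b.encryption or a.hash != b.hash:
        issues.append(f"{name}: cipher/hash differ "
                      f"({a.encryption}/{a.hash} vs {b.encryption}/{b.hash})")
    if not a.dh_groups & b.dh_groups:
        # the mismatch strongSwan reports as
        # "no acceptable DIFFIE_HELLMAN_GROUP found"
        issues.append(f"{name}: no common DH/PFS group "
                      f"({sorted(a.dh_groups)} vs {sorted(b.dh_groups)})")
    if a.lifetime == b.lifetime:
        # both peers would rekey at the same moment; the thread's advice
        # was to lower the lifetime on one side only (3600 s vs 3000 s)
        issues.append(f"{name}: identical lifetime {a.lifetime}s on both peers")
    if a.local_nets != b.remote_nets or a.remote_nets != b.local_nets:
        issues.append(f"{name}: traffic selectors are not mirrored")
    return issues


def check_tunnel(p1_a, p1_b, p2_a, p2_b):
    """Check both phases; an empty list means the proposals line up."""
    return check_phase("phase1", p1_a, p1_b) + check_phase("phase2", p2_a, p2_b)


# Constructed sample values modelled on the thread (not the poster's real config)
PF_P1 = Proposal("aes256", "sha256", frozenset({14}), 28800)
FG_P1 = Proposal("aes256", "sha256", frozenset({5}), 86400)     # DH 5 vs 14
NETS = (frozenset({"192.168.10.0/24"}), frozenset({"10.0.0.0/16"}))
PF_P2 = Proposal("aes256", "sha256", frozenset({14}), 3600, NETS[0], NETS[1])
FG_P2 = Proposal("aes256", "sha256", frozenset({14}), 3600, NETS[1], NETS[0])

if __name__ == "__main__":
    for issue in check_tunnel(PF_P1, FG_P1, PF_P2, FG_P2):
        print(issue)
```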