Netgate Discussion Forum

    IpSec Issue

    • kiokomanK
      kiokoman LAYER 8 @Sergio77
      last edited by kiokoman

      @sergio77
      post the log here,
      probably a rekey issue
      IKEv2 ? Make before Break under advanced options ?

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • S
        Sergio77 @kiokoman
        last edited by

        @kiokoman Log_IpSec.zip

        Behind Gateway Edge, 31.14.137.0/24 is used as the LAN (even if it's wrong...)...

        Thanks
        Sergio

        • kiokomanK
          kiokoman LAYER 8 @Sergio77
          last edited by kiokoman

          @sergio77

          Apr 22 10:40:29 pfSense charon[88632]: 08[JOB] CHILD_SA ESP/0xc5ad082e/IP_PUB_PFSENSE not found for rekey
          Apr 22 10:40:27 pfSense charon[88632]: 08[JOB] CHILD_SA ESP/0xc5ad082e/IP_PUB_PFSENSE not found for rekey
          Apr 22 10:40:24 pfSense charon[88632]: 08[NET] <con100000|2> sending packet: from IP_PUB_PFSENSE[500] to IP_PUB_GATEWAYEDGE[500] (80 bytes)
          Apr 22 10:40:24 pfSense charon[88632]: 08[ENC] <con100000|2> generating CREATE_CHILD_SA response 173 [ N(NO_PROP) ]
          Apr 22 10:40:24 pfSense charon[88632]: 08[CHD] <con100000|2> CHILD_SA con100000{214} state change: CREATED => DESTROYING
          Apr 22 10:40:24 pfSense charon[88632]: 08[IKE] <con100000|2> failed to establish CHILD_SA, keeping IKE_SA
          Apr 22 10:40:24 pfSense charon[88632]: 08[IKE] <con100000|2> no acceptable proposal found
          Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
          Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
          Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> no acceptable DIFFIE_HELLMAN_GROUP found
          

          DH group mismatch ?

          • S
            Sergio77 @kiokoman
            last edited by

            @kiokoman

            I don't think so... the connection is established correctly and it works for an hour... then stops working.

            Look at the screenshots, please: Edge.png PfSense.png

            • kiokomanK
              kiokoman LAYER 8 @Sergio77
              last edited by

              @sergio77

              how about phase2 -> PFS key group ?

              • S
                Sergio77 @kiokoman
                last edited by

                @kiokoman

                That's It!
                But I say, the tunnel is UP for 1 hour (more or less)...

                Schermata 2021-04-23 alle 09.45.49.png Schermata 2021-04-23 alle 09.45.38.png Schermata 2021-04-23 alle 09.45.08.png

                • L
                  lst_hoe @Sergio77
                  last edited by

                  @sergio77 Maybe this one? https://redmine.pfsense.org/issues/11524
                  Do you use AES-NI acceleration?

                  • S
                    Sergio77 @lst_hoe
                    last edited by

                    @lst_hoe said in IpSec Issue:

                    https://redmine.pfsense.org/issues/11524

                    I don't know... how can I check if it's enabled?

                    • L
                      lst_hoe @Sergio77
                      last edited by

                      @sergio77 System -> Advanced -> Miscellaneous -> Cryptographic Hardware
                      Try setting this to "None". You should also reboot to get it changed.

                      • kiokomanK
                        kiokoman LAYER 8 @Sergio77
                        last edited by

                        @sergio77

                        That's It!

                        the problem has been solved?

                        rekey happens every 54 minutes by default that's why the tunnel is UP for 1 hour (more or less)

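The comparison that resolved this thread (the ESP proposal pfSense has configured versus the one the peer sends at CHILD_SA rekey) can be run automatically over charon logs. The following is an added example, not part of any post above: the function names are hypothetical, the DH prefix list covers only the common strongSwan group names, and the sample lines are copied from the log posted earlier in the thread.

```python
import re

# Log lines copied from the post above (IP placeholders are the poster's own).
SAMPLE_LOG = """\
Apr 22 10:40:24 pfSense charon[88632]: 08[IKE] <con100000|2> failed to establish CHILD_SA, keeping IKE_SA
Apr 22 10:40:24 pfSense charon[88632]: 08[IKE] <con100000|2> no acceptable proposal found
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> no acceptable DIFFIE_HELLMAN_GROUP found
"""

LINE_RE = re.compile(
    r"\[CFG\] <(?P<conn>[^|>]+)\|\d+> (?P<side>configured|received) proposals: (?P<props>.+)$")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")  # assumption: common DH/PFS transform prefixes


def dh_groups(proposals):
    """DH groups offered across a comma-separated proposal list; 'NONE' means no PFS."""
    groups = set()
    for proposal in proposals.split(","):
        transforms = proposal.strip().partition(":")[2].split("/")
        found = {"NONE" if t == "MODP_NONE" else t
                 for t in transforms if t.startswith(DH_PREFIXES)}
        groups |= found or {"NONE"}  # a proposal without a DH transform has PFS off
    return groups


def find_pfs_mismatches(log_text):
    """Map connection -> (local groups, peer groups) when the two sets share nothing."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:  # the last configured/received pair seen per connection wins
            seen.setdefault(m["conn"], {})[m["side"]] = dh_groups(m["props"])
    mismatches = {}
    for conn, sides in seen.items():
        local, peer = sides.get("configured"), sides.get("received")
        if local is None or peer is None:
            continue  # both sides of the negotiation are needed to compare
        if not (local & peer):
            mismatches[conn] = (sorted(local), sorted(peer))
    return mismatches


if __name__ == "__main__":
    for conn, (local, peer) in find_pfs_mismatches(SAMPLE_LOG).items():
        print(f"{conn}: local PFS {local} vs peer PFS {peer}")
```

A result of `NONE` on one side only means that side has the Phase 2 PFS key group disabled while the other requires one, which is the condition behind the `N(NO_PROP)` response in the log.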