IKEv2 Issues between PF Sense and Cisco 1941



  • Hey everyone!

    I'm new to the forum but I was hoping to possibly find some help here on a weird issue we're having. I'm not a PF Sense expert, but I'll do my best to explain the situation.

    We have a Cisco ISR 1941 at our physical location; let's call this location site A. This connects with an IKEv2 VPN tunnel to our PF Sense (2.3.2), which we'll call site B. Site B is a colocation.

    Both phase 1 and phase 2 connect fine, and LAN traffic passes in both directions. However, according to Cisco TAC there is an IKEv2 issue with connecting to a third-party router (PF Sense, in this case). I still have a case open with Cisco TAC troubleshooting that, but wanted to check here to see if there was anything that could be done on the PF Sense to help the situation.

    The PF Sense appears to keep sending phase 1 re-key requests to the Cisco. The Cisco 1941 already has the tunnel established, so it discards the re-key request, but every time it does this the DH Sessions value increments, and it maxes out at 1050, which generally takes around 6-8 hours. Once this happens, the VPN tunnel goes down and the router needs to be restarted to clear all of the sessions.

    I know this is an issue with the Cisco. But does anyone know if there's a way to prevent the PF Sense from sending these re-key requests?

    Thanks



  • Hello,

    On pfSense you find this option in the tunnel config: VPN / IPsec / Tunnels / Edit Phase 1: check the box "Disable rekey" to disable renegotiation when a connection is about to expire.

    greez
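For readers who want to see what the "Disable rekey" checkbox actually changes underneath the GUI, here is an added example (not posted by either participant above): two strongSwan `ipsec.conf` fragments approximating the Phase 1 entry pfSense 2.3.x renders, first with the default rekey behaviour and then with rekey disabled. It assumes that pfSense 2.3.x drives strongSwan via `ipsec.conf` and that the checkbox maps to `rekey = no` on the `conn`; the peer addresses, connection name, proposals and lifetimes are placeholders chosen for illustration, not values from the thread.

```conf
# Added example, not the original poster's or the replier's configuration.
# Assumption: pfSense 2.3.x writes the Phase 1 entry into strongSwan's
# /var/etc/ipsec/ipsec.conf, and "Disable rekey" becomes "rekey = no".
# Addresses, proposals and lifetimes below are placeholders.

# --- Before: default pfSense behaviour ---------------------------------
# strongSwan (pfSense, site B) initiates an IKE SA rekey shortly before
# ikelifetime expires. A peer that refuses the CREATE_CHILD_SA rekey, as
# the Cisco 1941 in the thread does, sees a fresh attempt every time.
conn con1
        keyexchange = ikev2
        left = 203.0.113.10            # pfSense WAN address (site B, placeholder)
        right = 198.51.100.20          # Cisco 1941 outside address (site A, placeholder)
        leftsubnet = 10.20.0.0/24      # placeholder LAN behind pfSense
        rightsubnet = 10.10.0.0/24     # placeholder LAN behind the Cisco
        ike = aes256-sha256-modp2048!
        esp = aes256-sha256!
        ikelifetime = 28800s           # Phase 1 lifetime (8 h)
        lifetime = 3600s               # Phase 2 (child SA) lifetime
        rekey = yes                    # pfSense initiates IKE SA renegotiation
        reauth = no
        auto = route

# --- After: "Disable rekey" checked on the Phase 1 entry ---------------
# Identical apart from rekey = no: strongSwan no longer initiates
# renegotiation of this IKE SA. The SA is left to run until ikelifetime
# expires; either the Cisco rekeys it first, or it is torn down and
# set up again from scratch (auto = route re-triggers it on traffic).
conn con1
        keyexchange = ikev2
        left = 203.0.113.10
        right = 198.51.100.20
        leftsubnet = 10.20.0.0/24
        rightsubnet = 10.10.0.0/24
        ike = aes256-sha256-modp2048!
        esp = aes256-sha256!
        ikelifetime = 28800s
        lifetime = 3600s
        rekey = no                     # what the "Disable rekey" checkbox sets
        reauth = no
        auto = route
```

Two things worth checking after flipping the option: confirm on the pfSense side that the generated `ipsec.conf` really carries `rekey = no` for that `conn` (the mapping above is an assumption, not something the thread states), and watch the DH Sessions counter on the 1941 across one full `ikelifetime` to see whether it stops climbing. With rekey disabled the IKE SA is not renewed early, so the tunnel will drop and re-establish at the end of each lifetime unless the Cisco initiates the rekey itself; if that brief interruption matters, a longer Phase 1 lifetime reduces how often it happens but does not remove it.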