Netgate Discussion Forum
    How to disable keep alive on pfsense 2.3.2

    IPsec
    1 Posts 1 Posters 1.3k Views
    scet

      Hello Forum,

      I noticed that pfSense sends keep alives even if I didn't configure it on the P2.
      Lifetime set at 600s.
      When I start the tunnel from pfSense or the ASA, it shuts down correctly after these 10 min.
      When I start the tunnel with a connection, it stays up till 30 min and then goes down.

      Is there a setting to disable the keep alive? Or is the issue somewhere else (maybe on the Cisco ASA, even if the keep alive is sent from pfSense)?

      Setup details:
      2.3.2-RELEASE (amd64)
      FreeBSD 10.3-RELEASE-p5
      I use NAT-T.
      pfSense - Cisco ASA 5505

      pfSense config:
      conn con11000
      fragmentation = yes
      keyexchange = ikev1
      reauth = yes
      forceencaps = no
      mobike = no

      rekey = no
      installpolicy = yes
      type = tunnel
      dpdaction = none
      auto = route
      left = x.x.x.x
      right = x.x.x.x
      leftid = x.x.x.x
      ikelifetime = 600s
      lifetime = 600s
      ike = aes256-sha1-modp1024!
      esp = aes256-sha1-modp1024!
      leftauth = psk
      rightauth = psk
      rightid = x.x.x.x
      aggressive = no
      rightsubnet = x.x.x.x/28
      leftsubnet = x.x.x.x|x.x.x.x

      Logs:

      Nov 7 15:06:35 charon09[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:06:15 charon09[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:05:55 charon06[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:05:35 charon15[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:05:15 charon15[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:04:55 charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:04:35 charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:04:15 charon08[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:03:55 charon08[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:03:41 charon13[IKE] <con11000|100481> closing CHILD_SA con11000{62040} with SPIs c168c3b7_i (0 bytes) 2ff6274f_o (0 bytes) and TS x.x.x.x/32|x.x.x.x/32 === x.x.x.x/28|/0
      Nov 7 15:03:41 charon13[IKE] <con11000|100481> received DELETE for ESP CHILD_SA with SPI 2ff6274f
      Nov 7 15:03:41 charon13[ENC] <con11000|100481> parsed INFORMATIONAL_V1 request 3431964197 [ HASH D ]
      Nov 7 15:03:41 charon13[NET] <con11000|100481> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
      Nov 7 15:03:35 charon13[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:03:11 charon08[IKE] <con11000|100481> CHILD_SA con11000{62051} established with SPIs cd1bdf6f_i a02ce8ce_o and TS x.x.x.x/32|x.x.x.x/32 === x.x.x.x/28|/0
      Nov 7 15:03:11 charon08[CHD] <con11000|100481> SPI 0xa02ce8ce, src x.x.x.x dst x.x.x.x
      Nov 7 15:03:11 charon08[CHD] <con11000|100481> adding outbound ESP SA
      Nov 7 15:03:11 charon08[CHD] <con11000|100481> SPI 0xcd1bdf6f, src x.x.x.x dst x.x.x.x
      Nov 7 15:03:11 charon08[CHD] <con11000|100481> adding inbound ESP SA
      Nov 7 15:03:11 charon08[CHD] <con11000|100481> using HMAC_SHA1_96 for integrity
      Nov 7 15:03:11 charon08[CHD] <con11000|100481> using AES_CBC for encryption
      Nov 7 15:03:11 charon08[ENC] <con11000|100481> parsed QUICK_MODE request 3715783066 [ HASH ]
      Nov 7 15:03:11 charon08[NET] <con11000|100481> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
      Nov 7 15:03:11 charon08[NET] <con11000|100481> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (332 bytes)
      Nov 7 15:03:11 charon08[ENC] <con11000|100481> generating QUICK_MODE response 3715783066 [ HASH SA No KE ID ID ]
      Nov 7 15:03:11 charon08[IKE] <con11000|100481> detected rekeying of CHILD_SA con11000{62040}
      Nov 7 15:03:11 charon08[IKE] <con11000|100481> received 4608000000 lifebytes, configured 0
      Nov 7 15:03:11 charon08[IKE] <con11000|100481> received 600s lifetime, configured 0s
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> proposal matches
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> selecting proposal:
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> config: x.x.x.x/32|x.x.x.x/32, received: x.x.x.x/32|/0 => match: x.x.x.x/32|x.x.x.x/32
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> selecting traffic selectors for us:
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> config: x.x.x.x/28|/0, received: x.x.x.x/28|/0 => match: x.x.x.x/28|/0
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> selecting traffic selectors for other:
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> found matching child config "con11000" with prio 10
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> candidate "con11000" with prio 5+5
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> x.x.x.x/28|/0
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> proposing traffic selectors for other:
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> x.x.x.x/32|x.x.x.x/32
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> proposing traffic selectors for us:
      Nov 7 15:03:11 charon08[CFG] <con11000|100481> looking for a child config for x.x.x.x/32|/0 === x.x.x.x/28|/0
      Nov 7 15:03:11 charon08[ENC] <con11000|100481> parsed QUICK_MODE request 3715783066 [ HASH SA No KE ID ID ]
      Nov 7 15:03:11 charon08[NET] <con11000|100481> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (316 bytes)
      Nov 7 15:02:51 charon06[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:02:31 charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:02:11 charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:01:51 charon16[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:01:31 charon06[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:01:11 charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      Nov 7 15:00:51 charon10[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      

      Logs when the tunnel shuts down:

      Nov 7 15:08:17 charon09[IKE] <con11000|100494> IKE_SA con11000[100494] state change: DELETING => DESTROYING
      Nov 7 15:08:17 charon09[IKE] <con11000|100494> IKE_SA con11000[100494] state change: DELETING => DELETING
      Nov 7 15:08:17 charon09[IKE] <con11000|100494> IKE_SA con11000[100494] state change: ESTABLISHED => DELETING
      Nov 7 15:08:17 charon09[IKE] <con11000|100494> deleting IKE_SA con11000[100494] between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
      Nov 7 15:08:17 charon09[IKE] <con11000|100494> received DELETE for IKE_SA con11000[100494]
      Nov 7 15:08:17 charon09[ENC] <con11000|100494> parsed INFORMATIONAL_V1 request 685091757 [ HASH D ]
      Nov 7 15:08:17 charon09[NET] <con11000|100494> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
      Nov 7 15:08:17 charon05[IKE] <con11000|100494> closing CHILD_SA con11000{62051} with SPIs cd1bdf6f_i (0 bytes) a02ce8ce_o (0 bytes) and TS 193.246.60.248/32|172.21.96.12/32 === 192.9.200.96/28|/0
      Nov 7 15:08:17 charon05[IKE] <con11000|100494> received DELETE for ESP CHILD_SA with SPI a02ce8ce
      Nov 7 15:08:17 charon05[ENC] <con11000|100494> parsed INFORMATIONAL_V1 request 2279452261 [ HASH D ]
      Nov 7 15:08:17 charon05[NET] <con11000|100494> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
      Nov 7 15:08:01 charon13[IKE] <con11000|100494> sending keep alive to x.x.x.x[4500]
      Nov 7 15:07:51 charon15[IKE] <con11000|100481> IKE_SA con11000[100481] state change: DELETING => DESTROYING
      Nov 7 15:07:51 charon15[NET] <con11000|100481> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
      Nov 7 15:07:51 charon15[ENC] <con11000|100481> generating INFORMATIONAL_V1 request 2762325536 [ HASH D ]
      Nov 7 15:07:51 charon15[IKE] <con11000|100481> IKE_SA con11000[100481] state change: ESTABLISHED => DELETING
      Nov 7 15:07:51 charon15[IKE] <con11000|100481> sending DELETE for IKE_SA con11000[100481]
      Nov 7 15:07:51 charon15[IKE] <con11000|100481> deleting IKE_SA con11000[100481] between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
      Nov 7 15:07:51 charon15[IKE] <con11000|100481> activating ISAKMP_DELETE task
      Nov 7 15:07:51 charon15[IKE] <con11000|100481> activating new tasks
      Nov 7 15:07:51 charon15[IKE] <con11000|100481> queueing ISAKMP_DELETE task
      Nov 7 15:07:41 charon16[NET] <con11000|100494> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
      Nov 7 15:07:41 charon16[ENC] <con11000|100494> generating ID_PROT response 0 [ ID HASH ]
      Nov 7 15:07:41 charon16[IKE] <con11000|100494> IKE_SA con11000[100494] state change: CONNECTING => ESTABLISHED
      Nov 7 15:07:41 charon16[IKE] <con11000|100494> IKE_SA con11000[100494] established between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
      Nov 7 15:07:41 charon16[IKE] <con11000|100481> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
      Nov 7 15:07:41 charon16[CFG] <100494> selected peer config "con11000"
      Nov 7 15:07:41 charon16[CFG] <100494> candidate "con11000", match: 1/20/3100 (me/other/ike)
      Nov 7 15:07:41 charon16[CFG] <100494> candidate "con11000", match: 1/1/3100 (me/other/ike)
      Nov 7 15:07:35 charon13[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
      
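The charon lines in the post carry enough information to measure what the poster is asking about: how often the NAT-T keep alives go out, how long each CHILD_SA actually lived against the configured 600s, and which side tore the IKE_SA down. The script below is an added example (editor's code, not from the post, pfSense or strongSwan) that parses such lines and reports those numbers. Its sample log is constructed after the post's: RFC 5737 addresses stand in for x.x.x.x, the 14:53:11 "established" line for CHILD_SA {62040} is invented so that its lifetime can be measured, and a log year is assumed because charon does not write one.

```python
"""Added example: rebuild the SA timeline from strongSwan charon log lines.

Parses the [IKE] messages pfSense shows under Status > System Logs > IPsec
("sending keep alive", CHILD_SA established/closing, "detected rekeying",
IKE_SA DELETE, reauth) and reports the observed NAT-T keep alive period and
each CHILD_SA's measured lifetime for comparison with ipsec.conf.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

ASSUMED_YEAR = 2016  # charon logs no year; any fixed value gives comparable timestamps

# One charon line; the space before "charon" is optional because pfSense 2.3 omits it.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s*charon\d+\[[A-Z]+\]\s*"
    r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)>\s*(?P<msg>.*)$"
)
CHILD_UP_RE = re.compile(r"^CHILD_SA \S+\{(?P<child>\d+)\} established")
CHILD_DOWN_RE = re.compile(r"^closing CHILD_SA \S+\{(?P<child>\d+)\}")
REKEY_RE = re.compile(r"^detected rekeying of CHILD_SA \S+\{(?P<child>\d+)\}")

# Constructed sample modeled on the post (newest first, as pfSense lists them);
# the 14:53:11 line is invented so that CHILD_SA {62040} has a measurable lifetime.
SAMPLE_LOG = """\
Nov 7 15:08:17 charon09[IKE] <con11000|100494> received DELETE for IKE_SA con11000[100494]
Nov 7 15:08:17 charon05[IKE] <con11000|100494> closing CHILD_SA con11000{62051} with SPIs cd1bdf6f_i (0 bytes) a02ce8ce_o (0 bytes) and TS 192.0.2.10/32|198.51.100.10/32 === 203.0.113.96/28|/0
Nov 7 15:08:01 charon13[IKE] <con11000|100494> sending keep alive to 203.0.113.1[4500]
Nov 7 15:07:51 charon15[IKE] <con11000|100481> sending DELETE for IKE_SA con11000[100481]
Nov 7 15:07:41 charon16[IKE] <con11000|100481> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
Nov 7 15:07:41 charon16[CFG] <100494> selected peer config "con11000"
Nov 7 15:07:35 charon13[IKE] <con11000|100481> sending keep alive to 203.0.113.1[4500]
Nov 7 15:03:41 charon13[IKE] <con11000|100481> closing CHILD_SA con11000{62040} with SPIs c168c3b7_i (0 bytes) 2ff6274f_o (0 bytes) and TS 192.0.2.10/32|198.51.100.10/32 === 203.0.113.96/28|/0
Nov 7 15:03:35 charon13[IKE] <con11000|100481> sending keep alive to 203.0.113.1[4500]
Nov 7 15:03:11 charon08[IKE] <con11000|100481> CHILD_SA con11000{62051} established with SPIs cd1bdf6f_i a02ce8ce_o and TS 192.0.2.10/32|198.51.100.10/32 === 203.0.113.96/28|/0
Nov 7 15:03:11 charon08[IKE] <con11000|100481> detected rekeying of CHILD_SA con11000{62040}
Nov 7 15:02:51 charon06[IKE] <con11000|100481> sending keep alive to 203.0.113.1[4500]
Nov 7 15:02:31 charon07[IKE] <con11000|100481> sending keep alive to 203.0.113.1[4500]
Nov 7 15:02:11 charon07[IKE] <con11000|100481> sending keep alive to 203.0.113.1[4500]
Nov 7 14:53:11 charon08[IKE] <con11000|100481> CHILD_SA con11000{62040} established with SPIs c168c3b7_i 2ff6274f_o and TS 192.0.2.10/32|198.51.100.10/32 === 203.0.113.96/28|/0
""".splitlines()


def parse_line(line):
    """Return (timestamp, ike_sa_id, message), or None for lines without a <conn|id> tag."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse "Nov  7" to "Nov 7"
    ts = datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, int(m["ike"]), m["msg"]


def summarize(lines):
    """Per-IKE_SA and per-CHILD_SA facts from charon lines given in any order."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    keepalives, ike_sas, children = defaultdict(list), defaultdict(dict), defaultdict(dict)
    for ts, ike, msg in events:
        if msg.startswith("sending keep alive"):
            keepalives[ike].append(ts)
        elif msg.startswith("received DELETE for IKE_SA"):
            ike_sas[ike]["deleted_by"] = "peer"
        elif msg.startswith("sending DELETE for IKE_SA"):
            ike_sas[ike]["deleted_by"] = "local"
        elif msg.startswith("detected reauth of existing IKE_SA"):
            ike_sas[ike]["reauthed_at"] = ts
        elif m := CHILD_UP_RE.match(msg):
            children[int(m["child"])]["established"] = ts
        elif m := CHILD_DOWN_RE.match(msg):
            children[int(m["child"])]["closed"] = ts
        elif m := REKEY_RE.match(msg):
            # logged while answering the peer's QUICK_MODE request; with rekey = no
            # strongSwan never starts a rekey itself, so the peer did
            children[int(m["child"])]["rekey_request_from_peer"] = True
    for facts in children.values():
        if "established" in facts and "closed" in facts:
            facts["lifetime_s"] = int((facts["closed"] - facts["established"]).total_seconds())
    # the most common gap between consecutive keep alives of one IKE_SA is the period
    gaps = Counter(int((b - a).total_seconds())
                   for stamps in keepalives.values() for a, b in zip(stamps, stamps[1:]))
    return {
        "keepalive_count": sum(len(v) for v in keepalives.values()),
        "keepalive_period_s": gaps.most_common(1)[0][0] if gaps else None,
        "ike_sas": dict(ike_sas),
        "children": dict(children),
    }


def findings(summary, configured_lifetime_s):
    """Human-readable comparison of the measured timeline with the configuration."""
    out = []
    if (period := summary["keepalive_period_s"]) is not None:
        out.append(f"NAT-T keep alives every {period}s (strongSwan's charon.keep_alive default is 20s)")
    for cid, facts in sorted(summary["children"].items()):
        if "lifetime_s" in facts and facts["lifetime_s"] > configured_lifetime_s:
            who = " after the peer rekeyed it" if facts.get("rekey_request_from_peer") else ""
            out.append(f"CHILD_SA {{{cid}}} lived {facts['lifetime_s']}s, "
                       f"{facts['lifetime_s'] - configured_lifetime_s}s past lifetime = {configured_lifetime_s}s{who}")
    for ike, facts in sorted(summary["ike_sas"].items()):
        if "deleted_by" in facts:
            out.append(f"IKE_SA [{ike}] torn down by {facts['deleted_by']}")
    return out
```

Run against the post's own log the same way (paste the lines into `summarize`), the keep alive period comes out as 20 s, which is the default of strongSwan's `charon.keep_alive` setting in strongswan.conf; those packets are NAT-T keep alives that charon sends whenever UDP encapsulation on port 4500 is in use, independently of the P2 configuration, and the strongswan.conf documentation describes setting the value to 0 as disabling them. The script also makes the rekey visible: the "detected rekeying" line arrives in a QUICK_MODE request from the peer, and the old CHILD_SA is only closed when the peer's DELETE arrives, so a CHILD_SA can outlive the configured 600 s by that gap without pfSense having initiated anything.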
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.