How to disable keep alive on pfsense 2.3.2
-
Hello Forum,
I noticed that pfSense sends keep alives even if I didn't configure it on the P2.
Lifetime set at 600s.
When I start the tunnel from pfSense or the ASA, it shuts down correctly after these 10 min.
When I start the tunnel with a connection, it stays up until 30 min and then goes down. Is there a setting to disable the keep alive? Or is the issue somewhere else (maybe on the Cisco ASA, even if the keep alive is sent from pfSense)?
Details Setup:
2.3.2-RELEASE (amd64)
FreeBSD 10.3-RELEASE-p5
I use NAT-T.
pfSense - Cisco ASA 5505
Config pfSense:
conn con11000
fragmentation = yes
keyexchange = ikev1
reauth = yes
forceencaps = no
mobike = no
rekey = no
installpolicy = yes
type = tunnel
dpdaction = none
auto = route
left = x.x.x.x
right = x.x.x.x
leftid = x.x.x.x
ikelifetime = 600s
lifetime = 600s
ike = aes256-sha1-modp1024!
esp = aes256-sha1-modp1024!
leftauth = psk
rightauth = psk
rightid = x.x.x.x
aggressive = no
rightsubnet = x.x.x.x/28
leftsubnet = x.x.x.x|x.x.x.x
Logs:
Nov 7 15:06:35charon09[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:06:15charon09[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:05:55charon06[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:05:35charon15[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:05:15charon15[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:04:55charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:04:35charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:04:15charon08[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:03:55charon08[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:03:41charon13[IKE] <con11000|100481> closing CHILD_SA con11000{62040} with SPIs c168c3b7_i (0 bytes) 2ff6274f_o (0 bytes) and TS x.x.x.x/32|x.x.x.x/32 === x.x.x.x/28|/0
Nov 7 15:03:41charon13[IKE] <con11000|100481> received DELETE for ESP CHILD_SA with SPI 2ff6274f
Nov 7 15:03:41charon13[ENC] <con11000|100481> parsed INFORMATIONAL_V1 request 3431964197 [ HASH D ]
Nov 7 15:03:41charon13[NET] <con11000|100481> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
Nov 7 15:03:35charon13[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:03:11charon08[IKE] <con11000|100481> CHILD_SA con11000{62051} established with SPIs cd1bdf6f_i a02ce8ce_o and TS x.x.x.x/32|x.x.x.x/32 === x.x.x.x/28|/0
Nov 7 15:03:11charon08[CHD] <con11000|100481> SPI 0xa02ce8ce, src x.x.x.x dst x.x.x.x
Nov 7 15:03:11charon08[CHD] <con11000|100481> adding outbound ESP SA
Nov 7 15:03:11charon08[CHD] <con11000|100481> SPI 0xcd1bdf6f, src x.x.x.x dst x.x.x.x
Nov 7 15:03:11charon08[CHD] <con11000|100481> adding inbound ESP SA
Nov 7 15:03:11charon08[CHD] <con11000|100481> using HMAC_SHA1_96 for integrity
Nov 7 15:03:11charon08[CHD] <con11000|100481> using AES_CBC for encryption
Nov 7 15:03:11charon08[ENC] <con11000|100481> parsed QUICK_MODE request 3715783066 [ HASH ]
Nov 7 15:03:11charon08[NET] <con11000|100481> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
Nov 7 15:03:11charon08[NET] <con11000|100481> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (332 bytes)
Nov 7 15:03:11charon08[ENC] <con11000|100481> generating QUICK_MODE response 3715783066 [ HASH SA No KE ID ID ]
Nov 7 15:03:11charon08[IKE] <con11000|100481> detected rekeying of CHILD_SA con11000{62040}
Nov 7 15:03:11charon08[IKE] <con11000|100481> received 4608000000 lifebytes, configured 0
Nov 7 15:03:11charon08[IKE] <con11000|100481> received 600s lifetime, configured 0s
Nov 7 15:03:11charon08[CFG] <con11000|100481> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov 7 15:03:11charon08[CFG] <con11000|100481> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov 7 15:03:11charon08[CFG] <con11000|100481> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov 7 15:03:11charon08[CFG] <con11000|100481> proposal matches
Nov 7 15:03:11charon08[CFG] <con11000|100481> selecting proposal:
Nov 7 15:03:11charon08[CFG] <con11000|100481> config: x.x.x.x/32|x.x.x.x/32, received: x.x.x.x/32|/0 => match: x.x.x.x/32|x.x.x.x/32
Nov 7 15:03:11charon08[CFG] <con11000|100481> selecting traffic selectors for us:
Nov 7 15:03:11charon08[CFG] <con11000|100481> config: x.x.x.x/28|/0, received: x.x.x.x/28|/0 => match: x.x.x.x/28|/0
Nov 7 15:03:11charon08[CFG] <con11000|100481> selecting traffic selectors for other:
Nov 7 15:03:11charon08[CFG] <con11000|100481> found matching child config "con11000" with prio 10
Nov 7 15:03:11charon08[CFG] <con11000|100481> candidate "con11000" with prio 5+5
Nov 7 15:03:11charon08[CFG] <con11000|100481> x.x.x.x/28|/0
Nov 7 15:03:11charon08[CFG] <con11000|100481> proposing traffic selectors for other:
Nov 7 15:03:11charon08[CFG] <con11000|100481> x.x.x.x/32|x.x.x.x/32
Nov 7 15:03:11charon08[CFG] <con11000|100481> proposing traffic selectors for us:
Nov 7 15:03:11charon08[CFG] <con11000|100481> looking for a child config for x.x.x.x/32|/0 === x.x.x.x/28|/0
Nov 7 15:03:11charon08[ENC] <con11000|100481> parsed QUICK_MODE request 3715783066 [ HASH SA No KE ID ID ]
Nov 7 15:03:11charon08[NET] <con11000|100481> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (316 bytes)
Nov 7 15:02:51charon06[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:02:31charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:02:11charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:01:51charon16[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:01:31charon06[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:01:11charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:00:51charon10[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Logs when the tunnel shuts down:
Nov 7 15:08:17charon09[IKE] <con11000|100494> IKE_SA con11000[100494] state change: DELETING => DESTROYING
Nov 7 15:08:17charon09[IKE] <con11000|100494> IKE_SA con11000[100494] state change: DELETING => DELETING
Nov 7 15:08:17charon09[IKE] <con11000|100494> IKE_SA con11000[100494] state change: ESTABLISHED => DELETING
Nov 7 15:08:17charon09[IKE] <con11000|100494> deleting IKE_SA con11000[100494] between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
Nov 7 15:08:17charon09[IKE] <con11000|100494> received DELETE for IKE_SA con11000[100494]
Nov 7 15:08:17charon09[ENC] <con11000|100494> parsed INFORMATIONAL_V1 request 685091757 [ HASH D ]
Nov 7 15:08:17charon09[NET] <con11000|100494> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov 7 15:08:17charon05[IKE] <con11000|100494> closing CHILD_SA con11000{62051} with SPIs cd1bdf6f_i (0 bytes) a02ce8ce_o (0 bytes) and TS 193.246.60.248/32|172.21.96.12/32 === 192.9.200.96/28|/0
Nov 7 15:08:17charon05[IKE] <con11000|100494> received DELETE for ESP CHILD_SA with SPI a02ce8ce
Nov 7 15:08:17charon05[ENC] <con11000|100494> parsed INFORMATIONAL_V1 request 2279452261 [ HASH D ]
Nov 7 15:08:17charon05[NET] <con11000|100494> received packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
Nov 7 15:08:01charon13[IKE] <con11000|100494> sending keep alive to x.x.x.x[4500]
Nov 7 15:07:51charon15[IKE] <con11000|100481> IKE_SA con11000[100481] state change: DELETING => DESTROYING
Nov 7 15:07:51charon15[NET] <con11000|100481> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (92 bytes)
Nov 7 15:07:51charon15[ENC] <con11000|100481> generating INFORMATIONAL_V1 request 2762325536 [ HASH D ]
Nov 7 15:07:51charon15[IKE] <con11000|100481> IKE_SA con11000[100481] state change: ESTABLISHED => DELETING
Nov 7 15:07:51charon15[IKE] <con11000|100481> sending DELETE for IKE_SA con11000[100481]
Nov 7 15:07:51charon15[IKE] <con11000|100481> deleting IKE_SA con11000[100481] between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
Nov 7 15:07:51charon15[IKE] <con11000|100481> activating ISAKMP_DELETE task
Nov 7 15:07:51charon15[IKE] <con11000|100481> activating new tasks
Nov 7 15:07:51charon15[IKE] <con11000|100481> queueing ISAKMP_DELETE task
Nov 7 15:07:41charon16[NET] <con11000|100494> sending packet: from x.x.x.x[4500] to x.x.x.x[4500] (76 bytes)
Nov 7 15:07:41charon16[ENC] <con11000|100494> generating ID_PROT response 0 [ ID HASH ]
Nov 7 15:07:41charon16[IKE] <con11000|100494> IKE_SA con11000[100494] state change: CONNECTING => ESTABLISHED
Nov 7 15:07:41charon16[IKE] <con11000|100494> IKE_SA con11000[100494] established between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
Nov 7 15:07:41charon16[IKE] <con11000|100481> detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
Nov 7 15:07:41charon16[CFG] <100494> selected peer config "con11000"
Nov 7 15:07:41charon16[CFG] <100494> candidate "con11000", match: 1/20/3100 (me/other/ike)
Nov 7 15:07:41charon16[CFG] <100494> candidate "con11000", match: 1/1/3100 (me/other/ike)
Nov 7 15:07:35charon13[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
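Reading a charon log like the one above by hand is error prone, because the pfSense log viewer lists entries newest first and mixes several IKE_SA ids. The following Python script is an added example, not part of the original post or of pfSense or strongSwan. It parses lines in the exact shape quoted above (the extraction glued the timestamp to the word "charon", and the script accepts that), sorts them chronologically, and answers the three questions a defender would ask of this log: how often the "sending keep alive" messages occur per IKE_SA, how long each CHILD_SA lived between "established" and "closing", and whether each IKE_SA DELETE was received from the peer or sent locally. The sample lines are a constructed subset of the poster's log; the function and variable names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the charon lines quoted in the post
# (newest first, timestamp glued to "charon" as in the extracted page).
# Only lines relevant to the timeline are reproduced.
SAMPLE_LOG = """\
Nov 7 15:08:17charon09[IKE] <con11000|100494> received DELETE for IKE_SA con11000[100494]
Nov 7 15:08:17charon05[IKE] <con11000|100494> closing CHILD_SA con11000{62051} with SPIs cd1bdf6f_i (0 bytes) a02ce8ce_o (0 bytes) and TS x.x.x.x/32|x.x.x.x/32 === x.x.x.x/28|/0
Nov 7 15:08:01charon13[IKE] <con11000|100494> sending keep alive to x.x.x.x[4500]
Nov 7 15:07:51charon15[IKE] <con11000|100481> sending DELETE for IKE_SA con11000[100481]
Nov 7 15:07:41charon16[IKE] <con11000|100494> IKE_SA con11000[100494] established between x.x.x.x[x.x.x.x]...x.x.x.x[x.x.x.x]
Nov 7 15:07:41charon16[CFG] <100494> selected peer config "con11000"
Nov 7 15:03:41charon13[IKE] <con11000|100481> closing CHILD_SA con11000{62040} with SPIs c168c3b7_i (0 bytes) 2ff6274f_o (0 bytes) and TS x.x.x.x/32|x.x.x.x/32 === x.x.x.x/28|/0
Nov 7 15:03:11charon08[IKE] <con11000|100481> CHILD_SA con11000{62051} established with SPIs cd1bdf6f_i a02ce8ce_o and TS x.x.x.x/32|x.x.x.x/32 === x.x.x.x/28|/0
Nov 7 15:03:11charon08[IKE] <con11000|100481> received 600s lifetime, configured 0s
Nov 7 15:02:51charon06[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:02:31charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
Nov 7 15:02:11charon07[IKE] <con11000|100481> sending keep alive to x.x.x.x[4500]
"""

# One charon line: "<Mon> <day> <HH:MM:SS>charon<thread>[<group>] <ctx> <message>".
# The context is either "<conn|ike_id>" or just "<ike_id>" before a peer config is selected.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
    r"\s*charon(?P<thread>\d+)\[(?P<group>[A-Z]+)\]\s+<(?P<ctx>[^>]*)>\s+(?P<msg>.*)$"
)
CHILD_EST_RE = re.compile(r"CHILD_SA [^{\s]+\{(\d+)\} established")
CHILD_CLOSE_RE = re.compile(r"closing CHILD_SA [^{\s]+\{(\d+)\}")


def parse_line(line):
    """Parse one charon line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog carries no year; all entries here are within one day, so
    # strptime's default year is fine for computing differences.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    conn, _, ike_id = m["ctx"].rpartition("|")
    return {"ts": ts, "thread": int(m["thread"]), "group": m["group"],
            "conn": conn or None, "ike_id": int(ike_id), "msg": m["msg"]}


def parse_log(text):
    """Parse all lines and return them oldest first (the GUI shows newest first)."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])
    return entries


def keepalive_intervals(entries):
    """Seconds between consecutive 'sending keep alive' messages, per IKE_SA id."""
    stamps = defaultdict(list)
    for e in entries:
        if e["msg"].startswith("sending keep alive"):
            stamps[e["ike_id"]].append(e["ts"])
    return {ike_id: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for ike_id, ts in stamps.items()}


def child_sa_lifetimes(entries):
    """Seconds each CHILD_SA (by its {unique id}) lived between established and closing."""
    established, closed = {}, {}
    for e in entries:
        if m := CHILD_EST_RE.search(e["msg"]):
            established[int(m[1])] = e["ts"]
        elif m := CHILD_CLOSE_RE.search(e["msg"]):
            closed[int(m[1])] = e["ts"]
    return {uid: int((closed[uid] - established[uid]).total_seconds())
            for uid in established if uid in closed}


def ike_delete_origin(entries):
    """Whether each IKE_SA DELETE was 'received' from the peer or sent 'locally'."""
    origin = {}
    for e in entries:
        if "DELETE for IKE_SA" in e["msg"]:
            origin[e["ike_id"]] = "peer" if e["msg"].startswith("received") else "local"
    return origin


def summarize(text):
    entries = parse_log(text)
    return {"keepalive_intervals_s": keepalive_intervals(entries),
            "child_sa_lifetimes_s": child_sa_lifetimes(entries),
            "ike_delete_origin": ike_delete_origin(entries)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample the script reports a constant 20 s keep-alive interval for IKE_SA 100481, a 306 s life for CHILD_SA {62051} (established at 15:03:11 during the rekey, closed at 15:08:17), and that the final IKE_SA DELETE was received from the peer while the earlier one (the reauth of 100481) was sent locally. Those three numbers are what separate "strongSwan tore it down on lifetime expiry" from "the far end sent a DELETE", which is the question the post is really asking. The 20 s cadence matches strongSwan's NAT-T keep-alive timer (the charon.keep_alive option in strongswan.conf, 20 s by default); it is tied to NAT-T being detected, not to the P2 lifetime.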