Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IKEv2 with MS-EAP disconnects after 20-30mins

    Scheduled Pinned Locked Moved IPsec
    4 Posts 2 Posters 1.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N Offline
      nippertje
      last edited by

      Hi,

      I have spent a lot of time trying to gt IKEv2 vpn working with the in-built client from Microsoft and with the good help of the forum, have it working OK-ish. The vpn connects (using Win in-built or StrongSWAN for Mac) OK and is useable either with or without split routing. The problem comes after a period of time (sometimes up to an hour but usually within 30 mins) the client stops tunnelling traffic and the connection needs to be forcibly closed.

      I have managed to capture the below (masked) log of what happens when this occurs and wonder if anybody can help me make sense of it and how I might resolve the problem.

      thanks in advance for looking

      James

      <30>Feb  1 22:08:33 charon: 15[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:08:33.631

      192.168.120.254 01/02 22:08:33.632

      <30>Feb  1 22:08:33 charon: 15[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:08:33.633
      <30>Feb  1 22:08:33 charon: 15[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:08:33.687
      192.168.120.254 01/02 22:08:33.689

      <30>Feb  1 22:08:43 charon: 10[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:08:43.643
      192.168.120.254 01/02 22:08:43.644

      <30>Feb  1 22:08:43 charon: 10[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:08:43.646
      <30>Feb  1 22:08:43 charon: 10[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:08:43.667
      192.168.120.254 01/02 22:08:43.668

      <30>Feb  1 22:08:53 charon: 13[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:08:53.658
      192.168.120.254 01/02 22:08:53.659

      <30>Feb  1 22:08:53 charon: 13[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:08:53.660
      <30>Feb  1 22:08:53 charon: 13[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:08:53.666
      192.168.120.254 01/02 22:08:53.667

      <30>Feb  1 22:09:03 charon: 12[IKE] <con3|14499>sending DPD request 192.168.120.254 01/02 22:09:03.670
      192.168.120.254 01/02 22:09:03.671

      <30>Feb  1 22:09:03 charon: 12[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:09:03.673
      <30>Feb  1 22:09:03 charon: 12[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (60 bytes) 192.168.120.254 01/02 22:09:03.678
      192.168.120.254 01/02 22:09:03.679

      <30>Feb  1 22:09:07 charon: 08[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (428 bytes) 192.168.120.254 01/02 22:09:07.432
      <30>Feb  1 22:09:07 charon: 08[ENC] <con3|14499>parsed CREATE_CHILD_SA request 10 [ SA No TSi TSr ] 192.168.120.254 01/02 22:09:07.434
      <30>Feb  1 22:09:07 charon: 08[IKE] <con3|14499>traffic selectors 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0 inacceptable 192.168.120.254 01/02 22:09:07.435
      <30>Feb  1 22:09:07 charon: 08[IKE] <con3|14499>failed to establish CHILD_SA, keeping IKE_SA 192.168.120.254 01/02 22:09:07.436
      <30>Feb  1 22:09:07 charon: 08[ENC] <con3|14499>generating CREATE_CHILD_SA response 10 [ N(TS_UNACCEPT) ] 192.168.120.254 01/02 22:09:07.438
      <30>Feb  1 22:09:07 charon: 08[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (68 bytes) 192.168.120.254 01/02 22:09:07.439
      <30>Feb  1 22:09:10 charon: 14[NET] <con3|14499>received packet: from 176.26.31.75[39060] to 88.211.xxx.xxx[4500] (68 bytes) 192.168.120.254 01/02 22:09:11.163
      <30>Feb  1 22:09:10 charon: 14[ENC] <con3|14499>parsed INFORMATIONAL request 11 [ D ] 192.168.120.254 01/02 22:09:11.165
      <30>Feb  1 22:09:10 charon: 14[IKE] <con3|14499>received DELETE for IKE_SA con3[14499] 192.168.120.254 01/02 22:09:11.168
      <30>Feb  1 22:09:10 charon: 14[IKE] <con3|14499>deleting IKE_SA con3[14499] between 88.211.xxx.xxx[itb-her-gw-1.xxxxxxxx.co.uk]…176.26.31.75[192.168.200.28] 192.168.120.254 01/02 22:09:11.169
      <30>Feb  1 22:09:10 charon: 14[IKE] <con3|14499>IKE_SA deleted 192.168.120.254 01/02 22:09:11.171
      192.168.120.254 01/02 22:09:11.172

      <30>Feb  1 22:09:10 charon: 14[NET] <con3|14499>sending packet: from 88.211.xxx.xxx[4500] to 176.26.31.75[39060] (60 bytes) 192.168.120.254 01/02 22:09:11.173
      <30>Feb  1 22:09:10 charon: 14[CFG] <con3|14499>lease 192.168.125.3 by 'xxxxxxxx\xxxxx' went offline 192.168.120.254 01/02 22:09:11.175</con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499></con3|14499>

      1 Reply Last reply Reply Quote 0
      • N Offline
        nippertje
        last edited by

        Sorted it out myself. If anybody else has this issue, make sure you haven't got 'PFS key group' set to anything else but 'off' - through troubleshooting issues with it not working with latest Insider Release of Windows 10, it got switched on. Doh!

        1 Reply Last reply Reply Quote 0
        • L Offline
          lst_hoe
          last edited by

          Are you sure that the problem is solved?
          We struggle with Windows 10 1607 since some update pack introduced the "feature" that the VPN is hang-up after some short time without traffic. Windows 10 1511 fully patched and Windows 7 are working fine with the very same settings. To reproduce open the VPN, do some ping across the VPN to see its working and than do nothing for around 5 minutes. The next ping fail and the VPN is closed. This is with all Windows 10 1607 machine at patch level higher than around 11/2016.
          It would be nice if you can confirm either that this scenario is working for you or the same error with idle VPN and Windows 10 1607. The "PFS key group" is set to "off" in our case and was never touched.

          Regards

          Andreas

          1 Reply Last reply Reply Quote 0
          • L Offline
            lst_hoe
            last edited by

            Looks like this one BTW:

            https://answers.microsoft.com/en-us/windows/forum/windows_10-networking/vpn-disconnect-after-1-minute-of-inactivity/3f21310c-d1db-4816-81b1-670fb2c614b2

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.