Connected VPN mobile clients stop working after ~15mins
-
Good morning,
I have set up mobile VPN following this guide - https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2
Everything appears to be working except for after a little while the client shows it is connected but traffic doesn't appear to be passing. Disconnecting and reconnecting fixes this every time. I did try a quick test from a second device of leaving open a monitoring webpage that should keep updating to see if this was due to idle time but this doesn't seem to make any difference.
Apologies for the lack of detail here, I am not at home right now. I can provide logs and configurations when I get back but if anyone can suggest where to start looking I would be most grateful, thank you.
-
tl;dr - I misread the guide. Hope this helps someone else.
This is what I think is relevant from the logs.
Jun 5 13:47:04 charon 10[ENC] <con1|364>generating CREATE_CHILD_SA response 29 [ N(NO_PROP) ]
Jun 5 13:47:04 charon 10[IKE] <con1|364>failed to establish CHILD_SA, keeping IKE_SA
Jun 5 13:47:04 charon 10[IKE] <con1|364>no acceptable proposal found
Jun 5 13:47:04 charon 10[CFG] <con1|364>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jun 5 13:47:04 charon 10[CFG] <con1|364>received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jun 5 13:47:04 charon 10[ENC] <con1|364>parsed CREATE_CHILD_SA request 29 [ SA No TSi TSr ]
Being new to this I took a guess that I'd configured MODP_1024 on pfSense but my phone didn't support this:
pfSense: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Phone: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
I only had two values in my setup that looked like they were 1024 and realised I had read the guide wrong and enabled or left at default PFS. Disabling it seems to have resolved this.
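
An added example, not part of the original posts: a Python check over charon log lines in the format quoted above that flags a configured/received CHILD_SA proposal pair differing only in the DH (PFS) group, which is the mismatch the poster found by eye. The function names and the DH-name prefixes are assumptions of this example; the sample log is constructed from the lines in the thread.

```python
import re

# Constructed sample, copied from the two [CFG] lines quoted in the thread.
SAMPLE_LOG = """\
Jun 5 13:47:04 charon 10[CFG] <con1|364>configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jun 5 13:47:04 charon 10[CFG] <con1|364>received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
"""

# Assumption: DH group tokens in a proposal string start with one of these.
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")
LINE_RE = re.compile(
    r"<(?P<conn>[^>|]+)\|(?P<sa>\d+)>\s*"
    r"(?P<side>configured|received) proposals: (?P<props>.+)$"
)

def parse_proposal(text):
    """Split 'ESP:A/B/DH/C' into (protocol, non-DH algorithms, DH group or None)."""
    proto, _, rest = text.strip().partition(":")
    algs = rest.split("/")
    dh = next((a for a in algs if a.startswith(DH_PREFIXES)), None)
    others = frozenset(a for a in algs if not a.startswith(DH_PREFIXES))
    return proto, others, dh

def find_pfs_mismatches(log_text):
    """Return proposal pairs that agree on everything except the DH group."""
    seen = {}  # (conn, sa) -> {"configured": [...], "received": [...]}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            props = [parse_proposal(p) for p in m["props"].split(",")]
            seen.setdefault((m["conn"], m["sa"]), {})[m["side"]] = props
    findings = []
    for (conn, sa), sides in seen.items():
        for cproto, calgs, cdh in sides.get("configured", []):
            for rproto, ralgs, rdh in sides.get("received", []):
                if cproto == rproto and calgs == ralgs and cdh != rdh:
                    findings.append({"conn": conn, "sa": sa,
                                     "configured_dh": cdh, "received_dh": rdh})
    return findings

if __name__ == "__main__":
    for f in find_pfs_mismatches(SAMPLE_LOG):
        print(f"{f['conn']}|{f['sa']}: gateway wants {f['configured_dh']}, "
              f"client offered {f['received_dh']} (PFS setting differs)")
```

A finding with `received_dh` of `None` means the client sent no DH group for the CHILD_SA, so the two ends disagree on whether PFS is used at rekey.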