Netgate Discussion Forum
    Connected VPN mobile clients stop working after ~15mins

    IPsec

    jonesr:

      Good morning,

      I have set up mobile VPN following this guide - https://doc.pfsense.org/index.php/IKEv2_with_EAP-MSCHAPv2

      Everything appears to be working, except that after a little while the client shows it is connected but traffic doesn't appear to be passing. Disconnecting and reconnecting fixes this every time. I did try a quick test from a second device of leaving open a monitoring webpage that should keep updating, to see if this was due to idle time, but this doesn't seem to make any difference.

      Apologies for the lack of detail here, I am not at home right now. I can provide logs and configurations when I get back, but if anyone can suggest where to start looking I would be most grateful, thank you.

      pfSense AMD64 VGA - Assume latest version.
      Suricata, pfBlockerNG, SquidGuard, squid3.

      jonesr:

        tl;dr - I misread the guide. Hope this helps someone else.

        This is what I think is relevant from the logs.

        Jun 5 13:47:04 charon 10[ENC] <con1|364> generating CREATE_CHILD_SA response 29 [ N(NO_PROP) ]
        Jun 5 13:47:04 charon 10[IKE] <con1|364> failed to establish CHILD_SA, keeping IKE_SA
        Jun 5 13:47:04 charon 10[IKE] <con1|364> no acceptable proposal found
        Jun 5 13:47:04 charon 10[CFG] <con1|364> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
        Jun 5 13:47:04 charon 10[CFG] <con1|364> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
        Jun 5 13:47:04 charon 10[CFG] <con1|364> parsed CREATE_CHILD_SA request 29 [ SA No TSi TSr ]

        Being new to this, I took a guess that I'd configured MODP_1024 on pfSense but my phone didn't support this:

        pfSense: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
        Phone: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ

        I only had two values in my setup that looked like they were 1024 and realised I had read the guide wrong and enabled, or left at default, PFS. Disabling it seems to have resolved this.

        pfSense AMD64 VGA - Assume latest version.
        Suricata, pfBlockerNG, SquidGuard, squid3.

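An added check, not from this thread or from pfSense/strongSwan, that automates the comparison jonesr did by hand: it pulls the "configured proposals" and "received proposals" lines out of a charon log and flags the case where the peer's ESP transforms match ours except that it sent no DH group at all, which is what a PFS group enabled on pfSense but not on the client looks like at CHILD_SA rekey. The sample log lines are constructed to mirror the ones quoted above.

```python
import re

# Constructed sample charon log lines modelled on the ones quoted above (not a real capture).
SAMPLE_LOG = """\
Jun 5 13:47:04 charon 10[IKE] <con1|364> no acceptable proposal found
Jun 5 13:47:04 charon 10[CFG] <con1|364> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jun 5 13:47:04 charon 10[CFG] <con1|364> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
"""

PROPOSAL_RE = re.compile(r"(configured|received) proposals: (.*)$")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")  # DH group transforms, i.e. the PFS setting


def parse_proposals(text):
    """'ESP:A/B/C, ESP:D/E' -> [('ESP', ['A','B','C']), ('ESP', ['D','E'])]."""
    out = []
    for prop in text.split(", "):
        proto, _, transforms = prop.partition(":")
        out.append((proto, transforms.split("/")))
    return out


def dh_group(transforms):
    """Return the DH group transform in a proposal, or None if it carries none."""
    return next((t for t in transforms if t.startswith(DH_PREFIXES)), None)


def diagnose_pfs_mismatch(log):
    """Pair configured/received proposals from a charon log and return
    [(proto, local_dh_group)] for each case where the peer's transforms equal ours
    minus the DH group, i.e. PFS is enabled locally but the peer offers none."""
    configured, received = [], []
    for line in log.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            (configured if m.group(1) == "configured" else received).extend(
                parse_proposals(m.group(2)))
    findings = []
    for proto, conf in configured:
        conf_dh = dh_group(conf)
        if conf_dh is None:
            continue  # no PFS group locally, so the mismatch is something else
        conf_rest = [t for t in conf if t != conf_dh]
        for rproto, recv in received:
            if rproto == proto and dh_group(recv) is None and recv == conf_rest:
                findings.append((proto, conf_dh))
    return findings


if __name__ == "__main__":
    print(diagnose_pfs_mismatch(SAMPLE_LOG))  # [('ESP', 'MODP_1024')]
```

The fix is then either to disable PFS on the pfSense phase 2 or to enable the same DH group on the client; either side alone cannot negotiate around it.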
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.