Netgate Discussion Forum

    IPSEC - Pfsense to Endian

    Category: IPsec · 1 post, 1 poster, 613 views
    plouro

      Hi all,

      Need some advice: there is something really weird happening with this IPsec connection between my pfSense and our client's Endian firewall.

      Besides this one, I have another 3 IPsec connections, two for Azure and one for another pfSense, which work great and have never had problems.

      The behavior is as follows: randomly the traffic between sites drops, and neither we nor our client have traffic; note that both Phase 1 and Phase 2 are still up.

      I bolded an AUTH_LIFETIME which is weird: I'm receiving a LIFETIME of 311039045s for Phase 1? Could this be what causes the traffic

      Please Advise,
      Thank You

      This is our configuration:

      Phase 1 Negotiation
      IKE v2
      Auth Mutual PSK
      Negotiation Main
      My Identifier IP Address
      Peer Identifier IP Address

      Phase 1 Algorithms
      Encryption Algorithm AES - 128 bits
      Hash Algorithm SHA256
      DH Group 5
      Lifetime 86400

      Dead Peer Detection
      Delay 20
      Max Failures 10

      Phase 2 Proposals (SA/KEY)
      Protocol ESP
      Encryption Algorithms AES - 128bits
      Hash Algorithms SHA1
      PFS Key Group 5
      Lifetime 3600

      Sep 28 10:09:58 charon 12[KNL] creating acquire job for policy xxx.xxx.xxx.xxx /32|/0 === xxx.xxx.xxx.xxx /32|/0 with reqid {20}
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_VENDOR task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_INIT task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_NATD task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CERT_PRE task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_AUTH task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CERT_POST task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CONFIG task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_AUTH_LIFETIME task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing CHILD_CREATE task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating new tasks
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_VENDOR task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_INIT task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_NATD task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CERT_PRE task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_AUTH task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CERT_POST task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CONFIG task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating CHILD_CREATE task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_AUTH_LIFETIME task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>initiating IKE_SA con5[316] to xxx.xxx.xxx.xxx
      Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] state change: CREATED => CONNECTING
      Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
      Sep 28 10:09:58 charon 12[ENC] <con5|316>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      Sep 28 10:09:58 charon 12[NET] <con5|316>sending packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (400 bytes)
      Sep 28 10:09:58 charon 12[ENC] <con1000|315>parsed INFORMATIONAL_V1 request 1492175773 [ HASH N(DPD_ACK) ]
      Sep 28 10:09:58 charon 12[IKE] <con1000|315>activating new tasks
      Sep 28 10:09:58 charon 12[IKE] <con1000|315>nothing to initiate
      Sep 28 10:09:58 charon 12[NET] <con5|316>received packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (437 bytes)
      Sep 28 10:09:58 charon 12[ENC] <con5|316>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
      Sep 28 10:09:58 charon 12[IKE] <con5|316>received SIGNATURE_HASH_ALGORITHMS notify
      Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting proposal:
      Sep 28 10:09:58 charon 12[CFG] <con5|316>proposal matches
      Sep 28 10:09:58 charon 12[CFG] <con5|316>received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
      Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
      Sep 28 10:09:58 charon 12[CFG] <con5|316>selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
      Sep 28 10:09:58 charon 12[IKE] <con5|316>local host is behind NAT, sending keep alives
      Sep 28 10:09:58 charon 12[IKE] <con5|316>received cert request for unknown ca with keyid 93:01:4e:11:d0:ef:13:28:39:da:2f:b0:2c:d6:00:10:4a:af:8c:c0
      Sep 28 10:09:58 charon 12[IKE] <con5|316>received cert request for unknown ca with keyid f2:f1:10:b0:5d:22:e6:b8:15:05:3e:1a:0b:69:35:f8:2e:0e:b9:28
      Sep 28 10:09:58 charon 12[IKE] <con5|316>received 2 cert requests for an unknown ca
      Sep 28 10:09:58 charon 12[IKE] <con5|316>reinitiating already active tasks
      Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_CERT_PRE task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_AUTH task
      Sep 28 10:09:58 charon 12[IKE] <con5|316>authentication of 'xxx.xxx.xxx.xxx ' (myself) with pre-shared key
      Sep 28 10:09:58 charon 12[IKE] <con5|316>successfully created shared key MAC
      Sep 28 10:09:58 charon 12[IKE] <con5|316>establishing CHILD_SA con5{20}
      Sep 28 10:09:58 charon 12[CFG] <con5|316>proposing traffic selectors for us:
      Sep 28 10:09:58 charon 12[CFG] <con5|316>10.217.80.0/24|/0
      Sep 28 10:09:58 charon 12[CFG] <con5|316>proposing traffic selectors for other:
      Sep 28 10:09:58 charon 12[CFG] <con5|316>192.168.0.0/24|/0
      Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Sep 28 10:09:58 charon 12[ENC] <con5|316>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
      Sep 28 10:09:58 charon 12[NET] <con5|316>sending packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (256 bytes)
      Sep 28 10:09:58 charon 12[NET] <con5|316>received packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (224 bytes)
      Sep 28 10:09:58 charon 12[ENC] <con5|316>parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
      Sep 28 10:09:58 charon 12[IKE] <con5|316>authentication of 'xxx.xxx.xxx.xxx ' with pre-shared key successful
      Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] established between xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]…xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]
      Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] state change: CONNECTING => ESTABLISHED
      Sep 28 10:09:58 charon 12[IKE] <con5|316>scheduling reauthentication in 85445s
      Sep 28 10:09:58 charon 12[IKE] <con5|316>maximum IKE_SA lifetime 85985s
      Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting proposal:
      Sep 28 10:09:58 charon 12[CFG] <con5|316>proposal matches
      Sep 28 10:09:58 charon 12[CFG] <con5|316>received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Sep 28 10:09:58 charon 12[CFG] <con5|316>selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
      Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting traffic selectors for us:
      Sep 28 10:09:58 charon 12[CFG] <con5|316>config: 10.217.80.0/24|/0, received: 10.217.80.0/24|/0 => match: 10.217.80.0/24|/0
      Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting traffic selectors for other:
      Sep 28 10:09:58 charon 12[CFG] <con5|316>config: 192.168.0.0/24|/0, received: 192.168.0.0/24|/0 => match: 192.168.0.0/24|/0
      Sep 28 10:09:58 charon 12[CHD] <con5|316>using AES_CBC for encryption
      Sep 28 10:09:58 charon 12[CHD] <con5|316>using HMAC_SHA1_96 for integrity
      Sep 28 10:09:58 charon 12[CHD] <con5|316>adding inbound ESP SA
      Sep 28 10:09:58 charon 12[CHD] <con5|316>SPI 0xc86491ee, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
      Sep 28 10:09:58 charon 12[CHD] <con5|316>adding outbound ESP SA
      Sep 28 10:09:58 charon 12[CHD] <con5|316>SPI 0xc3c4c5d9, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
      Sep 28 10:09:58 charon 12[IKE] <con5|316>CHILD_SA con5{3337} established with SPIs c86491ee_i c3c4c5d9_o and TS 10.217.80.0/24|/0 === 192.168.0.0/24|/0
      Sep 28 10:09:58 charon 12[IKE] <con5|316>received AUTH_LIFETIME of 311039045s, reauthentication already scheduled in 85445s
      Sep 28 10:09:58 charon 12[IKE] <con5|316>activating new tasks
      Sep 28 10:09:58 charon 12[IKE] <con5|316>nothing to initiate

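As an added example (not part of the post, and not Netgate or pfSense code), the following Python script pulls the lifetime figures out of charon lines like the ones quoted above and flags the oddity the poster highlighted: the peer announced an AUTH_LIFETIME of 311039045 s, which is just under 3600 days, while the local IKE_SA is capped at 85985 s, so the two ends disagree by a factor of several thousand about when the IKE_SA should be reauthenticated. The sample lines are constructed from the post's log, and LOCAL_CONFIG holds the Phase 1, Phase 2 and DPD values listed in the post, assumed to be the ones in effect. It also reports the worst-case DPD detection window (delay times max failures) and the CHILD_SA SPIs and traffic selectors, which is what you would compare against the Endian side when the tunnel next goes quiet with both phases still "up".

```python
import re
from datetime import timedelta

# Constructed sample, modelled on the charon lines quoted in the post
# (peer addresses redacted the same way the poster redacted them).
SAMPLE_LOG = """\
Sep 28 10:09:58 charon 12[IKE] <con5|316> IKE_SA con5[316] state change: CONNECTING => ESTABLISHED
Sep 28 10:09:58 charon 12[IKE] <con5|316> scheduling reauthentication in 85445s
Sep 28 10:09:58 charon 12[IKE] <con5|316> maximum IKE_SA lifetime 85985s
Sep 28 10:09:58 charon 12[IKE] <con5|316> CHILD_SA con5{3337} established with SPIs c86491ee_i c3c4c5d9_o and TS 10.217.80.0/24|/0 === 192.168.0.0/24|/0
Sep 28 10:09:58 charon 12[IKE] <con5|316> received AUTH_LIFETIME of 311039045s, reauthentication already scheduled in 85445s
"""

# Local pfSense settings as listed in the post; assumed to be the values in effect.
LOCAL_CONFIG = {
    "p1_lifetime": 86400,     # Phase 1 lifetime in seconds
    "p2_lifetime": 3600,      # Phase 2 lifetime in seconds
    "dpd_delay": 20,          # seconds between DPD probes
    "dpd_max_failures": 10,   # unanswered probes before the peer is declared dead
}

# Lifetime figures charon prints when an IKEv2 SA comes up.
LIFETIME_PATTERNS = {
    "reauth_scheduled": re.compile(r"scheduling reauthentication in (\d+)s"),
    "max_ike_lifetime": re.compile(r"maximum IKE_SA lifetime (\d+)s"),
    "peer_auth_lifetime": re.compile(r"received AUTH_LIFETIME of (\d+)s"),
}
CHILD_SA = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs (?P<spi_in>[0-9a-f]+)_i "
    r"(?P<spi_out>[0-9a-f]+)_o and TS (?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)


def humanize(seconds):
    """Render a second count the way an operator reads it, e.g. '3599 days, 23:44:05'."""
    return str(timedelta(seconds=seconds))


def parse_charon(log_text):
    """Extract lifetime figures and established CHILD_SAs from charon log lines."""
    facts = {"child_sas": []}
    for line in log_text.splitlines():
        for key, pattern in LIFETIME_PATTERNS.items():
            m = pattern.search(line)
            if m:
                facts[key] = int(m.group(1))
        m = CHILD_SA.search(line)
        if m:
            facts["child_sas"].append(m.groupdict())
    return facts


def check_lifetimes(facts, local_cfg):
    """Return (level, message) findings comparing peer-announced and local lifetimes."""
    findings = []
    peer = facts.get("peer_auth_lifetime")
    local_max = facts.get("max_ike_lifetime")
    reauth = facts.get("reauth_scheduled")

    # Both ends should agree (within jitter) on when the IKE_SA is reauthenticated.
    if peer is not None and local_max is not None:
        if peer > 2 * local_max or peer < local_max / 2:
            findings.append(("WARN",
                "IKE lifetime mismatch: peer announced AUTH_LIFETIME %ds (%s) but the local "
                "IKE_SA is capped at %ds (%s); the local side will reauthenticate first"
                % (peer, humanize(peer), local_max, humanize(local_max))))
        else:
            findings.append(("OK", "peer and local IKE lifetimes agree"))

    # Sanity check: the scheduled reauth must fall inside the configured Phase 1 lifetime.
    if reauth is not None and reauth > local_cfg["p1_lifetime"]:
        findings.append(("WARN", "reauthentication scheduled beyond the configured Phase 1 lifetime"))

    # Worst-case time before DPD notices a dead peer.
    dpd_window = local_cfg["dpd_delay"] * local_cfg["dpd_max_failures"]
    findings.append(("INFO", "DPD declares the peer dead only after %ds (%ds x %d probes)"
                     % (dpd_window, local_cfg["dpd_delay"], local_cfg["dpd_max_failures"])))

    for sa in facts["child_sas"]:
        findings.append(("INFO", "CHILD_SA %s up: SPI in %s, out %s, %s <-> %s"
                         % (sa["name"], sa["spi_in"], sa["spi_out"], sa["ts_local"], sa["ts_remote"])))
    return findings


if __name__ == "__main__":
    for level, message in check_lifetimes(parse_charon(SAMPLE_LOG), LOCAL_CONFIG):
        print("[%s] %s" % (level, message))
```

Run it against a copy of the IPsec log (Status > System Logs > IPsec on pfSense) instead of SAMPLE_LOG to get the same report for a live tunnel. When the WARN line fires, the first thing to compare is the Phase 1 lifetime configured on the Endian side against the 86400 s configured here: with IKEv2, the side whose lifetime expires first tears down and rebuilds the IKE_SA, and if the other side still believes the old SA is valid for years, traffic can stop while both phases still report "up" on each box.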
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.