4. IPSEC - Pfsense to Endian

IPSEC - Pfsense to Endian

  • P

    Hi all,

    Need some advise there is something really weird happening with this IPSec connection between my pfsense and our client endian firewall.

    I have beside this another 3 IPSEC connections, two for Azure and one for another pfsense wich works great and never had problems.

    The behavior is has follow: Randomly the traffic between sites drops, and neither we or our client have traffic, note that both Phase1 and Phase2 still up.

    I bold out a AUTH_LIFETIME wich is weird, im receiving a LIFETIME of 311039045s for Phase1? could this be what causes the traffic

    Please Advise,
    Thank You

    This is our configuration:

    Phase 1 Negotiation
    IKE v2
    Auth Mutual PSK
    Negotiation Main
    My Identifier IP Address
    Peer Idenifier IP Address

    Phase 1 Algorithms
    Encryption Algorithm AES - 128 bits
    Hash Algorithm SHA256
    DH Group 5
    Lifetime 86400

    Dead Pear Detection
    Delay 20
    Max Failures 10

    Phase2 Proposals (SA/KEY)
    Protocol ESP
    Encryption Algorithms AES - 128bits
    Hash Algorithms SHA1
    PFS Key Group 5
    Lifetime 3600

    Sep 28 10:09:58 charon 12[KNL] creating acquire job for policy xxx.xxx.xxx.xxx /32|/0 === xxx.xxx.xxx.xxx /32|/0 with reqid {20}
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_VENDOR task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_INIT task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_NATD task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CERT_PRE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_AUTH task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CERT_POST task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CONFIG task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_AUTH_LIFETIME task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing CHILD_CREATE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating new tasks
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_VENDOR task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_INIT task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_NATD task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CERT_PRE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_AUTH task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CERT_POST task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CONFIG task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating CHILD_CREATE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_AUTH_LIFETIME task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>initiating IKE_SA con5[316] to xxx.xxx.xxx.xxx
    Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] state change: CREATED => CONNECTING
    Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[ENC] <con5|316>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 28 10:09:58 charon 12[NET] <con5|316>sending packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (400 bytes)
    Sep 28 10:09:58 charon 12[ENC] <con1000|315>parsed INFORMATIONAL_V1 request 1492175773 [ HASH N(DPD_ACK) ]
    Sep 28 10:09:58 charon 12[IKE] <con1000|315>activating new tasks
    Sep 28 10:09:58 charon 12[IKE] <con1000|315>nothing to initiate
    Sep 28 10:09:58 charon 12[NET] <con5|316>received packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (437 bytes)
    Sep 28 10:09:58 charon 12[ENC] <con5|316>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    Sep 28 10:09:58 charon 12[IKE] <con5|316>received SIGNATURE_HASH_ALGORITHMS notify
    Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting proposal:
    Sep 28 10:09:58 charon 12[CFG] <con5|316>proposal matches
    Sep 28 10:09:58 charon 12[CFG] <con5|316>received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[CFG] <con5|316>selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[IKE] <con5|316>local host is behind NAT, sending keep alives
    Sep 28 10:09:58 charon 12[IKE] <con5|316>received cert request for unknown ca with keyid 93:01:4e:11:d0:ef:13:28:39:da:2f:b0:2c:d6:00:10:4a:af:8c:c0
    Sep 28 10:09:58 charon 12[IKE] <con5|316>received cert request for unknown ca with keyid f2:f1:10:b0:5d:22:e6:b8:15:05:3e:1a:0b:69:35:f8:2e:0e:b9:28
    Sep 28 10:09:58 charon 12[IKE] <con5|316>received 2 cert requests for an unknown ca
    Sep 28 10:09:58 charon 12[IKE] <con5|316>reinitiating already active tasks
    Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_CERT_PRE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_AUTH task
    Sep 28 10:09:58 charon 12[IKE] <con5|316>authentication of 'xxx.xxx.xxx.xxx ' (myself) with pre-shared key
    Sep 28 10:09:58 charon 12[IKE] <con5|316>successfully created shared key MAC
    Sep 28 10:09:58 charon 12[IKE] <con5|316>establishing CHILD_SA con5{20}
    Sep 28 10:09:58 charon 12[CFG] <con5|316>proposing traffic selectors for us:
    Sep 28 10:09:58 charon 12[CFG] <con5|316>10.217.80.0/24|/0
    Sep 28 10:09:58 charon 12[CFG] <con5|316>proposing traffic selectors for other:
    Sep 28 10:09:58 charon 12[CFG] <con5|316>192.168.0.0/24|/0
    Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[ENC] <con5|316>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Sep 28 10:09:58 charon 12[NET] <con5|316>sending packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (256 bytes)
    Sep 28 10:09:58 charon 12[NET] <con5|316>received packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (224 bytes)
    Sep 28 10:09:58 charon 12[ENC] <con5|316>parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
    Sep 28 10:09:58 charon 12[IKE] <con5|316>authentication of 'xxx.xxx.xxx.xxx ' with pre-shared key successful
    Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] established between xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]…xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]
    Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] state change: CONNECTING => ESTABLISHED
    Sep 28 10:09:58 charon 12[IKE] <con5|316>scheduling reauthentication in 85445s
    Sep 28 10:09:58 charon 12[IKE] <con5|316>maximum IKE_SA lifetime 85985s
    Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting proposal:
    Sep 28 10:09:58 charon 12[CFG] <con5|316>proposal matches
    Sep 28 10:09:58 charon 12[CFG] <con5|316>received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[CFG] <con5|316>selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting traffic selectors for us:
    Sep 28 10:09:58 charon 12[CFG] <con5|316>config: 10.217.80.0/24|/0, received: 10.217.80.0/24|/0 => match: 10.217.80.0/24|/0
    Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting traffic selectors for other:
    Sep 28 10:09:58 charon 12[CFG] <con5|316>config: 192.168.0.0/24|/0, received: 192.168.0.0/24|/0 => match: 192.168.0.0/24|/0
    Sep 28 10:09:58 charon 12[CHD] <con5|316>using AES_CBC for encryption
    Sep 28 10:09:58 charon 12[CHD] <con5|316>using HMAC_SHA1_96 for integrity
    Sep 28 10:09:58 charon 12[CHD] <con5|316>adding inbound ESP SA
    Sep 28 10:09:58 charon 12[CHD] <con5|316>SPI 0xc86491ee, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
    Sep 28 10:09:58 charon 12[CHD] <con5|316>adding outbound ESP SA
    Sep 28 10:09:58 charon 12[CHD] <con5|316>SPI 0xc3c4c5d9, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
    Sep 28 10:09:58 charon 12[IKE] <con5|316>CHILD_SA con5{3337} established with SPIs c86491ee_i c3c4c5d9_o and TS 10.217.80.0/24|/0 === 192.168.0.0/24|/0
    Sep 28 10:09:58 charon 12[IKE] <con5|316>received AUTH_LIFETIME of 311039045s, reauthentication already scheduled in 85445s</con5|316>
    Sep 28 10:09:58 charon 12[IKE] <con5|316>activating new tasks
    Sep 28 10:09:58 charon 12[IKE] <con5|316>nothing to initiate</con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con1000|315></con1000|315></con1000|315></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316>

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy