IPSEC - Pfsense to Endian

plouro

Hi all,

Need some advise there is something really weird happening with this IPSec connection between my pfsense and our client endian firewall.

I have beside this another 3 IPSEC connections, two for Azure and one for another pfsense wich works great and never had problems.

The behavior is has follow: Randomly the traffic between sites drops, and neither we or our client have traffic, note that both Phase1 and Phase2 still up.

I bold out a AUTH_LIFETIME wich is weird, im receiving a LIFETIME of 311039045s for Phase1? could this be what causes the traffic

Please Advise,
Thank You

This is our configuration:

Phase 1 Negotiation
IKE v2
Auth Mutual PSK
Negotiation Main
My Identifier IP Address
Peer Idenifier IP Address

Phase 1 Algorithms
Encryption Algorithm AES - 128 bits
Hash Algorithm SHA256
DH Group 5
Lifetime 86400

Dead Pear Detection
Delay 20
Max Failures 10

Phase2 Proposals (SA/KEY)
Protocol ESP
Encryption Algorithms AES - 128bits
Hash Algorithms SHA1
PFS Key Group 5
Lifetime 3600

Sep 28 10:09:58 charon 12[KNL] creating acquire job for policy xxx.xxx.xxx.xxx /32|/0 === xxx.xxx.xxx.xxx /32|/0 with reqid {20}
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_VENDOR task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_INIT task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_NATD task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CERT_PRE task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_AUTH task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CERT_POST task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_CONFIG task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing IKE_AUTH_LIFETIME task
Sep 28 10:09:58 charon 12[IKE] <con5|316>queueing CHILD_CREATE task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating new tasks
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_VENDOR task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_INIT task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_NATD task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CERT_PRE task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_AUTH task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CERT_POST task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_CONFIG task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating CHILD_CREATE task
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating IKE_AUTH_LIFETIME task
Sep 28 10:09:58 charon 12[IKE] <con5|316>initiating IKE_SA con5[316] to xxx.xxx.xxx.xxx
Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] state change: CREATED => CONNECTING
Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Sep 28 10:09:58 charon 12[ENC] <con5|316>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Sep 28 10:09:58 charon 12[NET] <con5|316>sending packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (400 bytes)
Sep 28 10:09:58 charon 12[ENC] <con1000|315>parsed INFORMATIONAL_V1 request 1492175773 [ HASH N(DPD_ACK) ]
Sep 28 10:09:58 charon 12[IKE] <con1000|315>activating new tasks
Sep 28 10:09:58 charon 12[IKE] <con1000|315>nothing to initiate
Sep 28 10:09:58 charon 12[NET] <con5|316>received packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (437 bytes)
Sep 28 10:09:58 charon 12[ENC] <con5|316>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Sep 28 10:09:58 charon 12[IKE] <con5|316>received SIGNATURE_HASH_ALGORITHMS notify
Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting proposal:
Sep 28 10:09:58 charon 12[CFG] <con5|316>proposal matches
Sep 28 10:09:58 charon 12[CFG] <con5|316>received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Sep 28 10:09:58 charon 12[CFG] <con5|316>selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Sep 28 10:09:58 charon 12[IKE] <con5|316>local host is behind NAT, sending keep alives
Sep 28 10:09:58 charon 12[IKE] <con5|316>received cert request for unknown ca with keyid 93:01:4e:11:d0:ef:13:28:39:da:2f:b0:2c:d6:00:10:4a:af:8c:c0
Sep 28 10:09:58 charon 12[IKE] <con5|316>received cert request for unknown ca with keyid f2:f1:10:b0:5d:22:e6:b8:15:05:3e:1a:0b:69:35:f8:2e:0e:b9:28
Sep 28 10:09:58 charon 12[IKE] <con5|316>received 2 cert requests for an unknown ca
Sep 28 10:09:58 charon 12[IKE] <con5|316>reinitiating already active tasks
Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_CERT_PRE task
Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_AUTH task
Sep 28 10:09:58 charon 12[IKE] <con5|316>authentication of 'xxx.xxx.xxx.xxx ' (myself) with pre-shared key
Sep 28 10:09:58 charon 12[IKE] <con5|316>successfully created shared key MAC
Sep 28 10:09:58 charon 12[IKE] <con5|316>establishing CHILD_SA con5{20}
Sep 28 10:09:58 charon 12[CFG] <con5|316>proposing traffic selectors for us:
Sep 28 10:09:58 charon 12[CFG] <con5|316>10.217.80.0/24|/0
Sep 28 10:09:58 charon 12[CFG] <con5|316>proposing traffic selectors for other:
Sep 28 10:09:58 charon 12[CFG] <con5|316>192.168.0.0/24|/0
Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 28 10:09:58 charon 12[ENC] <con5|316>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Sep 28 10:09:58 charon 12[NET] <con5|316>sending packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (256 bytes)
Sep 28 10:09:58 charon 12[NET] <con5|316>received packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (224 bytes)
Sep 28 10:09:58 charon 12[ENC] <con5|316>parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Sep 28 10:09:58 charon 12[IKE] <con5|316>authentication of 'xxx.xxx.xxx.xxx ' with pre-shared key successful
Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] established between xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]…xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]
Sep 28 10:09:58 charon 12[IKE] <con5|316>IKE_SA con5[316] state change: CONNECTING => ESTABLISHED
Sep 28 10:09:58 charon 12[IKE] <con5|316>scheduling reauthentication in 85445s
Sep 28 10:09:58 charon 12[IKE] <con5|316>maximum IKE_SA lifetime 85985s
Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting proposal:
Sep 28 10:09:58 charon 12[CFG] <con5|316>proposal matches
Sep 28 10:09:58 charon 12[CFG] <con5|316>received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 28 10:09:58 charon 12[CFG] <con5|316>configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 28 10:09:58 charon 12[CFG] <con5|316>selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting traffic selectors for us:
Sep 28 10:09:58 charon 12[CFG] <con5|316>config: 10.217.80.0/24|/0, received: 10.217.80.0/24|/0 => match: 10.217.80.0/24|/0
Sep 28 10:09:58 charon 12[CFG] <con5|316>selecting traffic selectors for other:
Sep 28 10:09:58 charon 12[CFG] <con5|316>config: 192.168.0.0/24|/0, received: 192.168.0.0/24|/0 => match: 192.168.0.0/24|/0
Sep 28 10:09:58 charon 12[CHD] <con5|316>using AES_CBC for encryption
Sep 28 10:09:58 charon 12[CHD] <con5|316>using HMAC_SHA1_96 for integrity
Sep 28 10:09:58 charon 12[CHD] <con5|316>adding inbound ESP SA
Sep 28 10:09:58 charon 12[CHD] <con5|316>SPI 0xc86491ee, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
Sep 28 10:09:58 charon 12[CHD] <con5|316>adding outbound ESP SA
Sep 28 10:09:58 charon 12[CHD] <con5|316>SPI 0xc3c4c5d9, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
Sep 28 10:09:58 charon 12[IKE] <con5|316>CHILD_SA con5{3337} established with SPIs c86491ee_i c3c4c5d9_o and TS 10.217.80.0/24|/0 === 192.168.0.0/24|/0
Sep 28 10:09:58 charon 12[IKE] <con5|316>received AUTH_LIFETIME of 311039045s, reauthentication already scheduled in 85445s</con5|316>
Sep 28 10:09:58 charon 12[IKE] <con5|316>activating new tasks
Sep 28 10:09:58 charon 12[IKE] <con5|316>nothing to initiate</con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con1000|315></con1000|315></con1000|315></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316></con5|316>