IPSEC - Pfsense to Endian



    Hi all,

    Need some advice. There is something really weird happening with this IPsec connection between my pfSense and our client's Endian firewall.

    Besides this one I have another 3 IPsec connections, two for Azure and one for another pfSense, which work great and have never had problems.

    The behavior is as follows: randomly the traffic between sites drops, and neither we nor our client have traffic; note that both Phase 1 and Phase 2 are still up.

    I bolded an AUTH_LIFETIME which is weird: I'm receiving a LIFETIME of 311039045s for Phase 1? Could this be what causes the traffic

    Please Advise,
    Thank You

    This is our configuration:

    Phase 1 Negotiation
    IKE v2
    Auth Mutual PSK
    Negotiation Main
    My Identifier IP Address
    Peer Identifier IP Address

    Phase 1 Algorithms
    Encryption Algorithm AES - 128 bits
    Hash Algorithm SHA256
    DH Group 5
    Lifetime 86400

    Dead Peer Detection
    Delay 20
    Max Failures 10

    Phase2 Proposals (SA/KEY)
    Protocol ESP
    Encryption Algorithms AES - 128bits
    Hash Algorithms SHA1
    PFS Key Group 5
    Lifetime 3600

    Sep 28 10:09:58 charon 12[KNL] creating acquire job for policy xxx.xxx.xxx.xxx /32|/0 === xxx.xxx.xxx.xxx /32|/0 with reqid {20}
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_VENDOR task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_INIT task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_NATD task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_CERT_PRE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_AUTH task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_CERT_POST task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_CONFIG task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing IKE_AUTH_LIFETIME task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> queueing CHILD_CREATE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating new tasks
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_VENDOR task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_INIT task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_NATD task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_CERT_PRE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_AUTH task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_CERT_POST task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_CONFIG task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating CHILD_CREATE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating IKE_AUTH_LIFETIME task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> initiating IKE_SA con5[316] to xxx.xxx.xxx.xxx
    Sep 28 10:09:58 charon 12[IKE] <con5|316> IKE_SA con5[316] state change: CREATED => CONNECTING
    Sep 28 10:09:58 charon 12[CFG] <con5|316> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[ENC] <con5|316> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
    Sep 28 10:09:58 charon 12[NET] <con5|316> sending packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (400 bytes)
    Sep 28 10:09:58 charon 12[ENC] <con1000|315> parsed INFORMATIONAL_V1 request 1492175773 [ HASH N(DPD_ACK) ]
    Sep 28 10:09:58 charon 12[IKE] <con1000|315> activating new tasks
    Sep 28 10:09:58 charon 12[IKE] <con1000|315> nothing to initiate
    Sep 28 10:09:58 charon 12[NET] <con5|316> received packet: from xxx.xxx.xxx.xxx [500] to xxx.xxx.xxx.xxx [500] (437 bytes)
    Sep 28 10:09:58 charon 12[ENC] <con5|316> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
    Sep 28 10:09:58 charon 12[IKE] <con5|316> received SIGNATURE_HASH_ALGORITHMS notify
    Sep 28 10:09:58 charon 12[CFG] <con5|316> selecting proposal:
    Sep 28 10:09:58 charon 12[CFG] <con5|316> proposal matches
    Sep 28 10:09:58 charon 12[CFG] <con5|316> received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[CFG] <con5|316> configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[CFG] <con5|316> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
    Sep 28 10:09:58 charon 12[IKE] <con5|316> local host is behind NAT, sending keep alives
    Sep 28 10:09:58 charon 12[IKE] <con5|316> received cert request for unknown ca with keyid 93:01:4e:11:d0:ef:13:28:39:da:2f:b0:2c:d6:00:10:4a:af:8c:c0
    Sep 28 10:09:58 charon 12[IKE] <con5|316> received cert request for unknown ca with keyid f2:f1:10:b0:5d:22:e6:b8:15:05:3e:1a:0b:69:35:f8:2e:0e:b9:28
    Sep 28 10:09:58 charon 12[IKE] <con5|316> received 2 cert requests for an unknown ca
    Sep 28 10:09:58 charon 12[IKE] <con5|316> reinitiating already active tasks
    Sep 28 10:09:58 charon 12[IKE] <con5|316> IKE_CERT_PRE task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> IKE_AUTH task
    Sep 28 10:09:58 charon 12[IKE] <con5|316> authentication of 'xxx.xxx.xxx.xxx ' (myself) with pre-shared key
    Sep 28 10:09:58 charon 12[IKE] <con5|316> successfully created shared key MAC
    Sep 28 10:09:58 charon 12[IKE] <con5|316> establishing CHILD_SA con5{20}
    Sep 28 10:09:58 charon 12[CFG] <con5|316> proposing traffic selectors for us:
    Sep 28 10:09:58 charon 12[CFG] <con5|316> 10.217.80.0/24|/0
    Sep 28 10:09:58 charon 12[CFG] <con5|316> proposing traffic selectors for other:
    Sep 28 10:09:58 charon 12[CFG] <con5|316> 192.168.0.0/24|/0
    Sep 28 10:09:58 charon 12[CFG] <con5|316> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[ENC] <con5|316> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
    Sep 28 10:09:58 charon 12[NET] <con5|316> sending packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (256 bytes)
    Sep 28 10:09:58 charon 12[NET] <con5|316> received packet: from xxx.xxx.xxx.xxx [4500] to xxx.xxx.xxx.xxx [4500] (224 bytes)
    Sep 28 10:09:58 charon 12[ENC] <con5|316> parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
    Sep 28 10:09:58 charon 12[IKE] <con5|316> authentication of 'xxx.xxx.xxx.xxx ' with pre-shared key successful
    Sep 28 10:09:58 charon 12[IKE] <con5|316> IKE_SA con5[316] established between xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]...xxx.xxx.xxx.xxx [xxx.xxx.xxx.xxx ]
    Sep 28 10:09:58 charon 12[IKE] <con5|316> IKE_SA con5[316] state change: CONNECTING => ESTABLISHED
    Sep 28 10:09:58 charon 12[IKE] <con5|316> scheduling reauthentication in 85445s
    Sep 28 10:09:58 charon 12[IKE] <con5|316> maximum IKE_SA lifetime 85985s
    Sep 28 10:09:58 charon 12[CFG] <con5|316> selecting proposal:
    Sep 28 10:09:58 charon 12[CFG] <con5|316> proposal matches
    Sep 28 10:09:58 charon 12[CFG] <con5|316> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[CFG] <con5|316> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[CFG] <con5|316> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    Sep 28 10:09:58 charon 12[CFG] <con5|316> selecting traffic selectors for us:
    Sep 28 10:09:58 charon 12[CFG] <con5|316> config: 10.217.80.0/24|/0, received: 10.217.80.0/24|/0 => match: 10.217.80.0/24|/0
    Sep 28 10:09:58 charon 12[CFG] <con5|316> selecting traffic selectors for other:
    Sep 28 10:09:58 charon 12[CFG] <con5|316> config: 192.168.0.0/24|/0, received: 192.168.0.0/24|/0 => match: 192.168.0.0/24|/0
    Sep 28 10:09:58 charon 12[CHD] <con5|316> using AES_CBC for encryption
    Sep 28 10:09:58 charon 12[CHD] <con5|316> using HMAC_SHA1_96 for integrity
    Sep 28 10:09:58 charon 12[CHD] <con5|316> adding inbound ESP SA
    Sep 28 10:09:58 charon 12[CHD] <con5|316> SPI 0xc86491ee, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
    Sep 28 10:09:58 charon 12[CHD] <con5|316> adding outbound ESP SA
    Sep 28 10:09:58 charon 12[CHD] <con5|316> SPI 0xc3c4c5d9, src xxx.xxx.xxx.xxx  dst xxx.xxx.xxx.xxx
    Sep 28 10:09:58 charon 12[IKE] <con5|316> CHILD_SA con5{3337} established with SPIs c86491ee_i c3c4c5d9_o and TS 10.217.80.0/24|/0 === 192.168.0.0/24|/0
    Sep 28 10:09:58 charon 12[IKE] <con5|316> received AUTH_LIFETIME of 311039045s, reauthentication already scheduled in 85445s
    Sep 28 10:09:58 charon 12[IKE] <con5|316> activating new tasks
    Sep 28 10:09:58 charon 12[IKE] <con5|316> nothing to initiate
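The charon excerpt in the post can be checked mechanically: pull out what was actually negotiated (IKE and ESP proposals, SPIs, traffic selectors) and compare the peer's AUTH_LIFETIME notify with the local reauthentication schedule. The Python below is an added example, not code from the post, from pfSense or from strongSwan. Its sample input is a constructed subset of the lines above (same masked addresses and values), and the line regexes and the "legacy algorithm" sets are the example's own assumptions. Two things it makes visible: 311039045s is roughly 3600 days, and charon's own message says the local reauthentication at 85445s is kept because it is earlier, so the peer's notify does not decide when this IKE_SA is replaced; and the negotiated MODP_1536 (DH group 5) and HMAC_SHA1_96 are legacy choices that would be worth moving off regardless of the traffic drop.

```python
import re
import sys

# Constructed sample: a subset of the charon lines from the post, with the same
# masked addresses and values. It is not a new capture.
SAMPLE_LOG = """\
Sep 28 10:09:58 charon 12[IKE] <con5|316> initiating IKE_SA con5[316] to xxx.xxx.xxx.xxx
Sep 28 10:09:58 charon 12[CFG] <con5|316> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
Sep 28 10:09:58 charon 12[IKE] <con5|316> local host is behind NAT, sending keep alives
Sep 28 10:09:58 charon 12[IKE] <con5|316> received 2 cert requests for an unknown ca
Sep 28 10:09:58 charon 12[IKE] <con5|316> authentication of 'xxx.xxx.xxx.xxx ' with pre-shared key successful
Sep 28 10:09:58 charon 12[IKE] <con5|316> IKE_SA con5[316] state change: CONNECTING => ESTABLISHED
Sep 28 10:09:58 charon 12[IKE] <con5|316> scheduling reauthentication in 85445s
Sep 28 10:09:58 charon 12[IKE] <con5|316> maximum IKE_SA lifetime 85985s
Sep 28 10:09:58 charon 12[CFG] <con5|316> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Sep 28 10:09:58 charon 12[IKE] <con5|316> CHILD_SA con5{3337} established with SPIs c86491ee_i c3c4c5d9_o and TS 10.217.80.0/24|/0 === 192.168.0.0/24|/0
Sep 28 10:09:58 charon 12[IKE] <con5|316> received AUTH_LIFETIME of 311039045s, reauthentication already scheduled in 85445s
"""

# One charon line: timestamp, "charon", thread[GROUP], optional <conn|ike_sa_id>, message.
# The copy in the post lost the space after ">", so the space is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) charon "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?P<conn>[^|>]+)\|(?P<ike_id>\d+)>\s*)?(?P<msg>.*)$"
)

# Message shapes, assumed from the lines in the post.
P_PROPOSAL = re.compile(r"selected proposal: (?P<proto>IKE|ESP):(?P<algs>\S+)")
P_REAUTH = re.compile(r"scheduling reauthentication in (?P<secs>\d+)s")
P_IKE_MAX = re.compile(r"maximum IKE_SA lifetime (?P<secs>\d+)s")
P_AUTH_LFT = re.compile(r"received AUTH_LIFETIME of (?P<secs>\d+)s")
P_STATE = re.compile(r"state change: (?P<old>\w+) => (?P<new>\w+)")
P_CHILD = re.compile(
    r"CHILD_SA (?P<name>[^\s{]+)\{(?P<reqid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<ts_local>\S+) === (?P<ts_remote>\S+)"
)

# Legacy choices this example flags (its own lists, not strongSwan policy).
WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1536"}  # DH groups 1, 2 and 5
WEAK_INTEG = {"HMAC_MD5_96", "HMAC_SHA1_96"}


def parse_line(line):
    """Split one charon line into its fields, or return None for a non-charon line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze_charon_log(text):
    """Walk the log once and collect what was negotiated for the IKE_SA and CHILD_SA."""
    s = {"proposals": {}, "states": [], "reauth_local": None, "ike_max": None,
         "peer_auth_lifetime": None, "child_sa": None, "behind_nat": False,
         "psk_auth_ok": False}
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if m := P_PROPOSAL.search(msg):
            s["proposals"][m["proto"]] = m["algs"]
        elif m := P_REAUTH.search(msg):
            s["reauth_local"] = int(m["secs"])
        elif m := P_IKE_MAX.search(msg):
            s["ike_max"] = int(m["secs"])
        elif m := P_AUTH_LFT.search(msg):
            s["peer_auth_lifetime"] = int(m["secs"])
        elif m := P_CHILD.search(msg):
            s["child_sa"] = m.groupdict()
        elif m := P_STATE.search(msg):
            s["states"].append((m["old"], m["new"]))
        elif "local host is behind NAT" in msg:
            s["behind_nat"] = True
        elif "with pre-shared key successful" in msg:
            s["psk_auth_ok"] = True
    return s


def assess(s):
    """Turn the summary into findings a practitioner would check next."""
    out = []
    peer, local = s["peer_auth_lifetime"], s["reauth_local"]
    if peer is not None and local is not None:
        if peer > local:
            out.append(f"AUTH_LIFETIME: peer announced {peer}s (about {peer / 86400:.0f} days), "
                       f"later than the local reauthentication in {local}s; charon keeps the earlier "
                       f"local schedule, so the peer's value does not decide when this IKE_SA is replaced")
        else:
            out.append(f"AUTH_LIFETIME: peer announced {peer}s, earlier than local {local}s; "
                       f"charon reschedules reauthentication to the peer's value")
    for proto, algs in s["proposals"].items():
        for alg in algs.split("/"):
            if alg in WEAK_DH:
                out.append(f"{proto}: {alg} is a legacy DH group; prefer MODP_2048 or stronger, or an ECP group")
            if alg in WEAK_INTEG:
                out.append(f"{proto}: {alg} is a legacy integrity algorithm; prefer HMAC_SHA2_256_128 "
                           f"or an AEAD such as AES_GCM_16")
    if s["behind_nat"]:
        out.append("NAT-T: local side is behind NAT, so ESP is carried in UDP/4500 and depends on keepalives; "
                   "if traffic stops while both SAs stay up, check the NAT device's UDP mapping timeout")
    if s["child_sa"] is None:
        out.append("no CHILD_SA was established in this excerpt")
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = analyze_charon_log(text)
    print("IKE proposal:", summary["proposals"].get("IKE"))
    print("ESP proposal:", summary["proposals"].get("ESP"))
    print("CHILD_SA    :", summary["child_sa"])
    for finding in assess(summary):
        print("-", finding)
```

Run it with no arguments to analyze the embedded sample, or pass a file of raw charon lines (for example the IPsec log copied from the pfSense GUI) as the first argument. The "legacy algorithm" findings are advisory; the AUTH_LIFETIME finding only restates what charon already decided, which is the part worth keeping in mind before blaming that notify for the traffic drops.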

