pfSense 2.4.x to USG IPsec issues



  • Trying to tackle this from both sides (I'm using tunnels, not VTI)

    I am able to get the initial site-to-site working, but after about an hour I lose the IPsec connection (phase 2 drops but phase 1 stays up) until I restart the IPsec service on the pfSense (or on the USG side). Currently running 2.4.4.a.20180902.2216.

    If I look at the IPsec status on the pfSense I can see phase 1 established, but after an hour I see phase 2 drop off.

    On the USG side:

    running strongSwan 5.2.2

    Sep 4 06:25:13 16[KNL] creating acquire job for policy 10.100.200.1/32[udp/46118] === 172.16.44.31/32[udp/syslog] with reqid {1}
    Sep 4 06:25:13 15[IKE] <peer-x.x.x.57-tunnel-0|3> establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
    Sep 4 06:27:58 03[KNL] creating delete job for ESP CHILD_SA with SPI cc4d3605 and reqid {1}

    From the USG side, rekeying is having issues:

    09[KNL] creating rekey job for ESP CHILD_SA with SPI c9e601a9 and reqid {1}
    09[IKE] establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
    09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
    09[NET] sending packet: from x.x.x..179[500] to x.x.x.57[500] (204 bytes)
    03[NET] received packet: from x.x.x.57[500] to x.x.x..179[500] (76 bytes)
    03[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
    03[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
    03[IKE] failed to establish CHILD_SA, keeping IKE_SA

    pfSense side:

    Waiting for phase 2 to drop off again and will post here.

    I am looking for advice on where to go next when it comes to troubleshooting this phase 2 issue between the pfSense box and the USG.
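The USG excerpt above has a recognisable shape: a CHILD_SA that was up gets a rekey job, the CREATE_CHILD_SA(REKEY_SA) request is answered with N(NO_PROP), charon keeps the IKE_SA, and a little later the old ESP SA is deleted, so phase 1 stays green while phase 2 is gone. The script below is an added example, not something from the thread or from strongSwan: it scans charon log lines for exactly that sequence per reqid. SAMPLE_LOG is constructed from the lines quoted above (addresses left redacted as x.x.x.N); the "established with SPIs" line is assumed for the initial setup and was not posted.

```python
"""Find CHILD_SAs whose rekey was rejected with NO_PROPOSAL_CHOSEN while the
IKE_SA survived, i.e. phase 2 dropping out from under a healthy phase 1.

Input is strongSwan charon output: "<thread>[<subsystem>] <message>", with or
without a syslog timestamp in front. Added example; SAMPLE_LOG is constructed
from the thread's lines plus one assumed "established with SPIs" line.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = """\
Sep 4 05:25:13 16[KNL] creating acquire job for policy 10.100.200.1/32[udp/46118] === 172.16.44.31/32[udp/syslog] with reqid {1}
Sep 4 05:25:13 15[IKE] <peer-x.x.x.57-tunnel-0|3> establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
Sep 4 05:25:13 15[IKE] <peer-x.x.x.57-tunnel-0|3> CHILD_SA peer-x.x.x.57-tunnel-0{1} established with SPIs c9e601a9_i cc4d3605_o and TS 10.100.200.0/24 === 172.16.44.0/24
Sep 4 06:25:13 09[KNL] creating rekey job for ESP CHILD_SA with SPI c9e601a9 and reqid {1}
Sep 4 06:25:13 09[IKE] establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
Sep 4 06:25:13 09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
Sep 4 06:25:13 09[NET] sending packet: from x.x.x.179[500] to x.x.x.57[500] (204 bytes)
Sep 4 06:25:13 03[NET] received packet: from x.x.x.57[500] to x.x.x.179[500] (76 bytes)
Sep 4 06:25:13 03[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Sep 4 06:25:13 03[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Sep 4 06:25:13 03[IKE] failed to establish CHILD_SA, keeping IKE_SA
Sep 4 06:27:58 03[KNL] creating delete job for ESP CHILD_SA with SPI cc4d3605 and reqid {1}
"""

# Message formats as charon prints them; reqid is the {N} suffix charon uses.
RE_ESTABLISHED = re.compile(
    r"CHILD_SA \S+\{(\d+)\} established with SPIs ([0-9a-f]+)_i ([0-9a-f]+)_o")
RE_REKEY = re.compile(r"creating rekey job for ESP CHILD_SA with SPI ([0-9a-f]+) and reqid \{(\d+)\}")
RE_NO_PROP = re.compile(r"received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built")
RE_KEEP_IKE = re.compile(r"failed to establish CHILD_SA, keeping IKE_SA")
RE_DELETE = re.compile(r"creating delete job for ESP CHILD_SA with SPI ([0-9a-f]+) and reqid \{(\d+)\}")


@dataclass
class Child:
    """What we have seen for one reqid (one phase 2 policy)."""
    reqid: str
    established: bool = False
    rekey_rejected: bool = False
    ike_sa_kept: bool = False
    deleted_spis: list = field(default_factory=list)

    def verdict(self):
        if self.rekey_rejected and self.deleted_spis:
            return ("phase 2 down, phase 1 up: rekey rejected with NO_PROPOSAL_CHOSEN "
                    "and the old ESP SA expired without a replacement")
        if self.rekey_rejected:
            return "rekey rejected with NO_PROPOSAL_CHOSEN (old ESP SA still alive)"
        if self.established:
            return "healthy"
        return "no established CHILD_SA seen"


def analyse(log_text):
    """Return {reqid: Child} for every CHILD_SA mentioned in the log text."""
    children = {}
    pending = None  # reqid whose CREATE_CHILD_SA(REKEY_SA) is in flight
    for line in log_text.splitlines():
        if m := RE_ESTABLISHED.search(line):
            children.setdefault(m.group(1), Child(m.group(1))).established = True
        elif m := RE_REKEY.search(line):
            pending = m.group(2)
            children.setdefault(pending, Child(pending))
        elif RE_NO_PROP.search(line) and pending is not None:
            children[pending].rekey_rejected = True
        elif RE_KEEP_IKE.search(line) and pending is not None:
            children[pending].ike_sa_kept = True
            pending = None
        elif m := RE_DELETE.search(line):
            children.setdefault(m.group(2), Child(m.group(2))).deleted_spis.append(m.group(1))
    return children


if __name__ == "__main__":
    for reqid, child in analyse(SAMPLE_LOG).items():
        print(f"reqid {reqid}: {child.verdict()}")
```

Run it against `/var/log/charon.log` (USG) or the IPsec log in the pfSense GUI. A "healthy" initial CHILD_SA followed by a rejected rekey means the two sides agree on phase 2 at setup but not at rekey; the responder's own log will name which proposal it refused.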



  • https://www.synology.com/en-us/knowledgebase/SRM/tutorial/VPN/How_to_set_up_Site_to_Site_VPN_between_Synology_Router_and_UniFi_SG

    Based on the article above, the settings below seem to be stable on both sides so far:

    Phase 1:
    Encryption: AES128
    Authentication: SHA1
    Key life: 14400
    DH Group: 14 (modp2048)
    DPD (Dead Peer Detection): disable

    Phase 2:
    Encryption: AES128
    Authentication: SHA1
    Key life: 14400
    DH Group: 14 (modp2048)

    The only thing on the USG side is selecting the Enable Perfect Forward Secrecy (PFS) checkbox.

    Update

    Been up for 19 hours solid.
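One reading of the two posts, consistent with the logs in the first and the PFS checkbox in the second: in IKEv2 the first CHILD_SA is negotiated inside IKE_AUTH, which carries no key exchange, so strongSwan strips the DH group from the phase 2 proposal for that exchange. A PFS/DH-group mismatch therefore never shows at setup; it first bites at the rekey, where CREATE_CHILD_SA does include the group, and the responder answers NO_PROPOSAL_CHOSEN. The code below is an added example (not configuration from the thread or strongSwan's code) that models that responder-side selection for the phase 2 settings quoted above. It assumes the USG's PFS option uses modp2048 (DH group 14) to match pfSense; the thread does not state which group the checkbox selects.

```python
"""Model IKEv2 responder-side phase 2 (ESP) proposal selection for the first
CHILD_SA (inside IKE_AUTH, no DH) and for a rekey (CREATE_CHILD_SA, DH if PFS).

Transform names follow strongSwan's esp= syntax ("aes128-sha1-modp2048");
pfSense GUI fields are mapped onto the same names. Added example, not the
thread's configuration. AEAD suites (aes128gcm16 etc.) are not modelled.
"""
from dataclasses import dataclass

# IANA IKEv2 DH group numbers (what the pfSense GUI shows) -> transform names.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 19: "ecp256", 20: "ecp384", 21: "ecp521"}


@dataclass(frozen=True)
class Proposal:
    encr: frozenset   # e.g. {"aes128"}
    integ: frozenset  # e.g. {"sha1"}
    dh: frozenset     # e.g. {"modp2048"}; empty means PFS off


def from_gui(encryption, authentication, dh_group=None):
    """Build a proposal from pfSense/USG style GUI fields ("AES128", "SHA1", 14)."""
    dh = frozenset({DH_GROUPS[dh_group]}) if dh_group else frozenset()
    return Proposal(frozenset({encryption.lower()}), frozenset({authentication.lower()}), dh)


def from_esp_string(s):
    """Parse a strongSwan esp= proposal such as 'aes128-sha1-modp2048'."""
    encr, integ, dh = set(), set(), set()
    for tok in s.split("-"):
        if tok.startswith(("sha", "md5", "aesxcbc")):
            integ.add(tok)
        elif tok.startswith(("aes", "3des", "camellia")):
            encr.add(tok)
        elif tok.startswith(("modp", "ecp", "curve", "x25519")):
            dh.add(tok)
        else:
            raise ValueError(f"unknown transform {tok!r}")
    return Proposal(frozenset(encr), frozenset(integ), frozenset(dh))


def select(initiator, responder, first_child_sa=False):
    """Pick the transforms the responder would accept, or None, which the
    responder reports to the initiator as NO_PROPOSAL_CHOSEN."""
    if first_child_sa:
        # The CHILD_SA piggybacked on IKE_AUTH has no KE payload, so the DH
        # transform is dropped on both sides for this one exchange.
        dh_i, dh_r = frozenset(), frozenset()
    else:
        dh_i, dh_r = initiator.dh, responder.dh
    # A DH transform present on one side only is a mismatch in either direction
    # (PFS on vs PFS off), exactly like an unmatched cipher or integrity algorithm.
    if bool(dh_i) != bool(dh_r):
        return None
    encr = initiator.encr & responder.encr
    integ = initiator.integ & responder.integ
    dh = dh_i & dh_r
    if not encr or not integ or (dh_i and not dh):
        return None
    return (sorted(encr)[0], sorted(integ)[0], sorted(dh)[0] if dh else None)


def negotiate_both_exchanges(initiator, responder):
    """Outcome of the initial CHILD_SA and of the first rekey."""
    return {"first_child_sa": select(initiator, responder, first_child_sa=True),
            "rekey": select(initiator, responder)}


# Phase 2 as posted: AES128 / SHA1 / DH group 14 on pfSense.
PFSENSE_P2 = from_gui("AES128", "SHA1", dh_group=14)
# USG with the PFS checkbox off: same algorithms, no DH group.
USG_NO_PFS = from_gui("AES128", "SHA1")
# USG with PFS on; modp2048 is an assumption, the thread does not name the group.
USG_PFS = from_esp_string("aes128-sha1-modp2048")

if __name__ == "__main__":
    print("USG (PFS off) -> pfSense:", negotiate_both_exchanges(USG_NO_PFS, PFSENSE_P2))
    print("USG (PFS on)  -> pfSense:", negotiate_both_exchanges(USG_PFS, PFSENSE_P2))
```

With PFS off on the USG the initial CHILD_SA selects fine and the rekey returns None, the pattern in the first post; with PFS on and the same group both exchanges succeed. The same check applies the other way round: pfSense with PFS off and the USG with PFS on fails at rekey too, so the group has to match on both ends, not merely be enabled.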