    Pfsense 2.4.x to USG ipsec issues

    IPsec
      pfsenseuser1 last edited by pfsenseuser1

      Trying to tackle this from both sides (I'm using tunnels, not VTI)

      I am able to get the initial site-to-site working, but after about an hour I will lose the IPsec connection (the phase 2 drops but phase 1 stays up) until I reboot the IPsec service on the pfSense (or on the USG side). Currently running 2.4.4.a.20180902.2216

      If I look up the IPsec status on the pfSense I can see phase 1 established, but after an hour I see phase 2 drop off.

      On the USG side:

      running strongSwan 5.2.2

      Sep 4 06:25:13 16[KNL] creating acquire job for policy 10.100.200.1/32[udp/46118] === 172.16.44.31/32[udp/syslog] with reqid {1}
      Sep 4 06:25:13 15[IKE] <peer-x.x.x.57-tunnel-0|3> establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
      Sep 4 06:27:58 03[KNL] creating delete job for ESP CHILD_SA with SPI cc4d3605 and reqid {1}

      From the USG side, rekeying is having issues

      09[KNL] creating rekey job for ESP CHILD_SA with SPI c9e601a9 and reqid {1}
      09[IKE] establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
      09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
      09[NET] sending packet: from x.x.x..179[500] to x.x.x.57[500] (204 bytes)
      03[NET] received packet: from x.x.x.57[500] to x.x.x..179[500] (76 bytes)
      03[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
      03[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
      03[IKE] failed to establish CHILD_SA, keeping IKE_SA

      pfSense side:

      Waiting for the phase 2 to drop off again and will post here.

      I am looking for advice on where to go next when it comes to troubleshooting this phase 2 issue between the pfSense box and the USG.

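Added example, not from the thread: a small Python checker that pairs strongSwan CREATE_CHILD_SA request and response lines by message id and flags rekeys answered with NO_PROPOSAL_CHOSEN. A rekey request whose payload list carries no KE payload (as in the USG log above: `N(REKEY_SA) SA No TSi TSr`) means the initiator offered no PFS group, which a peer configured with a phase 2 DH group will reject even though the initial CHILD_SA came up in IKE_AUTH. The `SAMPLE_LOG` lines are constructed from the post's log; the function and variable names are my own.

```python
"""Flag IKEv2 CHILD_SA rekey failures in strongSwan charon log lines."""
import re

REQ_RE = re.compile(r"generating CREATE_CHILD_SA request (\d+) \[ (.*?) \]")
RESP_RE = re.compile(r"parsed CREATE_CHILD_SA response (\d+) \[ (.*?) \]")

# Constructed sample, copied from the log lines quoted in the thread.
SAMPLE_LOG = """\
09[KNL] creating rekey job for ESP CHILD_SA with SPI c9e601a9 and reqid {1}
09[IKE] establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
09[NET] sending packet: from x.x.x..179[500] to x.x.x.57[500] (204 bytes)
03[NET] received packet: from x.x.x.57[500] to x.x.x..179[500] (76 bytes)
03[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
03[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
03[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""


def analyse_rekeys(log_text):
    """Pair each CREATE_CHILD_SA request with its response by message id.

    Returns a list of dicts, one per CHILD_SA exchange that the peer
    answered with NO_PROPOSAL_CHOSEN, with the likely cause attached.
    """
    pending = {}   # message id -> set of payload names in the request
    findings = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            pending[m.group(1)] = set(m.group(2).split())
            continue
        m = RESP_RE.search(line)
        if not m or m.group(1) not in pending:
            continue
        payloads = pending.pop(m.group(1))
        if "N(NO_PROP)" not in m.group(2):
            continue   # proposal accepted, nothing to report
        finding = {"msgid": m.group(1),
                   "rekey": "N(REKEY_SA)" in payloads,
                   "ke_sent": "KE" in payloads}
        # No KE payload in a rekey means this side did not offer PFS;
        # a peer that requires a phase 2 DH group rejects the proposal.
        if finding["rekey"] and not finding["ke_sent"]:
            finding["cause"] = "PFS/DH group mismatch (no KE in rekey)"
        else:
            finding["cause"] = "proposal mismatch (check ESP transforms)"
        findings.append(finding)
    return findings
```

Run it against the charon log of the side that initiates the rekey; a KE payload present alongside NO_PROPOSAL_CHOSEN points at an ESP cipher/integrity mismatch instead.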
        pfsenseuser1 last edited by pfsenseuser1

        https://www.synology.com/en-us/knowledgebase/SRM/tutorial/VPN/How_to_set_up_Site_to_Site_VPN_between_Synology_Router_and_UniFi_SG

        Based on the article above, the settings below seem to be stable on both sides so far

        Phase 1:
        Encryption: AES128
        Authentication: SHA1
        Key life: 14400
        DH Group: 14 (modp 2048)
        DPD (Dead Peer Detection): disable

        Phase 2:
        Encryption: AES128
        Authentication: SHA1
        Key life: 14400
        DH Group: 14 (modp 2048)

        The only thing on the USG side is selecting the Enable Perfect Forward Secrecy (PFS) checkbox.

        Update

        Been up for 19 hours solid
