Pfsense 2.4.x to USG ipsec issues
-
Trying to tackle this from both sides (I'm using tunnels, not VTI).
I am able to get the initial site-to-site working, but after about an hour I will lose the IPsec connection (the phase 2 drops but phase 1 stays up) until I restart the IPsec service on the pfSense (or on the USG side). Currently running 2.4.4.a.20180902.2216.
If I look up the IPsec status on the pfSense I can see phase 1 established, but after an hour I see phase 2 drop off.
On the USG side:
Running strongSwan 5.2.2:
Sep 4 06:25:13 16[KNL] creating acquire job for policy 10.100.200.1/32[udp/46118] === 172.16.44.31/32[udp/syslog] with reqid {1}
Sep 4 06:25:13 15[IKE] <peer-x.x.x.57-tunnel-0|3> establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
Sep 4 06:27:58 03[KNL] creating delete job for ESP CHILD_SA with SPI cc4d3605 and reqid {1}
From the USG side, rekeying is having issues:
09[KNL] creating rekey job for ESP CHILD_SA with SPI c9e601a9 and reqid {1}
09[IKE] establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
09[NET] sending packet: from x.x.x..179[500] to x.x.x.57[500] (204 bytes)
03[NET] received packet: from x.x.x.57[500] to x.x.x..179[500] (76 bytes)
03[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
03[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
03[IKE] failed to establish CHILD_SA, keeping IKE_SA
pfSense side:
Waiting for the phase 2 to drop off again and will post here.
I am looking for advice on where to go next when it comes to troubleshooting this phase 2 issue between the pfSense box and the USG.
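An added example, not from the thread: a small Python parser over charon log lines in the shape quoted above, grouping one CHILD_SA rekey attempt and reporting how it ended. The sample log is constructed from the quoted lines and the function names are mine; the check for a KE payload in the CREATE_CHILD_SA request shows whether the rekey was proposed with PFS.

```python
import re

# Constructed sample: strongSwan charon lines as quoted in the post (addresses masked as there).
SAMPLE_LOG = """\
09[KNL] creating rekey job for ESP CHILD_SA with SPI c9e601a9 and reqid {1}
09[IKE] establishing CHILD_SA peer-x.x.x.57-tunnel-0{1}
09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) SA No TSi TSr ]
09[NET] sending packet: from x.x.x..179[500] to x.x.x.57[500] (204 bytes)
03[NET] received packet: from x.x.x.57[500] to x.x.x..179[500] (76 bytes)
03[ENC] parsed CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
03[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
03[IKE] failed to establish CHILD_SA, keeping IKE_SA
03[KNL] creating delete job for ESP CHILD_SA with SPI cc4d3605 and reqid {1}
"""

REKEY = re.compile(r"creating rekey job for ESP CHILD_SA with SPI (\w+) and reqid \{(\d+)\}")
REQUEST = re.compile(r"generating CREATE_CHILD_SA request \d+ \[ (.*) \]")
RESPONSE = re.compile(r"parsed CREATE_CHILD_SA response \d+ \[ (.*) \]")
KEEP_IKE = re.compile(r"failed to establish CHILD_SA, keeping IKE_SA")
DELETE = re.compile(r"creating delete job for ESP CHILD_SA with SPI (\w+) and reqid \{(\d+)\}")

def analyse_rekeys(log_text):
    """Group charon lines into CHILD_SA rekey attempts; one dict per attempt."""
    attempts, current = [], None
    for line in log_text.splitlines():
        if m := REKEY.search(line):
            current = {"old_spi": m.group(1), "reqid": m.group(2), "pfs": None,
                       "response": None, "ike_sa_kept": False, "deleted_spis": []}
            attempts.append(current)
            continue
        if current is None:
            continue
        if m := REQUEST.search(line):  # a KE payload in the request means PFS was proposed
            current["pfs"] = "KE" in m.group(1).split()
        if m := RESPONSE.search(line):  # payload list of the responder's reply
            current["response"] = m.group(1).split()
        if KEEP_IKE.search(line):
            current["ike_sa_kept"] = True
        if (m := DELETE.search(line)) and m.group(2) == current["reqid"]:
            current["deleted_spis"].append(m.group(1))
    return attempts

def diagnose(attempt):
    """Point at the layer to check, based on how the rekey attempt ended."""
    if attempt["response"] is None:
        return "no CREATE_CHILD_SA response: check reachability/DPD"
    if "N(NO_PROP)" in attempt["response"] and attempt["ike_sa_kept"]:
        # IKE_SA survived but the Child SA was refused: a phase 2 proposal mismatch.
        return "phase2 proposal mismatch: compare ESP transforms and PFS/DH group on both peers"
    return "rekey completed"
```

For the quoted log, `analyse_rekeys(SAMPLE_LOG)` yields one attempt with `pfs` False and `diagnose` pointing at phase 2.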
-
https://www.synology.com/en-us/knowledgebase/SRM/tutorial/VPN/How_to_set_up_Site_to_Site_VPN_between_Synology_Router_and_UniFi_SG
Based on the article above, the settings below seem to be stable on both sides so far.
Phase 1:
Encryption: AES128
Authentication: SHA1
Key life: 14400
DH Group: 14 (modp 2048)
DPD (Dead Peer Detection): disable
Phase 2:
Encryption: AES128
Authentication: SHA1
Key life: 14400
DH Group: 14 (modp 2048)
The only thing on the USG side is selecting the Enable Perfect Forward Secrecy (PFS) checkbox.
Update:
Been up for 19 hours solid.