IPSec site-to-site between PFSense and USG rekey issue



  • Hi,

    I have successfully connected pfSense 2.4.4 to a Unifi Security Gateway PRO (4.4.29.5124212).

    Communication between the networks works until the 3600 seconds defined in Phase 2 elapse... Then I find this error in the IPsec log:

    CHILD_SA ESP /0dxcdbd4bb6/80.211.xxx.xxx not found for rekey.

    The tunnel shows as connected on pfSense, but there is no communication anymore. I have to manually disconnect and connect in the pfSense GUI, then it works again for an hour.

    Does anyone know what may cause these issues please?

    My settings in pfSense Phase 1 are:

    General Information:

    Key Exchange version: IKEv2
    Internet protocol: IPv4
    Interface: WAN
    Remote gateway: 80.188.xxx.xxx

    Phase 1 Proposal (Authentication):

    Authentication Method: Mutual PSK
    My identifier: my IP address
    Peer identifier: Peer IP address

    Phase 1 Proposal (Encryption Algorithm):

    Algorithm: AES
    Key length: 256 bits
    Hash: SHA1
    DH Group: 14 (2048 bit)

    Lifetime: 28800

    Advanced options:

    MOBIKE: Disable
    Dead Peer Detection: checked
    Delay: 10
    Max failures: 5

    Phase 2 is:

    General Information:

    Mode: Tunnel IPv4
    Local Network: Lan Subnet
    NAT/BINAT translation: None
    Remote Network: Network 10.20.11.0/24

    Phase 2 Proposal (SA=Key Exchange):

    Protocol: ESP
    Encryption Algorithms: AES 256 bits
    Hash Algorithms: SHA1
    PFS key group: 14 (2048 bit)
    Lifetime: 3600

    Advanced Configuration:

    Automatically ping host: 10.20.11.1


    Ubiquiti side:

    Remote Subnets: 10.20.1.0/24
    Route Distance: 10
    Peer IP: 80.211.xxx.xxx
    Local WAN IP: 80.188.xxx.xxx
    Pre-shared key: 15 char key
    IPSec Profile: Customized

    Key Exchange Version: IKEv2
    Encryption: AES-256
    Hash: SHA1
    DH Group: 14
    Enable perfect forward secrecy unchecked
    Dynamic routing unchecked


  • Netgate

    In IKEv2 the initial "Phase 2" tunnel is established using material from the initial IKE establishment.

    When you fail to rekey after the 3600 seconds that likely means you have a mismatch in the Phase 2 settings.

    It looks like you have PFS enabled on the pfSense side and disabled on the ubiquiti side:

    | Enable perfect forward secrecy unchecked

    But it doesn't look like you included the "Phase 2" information from the ubiquiti. Not very familiar with those.



  • It looks stable now.

    Thank you for this. About the Unifi phase 2, that's everything I can configure in the GUI.

    Here is what I found in config files over SSH:

    left=80.188.xxx.xxx
    right=80.211.xxx.xxx
    leftsubnet=10.20.11.0/24
    rightsubnet=10.20.1.0/24
    ike=aes256-sha1-modp2048!
    keyexchange=ikev2
    reauth=no
    ikelifetime=28800s
    esp=aes256-sha1!
    keylife=3600s
    rekeymargin=540s
    type=tunnel
    compress=no
    authby=secret
    auto=route
    keyingtries=%forever