IPSec site-to-site between PFSense and USG rekey issue
-
Hi,
I have successfuly connected PF Sense 2.4.4 to Unifi Security Gateway PRO (4.4.29.5124212).
Communication between networks works until 3600 seconds defined in Phase 2 elapse... Then I found this error on IPSec log:
CHILD_SA ESP /0dxcdbd4bb6/80.211.xxx.xxx not found for rekey.
Tunnel shows as connected on PFSense, but there is no communication anymore. I have to manually disconnect and connect in PFSense GUI, then it works again for hour.
Does anyone know what may cause these issues please?
My settings in PFSense Phase 1 is:
General Information:
Key Exchange version: IKEv2
Internet protocol: IPv4
Interface: WAN
Remote gateway: 80.188.xxx.xxxPhase 1 Proposal (Authentication):
Authentication Method: Mutual PSK
My identifier: my IP adress
Peer identifier: Peer P adressPhase 1 Proposal (Encryption Algorithm):
Algorithm: AES
Key length: 256 bits
Hash: SHA1
DH Group: 14 (2048 bit)Lifetime: 28800
Advanced options:
MOBIKE: Disable
Dead Peer Detection: checked
Delay: 10
Max failures: 5In Phase 2 is:
General Information:
Mode: Tunnel IPv4
Local Network: Lan Subnet
NAT/BINAT translation: None
Remote Network: Network 10.20.11.0/24Phase 2 Proposal (SA=Key Exchange):
Protocol: ESP
Encryption Algorithms: AES 256 bits
Hash Algorithms: SHA1
PFS key group: 14 (2048 bit)
Lifetime: 3600Advanced Configuration:
Automaticall ping host: 10.20.11.1
Ubiquiti side:
Remote Subnets: 10.20.1.0/24
Route Distance: 10
Peer IP: 80.211.xxx.xxx
Local WAN IP: 80.188.xxx.xxx
Pre-shared key: 15 char key
IPSec Profile: CustomizedKey Exchange Version: IKEv2
Encryption: AES-256
Hash: SHA1
DH Group: 14
Enable perfect forward secrecy unchecked
Dynamic routing unchecked -
In IKEv2 the initial "Phase 2" tunnel is established using material from the initial IKE establishment.
When you fail to rekey after the 3600 seconds that likely means you have a mismatch in the Phase 2 settings.
It looks like you have PFS enabled on the pfSense side and disabled on the ubiquiti side:
| Enable perfect forward secrecy unchecked
But it doesn't look like you included the "Phase 2" information from the ubiquiti. Not very familiar with those.
-
It looks stable now.
Thank you for this. About Unifi phase 2, thats everything what can I config in GUI.
Here is what I found in config files over SSH:
left=80.188.xxx.xxx
right=80.211.xxx.xxx
leftsubnet=10.20.11.0/24
rightsubnet=10.20.1.0/24
ike=aes256-sha1-modp2048!
keyexchange=ikev2
reauth=no
ikelifetime=28800s
esp=aes256-sha1!
keylife=3600s
rekeymargin=540s
type=tunnel
compress=no
authby=secret
auto=route
keyingtries=%forever -
@eragons Hi did you get this working and re-connecting?
I'm experiencing the same issue.
I can see there is a rekey margin - did you add this to pfsense?
-
@timboau-0 Hi, nothing about rekey margin in pf sense. After application of this:
"It looks like you have PFS enabled on the pfSense side and disabled on the ubiquiti side:
| Enable perfect forward secrecy unchecked"It started to work. For sure I have configured script written by John Skinner that pings some devices on Unifi side to ensure vpn is working. If not, it restarts VPN service on pf sense side.
1. In PFSense sudo vi /etc/crontab Insert the following line after the embedded system lines * * * * * root /etc/restart_ipsec.sh OR webGUI >> Diagnostics >> Edit File: /etc/crontab * * * * * root /etc/restart_ipsec.sh (look at look at GUI >> Diagnostics >> Command Prompt: "ps ax | grep mpd") 2. restart cron webGUI >> Diagnostics >> Command Prompt: killall cron ; cron 3. Save this scipt to /etc/restart_ipsec.sh #!/bin/sh # This script was designed to run on pfSense 2.3.x, as a cron job using the "Cron" package, # It will run a command if all three hosts listed fail to reply to pings. # 2017 John at John Skinner dot net # THE PING SECTION # The section below pings three different hosts, once each, # and saves the results for each as separate variables # (number one "1" for sucsessful responce, and zero "0" for failed responce) # In the block below, make sure to edit your local IP address and the host IP addresses for your situation # The local IP address is after the "-S", and the host you want to ping is the second IP address RESULTS1=$(/sbin/ping -c 1 -S 10.20.1.1 10.20.11.116 | /usr/bin/grep icmp | /usr/bin/wc -l) RESULTS2=$(/sbin/ping -c 1 -S 10.20.1.1 10.20.11.21 | /usr/bin/grep icmp | /usr/bin/wc -l) RESULTS3=$(/sbin/ping -c 1 -S 10.20.1.1 10.20.11.117 | /usr/bin/grep icmp | /usr/bin/wc -l) # THE MATH SECTION # This section adds all the results above to a new variable RESULTS4=$(( RESULTS1 + RESULTS2 + $RESULTS3 )) # PING AND MATH TESTING SECTION # Uncomment the line below to test the results of the ping and the math sections #echo $RESULTS4 # (When uncommenting the PING AND MATH TESTING line above, you may want to comment-out all the following lines of this script) # DECIDE TO RUN COMMAND SECTION # Based on the results of the pings and the math, this section decides to either # 1.) send a notification email, write a log, and run the command if all the pings fail, # or # 2.) send a notification email, and write a log, if any of the pings reply. if [ $RESULTS4 -eq 0 ]; then # The line below will write a custom message, with the tag "IPSec", to the local system log /usr/bin/logger -t IPSec "ELTSEN VPN tunnel is down. Restarting IPSec." # The line below will: # 1.) take down a specific IPSec tunnel connection with configuation named "con1000", # 2.) wait 10 seconds, and bring the connection back up (list you connections using the command "ipsec status"), # 3.) email the results of bringing the connection back up, to the email address in SYSTEM -> ADVANCED -> NOTIFICATIONS /usr/local/sbin/ipsec down con1000; sleep 10; /usr/local/sbin/ipsec up con1000 | /usr/local/bin/mail.php -s"Eltsen tunnel is down. Restarting IPSec" else # The lines below will write a custom message to the local system log and send an email notification upon a successful ping reply from any of the hosts. /usr/bin/logger -t IPSec "Eltsen tunnel is up" /bin/echo "Eltsen tunnel is up" | /usr/local/bin/mail.php -s"Eltsen tunnel is up" #fi #```[2017-08-10_ping_test_and-restart_IPSec_tunnel.txt](/public/_imported_attachments_/1/2017-08-10_ping_test_and-restart_IPSec_tunnel.txt)
-
thanks for the update and great looking script! :)
I had disabled PFS on both sides and had the VPN running ok but it appeared to stop passing traffic when the P2 timeout expired after 3600 seconds.
By adding the rekey @ 540 seconds before expiry I 'think' its now stable.
I run approx 25 VPN tunnels from two sites to remote sites and Ive replaced a remote pfsense box with a USG device at one remote site.
From one main site ive had 100% uptime 19 hours to the USG
Strangely the other main has had drops during the same period - 5,56,45 minutes breaks- same IPSEC configuration
(all other IPSECs from that site were ok)
Both main sites pfsense 2.4.3
- same IPSEC configuration