Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1

    Scheduled Pinned Locked Moved IPsec
    33 Posts 6 Posters 3.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kuschi @CommWest
      last edited by

      @commwest Oops, wasn't me intention.... :-O

      1 Reply Last reply Reply Quote 0
      • DerelictD
        Derelict LAYER 8 Netgate @CommWest
        last edited by

        @commwest said in IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1:

        (MODP_768) which is almost too weak to be useful

        Entirely my opinion. That's why pfsense on both ends should be the best way and that is what I will do now.
        Thanks a lot anyway!

        It looks like it is trying three other (presumably stronger) PFS groups before reverting to group 1. It would not surprise me if those were 14, 5, 2.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • DerelictD
          Derelict LAYER 8 Netgate
          last edited by

          @kuschi said in IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1:

          Dec 18 00:01:48 charon 09[JOB] <con3000|445> DPD check timed out, enforcing DPD action

          They stop responding to DPD checks for whatever reason. The logs on the other side would need to be checked to see why.

          It could just be intermittent connectivity.

          But, regardless, based on the other logs, it will be down until they initiate.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • K
            kuschi
            last edited by

            Here is the log file from the other side: Fritzbox. Sorry part of it is in German.

            17.12.18 23:59:02 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
            17.12.18 23:58:50 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 12 SA loss
            17.12.18 23:01:46 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
            17.12.18 23:01:44 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
            17.12.18 22:46:40 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
            17.12.18 22:46:39 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection

            1 Reply Last reply Reply Quote 0
            • DerelictD
              Derelict LAYER 8 Netgate
              last edited by

              @kuschi said in IPsec VPN tunnel to a Fritzbox after update to 2.4.4-p1:

              17.12.18 23:59:02 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
              17.12.18 23:58:50 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 12 SA loss
              17.12.18 23:01:46 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
              17.12.18 23:01:44 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection
              17.12.18 22:46:40 VPN-Verbindung zu VPN MCKUSCH [(IP pfsense)] IKE SA: DH14/AES-256/SHA1 IPsec SA: ESP-AES-256/SHA1/LT-3600 wurde erfolgreich hergestellt.
              17.12.18 22:46:39 VPN-Verbindung zu VPN MCKUSCH wurde getrennt. Ursache: 9 Dead Peer Detection

              17.12.18 23:59:02 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
              17.12.18 23:58:50 VPN connection to VPN MCKUSCH has been disconnected. Cause: 12 SA loss
              17.12.18 23:01:46 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
              17.12.18 23:01:44 VPN connection to VPN MCKUSCH has been disconnected. Cause: 9 dead peer detection
              17.12.18 22:46:40 VPN connection to VPN MCKUSCH [(IP pfsense)] IKE SA: DH14 / AES-256 / SHA1 IPsec SA: ESP-AES-256 / SHA1 / LT-3600 was successfully established.
              17.12.18 22:46:39 VPN connection to VPN MCKUSCH has been disconnected. Cause: 9 dead peer detection

              Doesn't tell us much.

              Need the logs from there saying why it is ignoring these:

              Dec 17 23:36:47 charon: 09[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
              Dec 17 23:36:47 charon: 09[IKE] <con1000|593> sending retransmit 5 of request message ID 0, seq 1
              Dec 17 23:36:05 charon: 10[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
              Dec 17 23:36:05 charon: 10[IKE] <con1000|593> sending retransmit 4 of request message ID 0, seq 1
              Dec 17 23:35:42 charon: 10[NET] <con1000|593> sending packet: from 192.12.13.1[500] to 82.110.36.24[500] (176 bytes)
              Dec 17 23:35:42 charon: 10[IKE] <con1000|593> sending retransmit 3 of request message ID 0, seq 1

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              K 1 Reply Last reply Reply Quote 0
              • K
                kuschi @Derelict
                last edited by

                @derelict If someone could tell me where will I find more detailed logs from the Fritzbox....

                1 Reply Last reply Reply Quote 0
                • K
                  kuschi
                  last edited by

                  I had some time to dig into the Fritzbox and found some additional log files:

                  BEGIN SECTION vpn VPN

                  VPN avmike

                  -rw-r--r-- 1 root root 16551 Dec 27 07:32 /var/tmp/ike.log
                  -rw-r--r-- 1 root root 20579 Dec 27 06:22 /var/tmp/ike.old
                  2018-12-27 05:28:24 avmike:wolke_neighbour_renew_sa 1 SAs
                  2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC c7b118c56587c471 RC 00000000 0000 SA flags=
                  2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 SA flags=
                  2018-12-27 05:28:25 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
                  2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 KEY flags=
                  2018-12-27 05:28:25 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 2 waiting
                  2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 KEY flags=
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:187
                  2018-12-27 05:28:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 IDENTIFICATION flags=e
                  2018-12-27 05:28:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC c7b118c56587c471 RC d66c8871d64ba1bd 0000 IDENTIFICATION flags=e
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 1 ready
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 05:28:25 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
                  2018-12-27 05:28:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
                  2018-12-27 05:28:26 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
                  2018-12-27 05:28:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC c7b118c56587c471 RC d66c8871d64ba1bd b79b46b HASH flags=e
                  2018-12-27 05:28:26 avmike:VPN MCKUSCH: Phase 2 ready
                  2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 4750E80D LT: 3600 I/O: IN
                  2018-12-27 05:28:26 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C8CD6F95 LT: 3600 I/O: OUT
                  2018-12-27 05:28:26 avmike:< cb_sa_created(name=VPN MCKUSCH,id=186,...,flags=0x00002101)
                  2018-12-27 05:28:26 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 05:28:26 avmike:VPN MCKUSCH: NO waiting connections
                  2018-12-27 05:28:36 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1520852e HASH flags=e
                  2018-12-27 05:28:36 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1520852e HASH flags=e
                  2018-12-27 05:28:46 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd d8578e17 HASH flags=e
                  2018-12-27 05:28:56 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 2310d460 HASH flags=e
                  2018-12-27 05:29:06 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1ca9e35a HASH flags=e
                  2018-12-27 05:29:16 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 1fcb9fb2 HASH flags=e
                  2018-12-27 05:29:26 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC c7b118c56587c471 RC d66c8871d64ba1bd 4a845476 HASH flags=e
                  2018-12-27 05:34:24 avmike:VPN MCKUSCH: del phase 1 SA 186
                  2018-12-27 05:34:25 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=185,what=7,reason=Lifetime expired)
                  2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=FB204F02 protocol=3 iotype=1
                  2018-12-27 05:34:25 avmike:FreeIPsecSA: spi=C9852197 protocol=3 iotype=2
                  2018-12-27 06:22:25 avmike:wolke_neighbour_renew_sa 1 SAs
                  2018-12-27 06:22:25 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 6872414bef8f5559 RC 00000000 0000 SA flags=
                  2018-12-27 06:22:25 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 6872414bef8f5559 RC 6511773149bee334 0000 SA flags=
                  2018-12-27 06:22:25 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
                  2018-12-27 06:22:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
                  2018-12-27 06:22:25 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
                  2018-12-27 06:22:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 6872414bef8f5559 RC 6511773149bee334 0000 KEY flags=
                  2018-12-27 06:22:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 6872414bef8f5559 RC 6511773149bee334 0000 KEY flags=
                  2018-12-27 06:22:26 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:188
                  2018-12-27 06:22:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 0000 IDENTIFICATION flags=e
                  2018-12-27 06:22:26 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
                  2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 2 waiting
                  2018-12-27 06:22:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 6872414bef8f5559 RC 6511773149bee334 0000 IDENTIFICATION flags=e
                  2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 1 ready
                  2018-12-27 06:22:26 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
                  2018-12-27 06:22:26 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 06:22:26 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
                  2018-12-27 06:22:26 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
                  2018-12-27 06:22:26 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
                  2018-12-27 06:22:27 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 6872414bef8f5559 RC 6511773149bee334 9a91fdf1 HASH flags=e
                  2018-12-27 06:22:27 avmike:VPN MCKUSCH: Phase 2 ready
                  2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 86D44AE1 LT: 3600 I/O: IN
                  2018-12-27 06:22:27 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C2365320 LT: 3600 I/O: OUT
                  2018-12-27 06:22:27 avmike:< cb_sa_created(name=VPN MCKUSCH,id=187,...,flags=0x00002101)
                  2018-12-27 06:22:27 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 06:22:27 avmike:VPN MCKUSCH: NO waiting connections
                  2018-12-27 06:22:37 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 a8fa1dd1 HASH flags=e
                  2018-12-27 06:22:37 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 a8fa1dd1 HASH flags=e
                  2018-12-27 06:22:47 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2b5f8cc7 HASH flags=e
                  2018-12-27 06:22:57 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2549e835 HASH flags=e
                  2018-12-27 06:23:07 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 751f7fab HASH flags=e
                  2018-12-27 06:23:17 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2c07e412 HASH flags=e
                  2018-12-27 06:23:27 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 279a5e57 HASH flags=e
                  2018-12-27 06:28:25 avmike:VPN MCKUSCH: del phase 1 SA 187
                  2018-12-27 06:28:26 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=186,what=7,reason=Lifetime expired)
                  2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=4750E80D protocol=3 iotype=1
                  2018-12-27 06:28:26 avmike:FreeIPsecSA: spi=C8CD6F95 protocol=3 iotype=2
                  2018-12-27 06:55:18 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 6872414bef8f5559 RC 6511773149bee334 2c1e5ef7 HASH flags=e
                  2018-12-27 07:16:26 avmike:wolke_neighbour_renew_sa 1 SAs
                  2018-12-27 07:16:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 928c71fe2ff76662 RC 00000000 0000 SA flags=
                  2018-12-27 07:16:26 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 SA flags=
                  2018-12-27 07:16:26 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
                  2018-12-27 07:16:26 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
                  2018-12-27 07:16:26 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
                  2018-12-27 07:16:26 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
                  2018-12-27 07:16:27 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
                  2018-12-27 07:16:27 avmike:VPN MCKUSCH: Phase 2 waiting
                  2018-12-27 07:16:28 avmike:>r> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
                  2018-12-27 07:16:28 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 KEY flags=
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:189
                  2018-12-27 07:16:29 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 IDENTIFICATION flags=e
                  2018-12-27 07:16:29 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 0000 IDENTIFICATION flags=e
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 1 ready
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: current=(IP pfsense) new=(IP pfsense)
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
                  2018-12-27 07:16:29 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
                  2018-12-27 07:16:29 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
                  2018-12-27 07:16:29 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2bf7fa9 HASH flags=e
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: Phase 2 ready
                  2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: CBD62308 LT: 3600 I/O: IN
                  2018-12-27 07:16:29 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C05403E4 LT: 3600 I/O: OUT
                  2018-12-27 07:16:29 avmike:< cb_sa_created(name=VPN MCKUSCH,id=188,...,flags=0x00002101)
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 07:16:29 avmike:VPN MCKUSCH: NO waiting connections
                  2018-12-27 07:16:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2b4fccd5 HASH flags=e
                  2018-12-27 07:16:40 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 2b4fccd5 HASH flags=e
                  2018-12-27 07:16:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 f64d9069 HASH flags=e
                  2018-12-27 07:17:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 9a87db77 HASH flags=e
                  2018-12-27 07:17:10 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 69880609 HASH flags=e
                  2018-12-27 07:17:20 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 51824bd9 HASH flags=e
                  2018-12-27 07:17:30 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 bf9c6d0f HASH flags=e
                  2018-12-27 07:17:48 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 7a749f0 HASH flags=e
                  2018-12-27 07:17:58 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 65e2e2ed HASH flags=e
                  2018-12-27 07:18:08 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 bf211ecc HASH flags=e
                  2018-12-27 07:18:18 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 96681b4f HASH flags=e
                  2018-12-27 07:18:28 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 f62169fb HASH flags=e
                  2018-12-27 07:22:26 avmike:VPN MCKUSCH: del phase 1 SA 188
                  2018-12-27 07:22:27 avmike:< delete_sa(appl=dsld,cname=VPN MCKUSCH,id=187,what=7,reason=Lifetime expired)
                  2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=86D44AE1 protocol=3 iotype=1
                  2018-12-27 07:22:27 avmike:FreeIPsecSA: spi=C2365320 protocol=3 iotype=2
                  2018-12-27 07:22:50 avmike:< cb_sa_deleted(name=VPN MCKUSCH,id=188,what=3)
                  2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 5812faab HASH flags=e
                  2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=CBD62308 protocol=3 iotype=1
                  2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 498d3042 HASH flags=e
                  2018-12-27 07:22:50 avmike:FreeIPsecSA: spi=C05403E4 protocol=3 iotype=2
                  2018-12-27 07:22:50 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 928c71fe2ff76662 RC 8bac593a23c18ae1 b0282d8d HASH flags=e
                  2018-12-27 07:22:50 avmike:VPN MCKUSCH: del phase 1 SA 189
                  2018-12-27 07:22:55 avmike:< add(appl=dsld,cname=VPN MCKUSCH,localip=(IP Fritzbox), remoteip=255.255.255.255, p1ss=dh14/aes/sha, p2ss=esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs p1mode=2 keepalive_ip=0.0.0.0 flags=0x40001 tunnel no_xauth no_cfgmode no_nat_t no_certsrv_server_auth)
                  2018-12-27 07:22:55 avmike:new neighbour VPN MCKUSCH:
                  2018-12-27 07:22:55 avmike:< create_sa(appl=dsld,cname=VPN MCKUSCH)
                  2018-12-27 07:22:55 avmike:VPN MCKUSCH: Phase 1 starting
                  2018-12-27 07:22:55 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 220 IC 83b4f0f722b753b4 RC 00000000 0000 SA flags=
                  2018-12-27 07:22:55 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
                  2018-12-27 07:22:55 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 116 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 SA flags=
                  2018-12-27 07:22:55 avmike:identity protection mode VPN MCKUSCH: selected lifetime: 3600 sec(no notify)
                  2018-12-27 07:22:55 avmike:VPN MCKUSCH receive VENDOR ID Payload: XAUTH
                  2018-12-27 07:22:55 avmike:VPN MCKUSCH receive VENDOR ID Payload: DPD
                  2018-12-27 07:22:55 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 308 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 KEY flags=
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
                  2018-12-27 07:22:56 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 324 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 KEY flags=
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: add phase 1 SA: DH14/AES-256/SHA1/3600sec id:1
                  2018-12-27 07:22:56 avmike:>>> identity protection mode [(IP pfsense)] VPN MCKUSCH: V1.0 108 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 IDENTIFICATION flags=e
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: Warning: source changed from 0.0.0.0:500 to (IP pfsense):500
                  2018-12-27 07:22:56 avmike:<<< identity protection mode[(IP pfsense)] VPN MCKUSCH: V1.0 76 IC 83b4f0f722b753b4 RC 84484486b407c0a8 0000 IDENTIFICATION flags=e
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 1 ready
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: current=0.0.0.0 new=(IP pfsense)
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: no valid sa, reseting initialcontactdone flag
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: sending initial contact message
                  2018-12-27 07:22:56 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 940ec48 HASH flags=e
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 2 starting (start waiting)
                  2018-12-27 07:22:56 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 508 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
                  2018-12-27 07:22:56 avmike:<<< quickmode[(IP pfsense)] VPN MCKUSCH: V1.0 444 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
                  2018-12-27 07:22:56 avmike:>>> quickmode [(IP pfsense)] VPN MCKUSCH: V1.0 60 IC 83b4f0f722b753b4 RC 84484486b407c0a8 bb9dcb6a HASH flags=e
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: Phase 2 ready
                  2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: 59C898BB LT: 3600 I/O: IN
                  2018-12-27 07:22:56 avmike:NEW Phase 2 SA: ESP-AES-256/SHA1 SPI: C9FC517F LT: 3600 I/O: OUT
                  2018-12-27 07:22:56 avmike:< cb_sa_created(name=VPN MCKUSCH,id=1,...,flags=0x00002101)
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: start waiting connections
                  2018-12-27 07:22:56 avmike:VPN MCKUSCH: NO waiting connections
                  2018-12-27 07:23:07 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 cd4fbd83 HASH flags=e
                  2018-12-27 07:23:07 avmike:>r> infomode [(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 cd4fbd83 HASH flags=e
                  2018-12-27 07:25:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e17cc7d6 HASH flags=e
                  2018-12-27 07:25:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e6b964ba HASH flags=e
                  2018-12-27 07:26:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 4d99e03e HASH flags=e
                  2018-12-27 07:26:16 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 40692e24 HASH flags=e
                  2018-12-27 07:26:26 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 5a1176a4 HASH flags=e
                  2018-12-27 07:26:40 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 e4d053b9 HASH flags=e
                  2018-12-27 07:26:50 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 fc62b165 HASH flags=e
                  2018-12-27 07:27:00 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 5767b485 HASH flags=e
                  2018-12-27 07:27:10 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 15a82a23 HASH flags=e
                  2018-12-27 07:27:20 avmike:<<< infomode[(IP pfsense)] VPN MCKUSCH: V1.0 92 IC 83b4f0f722b753b4 RC 84484486b407c0a8 200be361 HASH flags=e

                  1 Reply Last reply Reply Quote 0
                  • K
                    kuschi
                    last edited by

                    I had another opportunity to test the connections from the side of the Fritzbox and from the side of the pfsense box:

                    • pfsense box shows connection inactive, Fritzbox shows connection active: traffic direction from Fritzbox to pfsense works, e.g. ping / trace route. pfsense box changes status to connection active
                    • pfsense box shows connection inactive, Fritzbox shows connection active: traffic direction from pfsense box to Fritzbox does not work. Traffic times out, ping/ trace route shows no result
                    1 Reply Last reply Reply Quote 0
                    • K
                      kuschi
                      last edited by

                      Any news from anybody regarding this issue? I still have troubles with dropping connections.

                      Thanks,
                      Martin

                      D 1 Reply Last reply Reply Quote 0
                      • D
                        defender110 @kuschi
                        last edited by

                        @kuschi Still no solution? I am on 2.4.5 and the problem persists.

                        K 1 Reply Last reply Reply Quote 0
                        • K
                          kuschi @defender110
                          last edited by

                          @defender110 Still no solution. I am on 2.4.5 too and I, too, still have the same problem. The Fritzbox connects successful but pfSense shows the connection as "inactive" after a while. The clients on the Fritzbox side, however, can still reach their targets on pfSense's side but not the other way round.

                          D 1 Reply Last reply Reply Quote 1
                          • D
                            defender110 @kuschi
                            last edited by

                            @kuschi Thank You! Well...then the Fritz!Box will have to go and be replaced by a pfSense box. Just have to figure out how to make the Fritz do the phone duties behind the pfSense.

                            1 Reply Last reply Reply Quote 0
                            • N
                              NOCling
                              last edited by

                              I got it stable only with Aggressive Mode, Tunel endpoint is a 6490.
                              Otherwise my Tunnel crash after some time and dont com up again.
                              I hope AVM react on the feature request to upgrade the vpn features.

                              Netgate 6100 & Netgate 2100

                              1 Reply Last reply Reply Quote 0
                              • K
                                kuschi
                                last edited by

                                How did you get it stable in Aggressive Mode? Could you please share your config? Thanks!

                                1 Reply Last reply Reply Quote 0
                                • N
                                  NOCling
                                  last edited by NOCling

                                  Phase 1:

                                  IKEv1
                                  IPv4
                                  PSK
                                  Aggressiv
                                  Distinguished name
                                  Distinguished name
                                  PSK Generate by pfSense
                                  AES 256 SHA512 DH2
                                  DPD on

                                  Phase 2:
                                  IPv4
                                  NAT None
                                  ESP
                                  AES 236
                                  SHA1
                                  PFS Key Group 2
                                  Lifetime 3600

                                  However, a new Netgate has been ordered and replace the Fritz shortly.

                                  Netgate 6100 & Netgate 2100

                                  1 Reply Last reply Reply Quote 0
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.