Phase 2 stops traffic after 45 minutes



  • Good afternoon all & happy easter,

    I would like to ask the community in order to understand an issue I'm suffering with an IPsec tunnel after upgrading from 2.3.3 to 2.4.4_2 - two boxes on HA.

    The key aspects of the IPsec config I'm running are the next ones:

    • IPsec tunnel stablished from pfSense boxes to Dell Sonicwall
    • Issue starts when upgrading pfSense from 2.3.3 to 2.4.4_2
    • Phase 1 connects two public IP addresses, 3x phase 2 connections against separate hosts on remote side to my HA pfSense boxes, one host on my side.

    The tunnel works well, for 45 minutes approx. - then a ping from a host behind my pfSense stops working to reach a host behind Dell Sonicwall firewall. The interesting thing here is that, after phase 2 rekey process happens on pfSense side, the tunnel starts working again.

    This has led me to reduce phase 2 lifetime as small as possible in order to reduce the connection outage - however, this is only a workaround as I really would like to have an stable connection between two sites (from time to time, the tunnel will fail to pass traffic again, and if the rekey process will be re-run in 5 minutes for example, it will have an outage of 5 minutes until the tunnel starts working again after rekey).

    Can anybody help me understand where do I need to look deeper into? Not sure about it and I would appreciate any help / guidelines.

    Thank you very much in advance,

    David



  • Hi. I am using IPSec IKev2. Recommended lifetime for Phase 1 is 28800 and Phase 2 is 3600. If there is no traffic between 2 sides during this lifetime, then ipsec connection is shown as down, but if a traffic begins, then ipsec connection is shown up.



  • Hi emammdov,

    Thanks for your reply. These are the times that were configured on 2.3.3, now I have configured 1200 for phase 2 (in order to rekey more often).

    However, the tunnel shows up always - I don't see anything wrong on Status -> IPsec, but ping fails after 45 minutes. I have also set up DPD and autoping to the remote host in order to prevent the tunnel going down because of lack of traffic. Stopping the tunnel manually and bringing it up again also works, on the same way as a rekey.

    I have also tried to keep a ping from the remote host to my local one in order to see if the lack of traffic from the other side was the culprit, but no luck again - traffic stops at the same period of time.

    Thanks,

    David



  • @Mathews What do system logs show on both sides when this happens? Everything is okay on the other side? I recommend keep the default lifetimes 28800 for phase 1 and 3600 for phase 2. Does it bring up the tunnel if you ping again the remote side after 45 minutes?

    https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-a-site-to-site-ipsec-vpn.html

    Phase 1 lifetime:
    "The lifetime defines how often the connection will be rekeyed, in seconds. 28800 seconds is a good balance of frequent rekeying without being too aggressive."

    Phase 2 lifetime:
    "The lifetime for which the negotiated keys will be valid. One hour (3600) is a good setting. Do not set this to too high (e.g. more than about a day: 86400) as doing so will give people more time to crack the key. Don’t be over paranoid either; there is no need to set this to 20 minutes either."


Log in to reply