Netgate Discussion Forum

    IPsec IKEv2 mobile, disconnects after 7:45 -- 8 hours - Windows 10 client

    IPsec
    • jimp (Rebel Alliance Developer, Netgate)

      What shows up in the IPsec log on pfSense when the client disconnects?

      It sounds like a client-side problem to me, though. You might want to post about it on a Windows-focused forum of some kind instead.

      • Alitai

        Could it be this one (Phase 2 lifetime)?

        https://forum.netgate.com/topic/139727/ikev2-ipsec-d%C3%A9connect%C3%A9-apr%C3%A8s-60min/2

        • mikeroygbiv @jimp

          @jimp Thanks for the answer!
          This is my log.
          I deleted a lot of extra vici lines with content like

          "May 7 18:41:27 charon 08[CFG] vici client 200 connected
          May 7 18:41:27 charon 11[CFG] vici client 200 registered for: list-sa
          May 7 18:41:27 charon 07[CFG] vici client 200 requests: list-sas"

          so that the log is a little shorter.

          In the phase 1 settings, Disable Rekey and the tunnel lifetime are set to 24 hours (n

          The other phase 1 settings are at their defaults.
          In phase 2, Rekey is at the default of 3600 sec.

          I deleted the middle of the log and
          left only the beginning and the end of it
          (not all of it fits here, and right).

          The username that connected is TESTUSER_DOMAIN.

          MY7 12:11:00 ch 10[NET] <1> received packet: from CLNT_IP_ADRS-YY[500] to SRV_IP_ADDR[500] (604 bytes)
          MY7 12:11:00 ch 10[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V ]
          MY7 12:11:00 ch 10[CFG] <1> looking for an IKEv2 config for SRV_IP_ADDR...CLNT_IP_ADRS-YY
          MY7 12:11:00 ch 10[CFG] <1> candidate: %any...%any, prio 24
          MY7 12:11:00 ch 10[CFG] <1> candidate: SRV_IP_ADDR...%any, prio 1052
          MY7 12:11:00 ch 10[CFG] <1> found matching ike config: SRV_IP_ADDR...%any with prio 1052
          MY7 12:11:00 ch 10[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
          MY7 12:11:00 ch 10[IKE] <1> received MS-Negotiation Discovery Capable vendor ID
          MY7 12:11:00 ch 10[ENC] <1> received unknown vendor ID:
          MY7 12:11:00 ch 10[IKE] <1> CLNT_IP_ADRS-YY is initiating an IKE_SA
          MY7 12:11:00 ch 10[IKE] <1> IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
          MY7 12:11:00 ch 10[CFG] <1> selecting proposal:
          MY7 12:11:00 ch 10[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
          MY7 12:11:00 ch 10[CFG] <1> selecting proposal:
          MY7 12:11:00 ch 10[CFG] <1> no acceptable INTEGRITY_ALGORITHM found
          MY7 12:11:00 ch 10[CFG] <1> selecting proposal:
          MY7 12:11:00 ch 10[CFG] <1> no acceptable ENCRYPTION_ALGORITHM found
          MY7 12:11:00 ch 10[CFG] <1> selecting proposal:
          MY7 12:11:00 ch 10[CFG] <1> proposal matches
          MY7 12:11:00 ch 10[CFG] <1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
          MY7 12:11:00 ch 10[CFG] <1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
          MY7 12:11:00 ch 10[CFG] <1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
          MY7 12:11:00 ch 10[IKE] <1> remote host is behind NAT
          MY7 12:11:00 ch 10[IKE] <1> sending cert request for "DC=ru, DC=TSTDOM, CN=TSTDOM-SRV-ADX-CA"
          MY7 12:11:00 ch 10[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
          MY7 12:11:00 ch 10[NET] <1> sending packet: from SRV_IP_ADDR[500] to CLNT_IP_ADRS-YY[500] (353 bytes)
          MY7 12:11:00 ch 10[NET] <1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDR[4500] (580 bytes)
          MY7 12:11:00 ch 10[ENC] <1> parsed IKE_AUTH request 1 [ EF(1/3) ]
          MY7 12:11:00 ch 10[ENC] <1> received fragment #1 of 3, waiting for complete IKE message
          MY7 12:11:00 ch 10[NET] <1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDR[4500] (580 bytes)
          MY7 12:11:00 ch 10[ENC] <1> parsed IKE_AUTH request 1 [ EF(2/3) ]
          MY7 12:11:00 ch 10[ENC] <1> received fragment #2 of 3, waiting for complete IKE message
          MY7 12:11:00 ch 10[NET] <1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDR[4500] (148 bytes)
          MY7 12:11:00 ch 10[ENC] <1> parsed IKE_AUTH request 1 [ EF(3/3) ]
          MY7 12:11:00 ch 10[ENC] <1> received fragment #3 of 3, reassembled fragmented IKE message (1136 bytes)
          MY7 12:11:00 ch 10[ENC] <1> parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
          MY7 12:11:00 ch 10[IKE] <1> received cert request for "DC=ru, DC=TSTDOM, CN=TSTDOM-SRV-ADX-CA"

          MY7 12:11:00 ch 10[IKE] <1> received 39 cert requests for an unknown ca
          MY7 12:11:00 ch 10[CFG] <1> looking for peer configs matching SRV_IP_ADDR[%any]...CLNT_IP_ADRS-YY[192.168.1.99]
          MY7 12:11:00 ch 10[CFG] <1> candidate "bypasslan", match: 1/1/24 (me/other/ike)
          MY7 12:11:00 ch 10[CFG] <1> candidate "cn-mble", match: 1/1/1052 (me/other/ike)
          MY7 12:11:00 ch 10[CFG] <1> ignore candidate 'bypasslan' without matching IKE proposal
          MY7 12:11:00 ch 10[CFG] <cn-mble|1> selected peer config 'cn-mble'
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> initiating EAP_IDENTITY method (id 0x00)
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> processing INTERNAL_IP4_ADDRESS attribute
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> processing INTERNAL_IP4_DNS attribute
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> processing INTERNAL_IP4_NBNS attribute
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> processing INTERNAL_IP4_SERVER attribute
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> peer supports MOBIKE
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> authentication of 'mail.TSTDOM.ru' (myself) with RSA signature successful
          MY7 12:11:00 ch 10[IKE] <cn-mble|1> sending end entity cert "C=RU, ST=Moscow, L=Moscow, O=TSTDOM, OU=it, CN=vpn.wrong_domain"
          MY7 12:11:00 ch 10[ENC] <cn-mble|1> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
          MY7 12:11:00 ch 10[ENC] <cn-mble|1> splitting IKE message (1936 bytes) into 2 fragments
          MY7 12:11:00 ch 10[ENC] <cn-mble|1> generating IKE_AUTH response 1 [ EF(1/2) ]
          MY7 12:11:00 ch 10[ENC] <cn-mble|1> generating IKE_AUTH response 1 [ EF(2/2) ]
          MY7 12:11:00 ch 10[NET] <cn-mble|1> sending packet: from SRV_IP_ADDR[4500] to CLNT_IP_ADRS-YY[4500] (1236 bytes)
          MY7 12:11:00 ch 10[NET] <cn-mble|1> sending packet: from SRV_IP_ADDR[4500] to CLNT_IP_ADRS-YY[4500] (772 bytes)
          MY7 12:11:00 ch 08[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDR[4500] (80 bytes)
          MY7 12:11:00 ch 08[ENC] <cn-mble|1> parsed IKE_AUTH request 2 [ EAP/RES/ID ]
          MY7 12:11:00 ch 08[IKE] <cn-mble|1> received EAP identity 'TESTUSER_DOMAIN'
          MY7 12:11:00 ch 08[CFG] <cn-mble|1> RADIUS server 'radius' is candidate: 210
          MY7 12:11:00 ch 08[CFG] <cn-mble|1> sending RADIUS Access-Request to server 'radius'
          MY7 12:11:00 ch 08[CFG] <cn-mble|1> received RADIUS Access-Challenge from server 'radius'
          MY7 12:11:00 ch 08[IKE] <cn-mble|1> initiating EAP_MSCHAPV2 method (id 0x01)
          MY7 12:11:00 ch 08[ENC] <cn-mble|1> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
          MY7 12:11:00 ch 08[NET] <cn-mble|1> sending packet: from SRV_IP_ADDR[4500] to CLNT_IP_ADRS-YY[4500] (112 bytes)
          MY7 12:11:00 ch 08[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDR[4500] (144 bytes)
          MY7 12:11:00 ch 08[ENC] <cn-mble|1> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
          MY7 12:11:00 ch 08[CFG] <cn-mble|1> sending RADIUS Access-Request to server 'radius'
          MY7 12:11:00 ch 08[CFG] <cn-mble|1> received RADIUS Access-Challenge from server 'radius'
          MY7 12:11:00 ch 08[ENC] <cn-mble|1> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
          MY7 12:11:00 ch 08[NET] <cn-mble|1> sending packet: from SRV_IP_ADDR[4500] to CLNT_IP_ADRS-YY[4500] (128 bytes)
          MY7 12:11:00 ch 09[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDR[4500] (80 bytes)
          MY7 12:11:00 ch 09[ENC] <cn-mble|1> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
          MY7 12:11:00 ch 09[CFG] <cn-mble|1> sending RADIUS Access-Request to server 'radius'
          MY7 12:11:00 ch 09[CFG] <cn-mble|1> received RADIUS Access-Accept from server 'radius'
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> RADIUS authentication of 'TESTUSER_DOMAIN' successful
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> EAP method EAP_MSCHAPV2 succeeded, MSK established
          MY7 12:11:00 ch 09[ENC] <cn-mble|1> generating IKE_AUTH response 4 [ EAP/SUCC ]
          MY7 12:11:00 ch 09[NET] <cn-mble|1> sending packet: from SRV_IP_ADDR[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 12:11:00 ch 09[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDR[4500] (112 bytes)
          MY7 12:11:00 ch 09[ENC] <cn-mble|1> parsed IKE_AUTH request 5 [ AUTH ]
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> authentication of '192.168.1.99' with EAP successful
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> authentication of 'mail.TSTDOM.ru' (myself) with EAP
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> IKE_SA cn-mble[1] established between SRV_IP_ADDR[mail.TSTDOM.ru]...CLNT_IP_ADRS-YY[192.168.1.99]
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> IKE_SA cn-mble[1] state change: CONNECTING => ESTABLISHED
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> peer requested virtual IP %any
          MY7 12:11:00 ch 09[CFG] <cn-mble|1> assigning new lease to 'TESTUSER_DOMAIN'
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> assigning virtual IP 10.80.5.1 to peer 'TESTUSER_DOMAIN'
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> building INTERNAL_IP4_SUBNET attribute
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> building UNITY_DEF_DOMAIN attribute
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> building UNITY_SPLITDNS_NAME attribute
          MY7 12:11:00 ch 09[IKE] <cn-mble|1> building INTERNAL_IP4_DNS attribute
          MY7 12:11:00 ch 09[CFG] <cn-mble|1> looking for a child config for 0.0.0.0/0|/0 ::/0|/0 === 0.0.0.0/0|/0 ::/0|/0
          MY7 12:11:00 ch 09[CFG] <cn-mble|1> proposing traffic selectors for us:

          MY7 19:37:00 ch 05[CFG] vc clnt 822 disconnected
          MY7 19:37:02 ch 11[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (352 bytes)
          MY7 19:37:02 ch 11[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 20 [ N(REKEY_SA) SA No TSi TSr ]
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> selecting proposal:
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> proposal matches
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> received proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_12_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_8_128/NO_EXT_SEQ, ESP:AES_GCM_16_192/NO_EXT_SEQ, ESP:AES_GCM_16_192/NO_EXT_SEQ, ESP:AES_GCM_16_192/NO_EXT_SEQ, ESP:AES_GCM_16_192/NO_EXT_SEQ, ESP:AES_GCM_12_192/NO_EXT_SEQ, ESP:AES_GCM_12_192/NO_EXT_SEQ, ESP:AES_GCM_12_192/NO_EXT_SEQ, ESP:AES_GCM_12_192/NO_EXT_SEQ, ESP:AES_GCM_8_192/NO_EXT_SEQ, ESP:AES_GCM_8_192/NO_EXT_SEQ, ESP:AES_GCM_8_192/NO_EXT_SEQ, ESP:AES_GCM_8_192/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_12_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ, ESP:AES_GCM_8_256/NO_EXT_SEQ
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> selecting traffic selectors for us:
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> config: 10.100.1.0/24|/0, received: 0.0.0.0/0|/0 => match: 10.100.1.0/24|/0
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> config: 10.100.1.0/24|/0, received: ::/0|/0 => no match
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> selecting traffic selectors for other:
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> config: 10.80.5.1/32|/0, received: 0.0.0.0/0|/0 => match: 10.80.5.1/32|/0
          MY7 19:37:02 ch 11[CFG] <cn-mble|1> config: 10.80.5.1/32|/0, received: ::/0|/0 => no match
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> CHILD_SA cn-mble{9} state change: CREATED => INSTALLING
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> using AES_CBC for encryption
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> using HMAC_SHA1_96 for integrity
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> adding inbound ESP SA
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> SPI 0xc0dcd51a, src CLNT_IP_ADRS-YY dst SRV_IP_ADDRS
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> registering outbound ESP SA
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> SPI 0xa9f0bc36, src SRV_IP_ADDRS dst CLNT_IP_ADRS-YY
          MY7 19:37:02 ch 11[IKE] <cn-mble|1> inbound CHILD_SA cn-mble{9} established with SPIs c0dcd51a_i a9f0bc36_o and TS 10.100.1.0/24|/0 === 10.80.5.1/32|/0
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> CHILD_SA cn-mble{9} state change: INSTALLING => INSTALLED
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> CHILD_SA cn-mble{8} state change: INSTALLED => REKEYING
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> CHILD_SA cn-mble{8} state change: REKEYING => REKEYED
          MY7 19:37:02 ch 11[ENC] <cn-mble|1> generating CREATE_CHILD_SA response 20 [ N(ESP_TFC_PAD_N) SA No TSi TSr ]
          MY7 19:37:02 ch 11[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (208 bytes)
          MY7 19:37:02 ch 11[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (80 bytes)
          MY7 19:37:02 ch 11[ENC] <cn-mble|1> parsed INFORMATIONAL request 21 [ D ]
          MY7 19:37:02 ch 11[IKE] <cn-mble|1> received DELETE for ESP CHILD_SA with SPI ca0f503e
          MY7 19:37:02 ch 11[IKE] <cn-mble|1> closing CHILD_SA cn-mble{8} with SPIs ceb7ae5c_i (750246 bytes) ca0f503e_o (1603624 bytes) and TS 10.100.1.0/24|/0 === 10.80.5.1/32|/0
          MY7 19:37:02 ch 11[IKE] <cn-mble|1> sending DELETE for ESP CHILD_SA with SPI ceb7ae5c
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> CHILD_SA cn-mble{8} state change: REKEYED => DELETING
          MY7 19:37:02 ch 11[IKE] <cn-mble|1> CHILD_SA closed
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> CHILD_SA cn-mble{8} state change: DELETING => DELETED
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> adding outbound ESP SA
          MY7 19:37:02 ch 11[CHD] <cn-mble|1> SPI 0xa9f0bc36, src SRV_IP_ADDRS dst CLNT_IP_ADRS-YY
          MY7 19:37:02 ch 11[IKE] <cn-mble|1> outbound CHILD_SA cn-mble{9} established with SPIs c0dcd51a_i a9f0bc36_o and TS 10.100.1.0/24|/0 === 10.80.5.1/32|/0
          MY7 19:37:02 ch 11[ENC] <cn-mble|1> generating INFORMATIONAL response 21 [ D ]
          MY7 19:37:02 ch 11[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 19:37:05 ch 15[CFG] vc clnt 823 connected
          MY7 19:37:05 ch 10[CFG] vc clnt 823 disconnected
          MY7 19:37:07 ch 16[IKE] <cn-mble|1> queueing CHILD_DELETE task
          MY7 19:37:07 ch 16[IKE] <cn-mble|1> activating new tasks
          MY7 19:37:07 ch 16[IKE] <cn-mble|1> activating CHILD_DELETE task
          MY7 19:37:07 ch 16[CHD] <cn-mble|1> CHILD_SA cn-mble{8} state change: DELETED => DESTROYING
          MY7 19:37:07 ch 16[IKE] <cn-mble|1> activating new tasks
          MY7 19:37:07 ch 16[IKE] <cn-mble|1> nothing to initiate
          MY7 19:37:11 ch 16[CFG] vc clnt 824 connected
          MY7 19:37:11 ch 07[CFG] vc clnt 824 registered for: list-sa
          MY7 19:37:11 ch 07[CFG] vc clnt 824 requests: list-sas
          MY7 19:37:11 ch 06[CFG] vc clnt 824 disconnected
          MY7 19:46:55 ch 05[CFG] vc clnt 933 disconnected
          MY7 19:47:00 ch 16[CFG] vc clnt 934 connected
          MY7 19:47:00 ch 07[CFG] vc clnt 934 registered for: list-sa
          MY7 19:47:00 ch 07[CFG] vc clnt 934 requests: list-sas
          MY7 19:47:00 ch 07[CFG] vc clnt 934 disconnected
          MY7 19:47:01 ch 10[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (580 bytes)
          MY7 19:47:01 ch 10[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(1/2) ]
          MY7 19:47:01 ch 10[ENC] <cn-mble|1> received fragment #1 of 2, waiting for complete IKE message
          MY7 19:47:01 ch 09[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (84 bytes)
          MY7 19:47:01 ch 09[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(2/2) ]
          MY7 19:47:01 ch 09[ENC] <cn-mble|1> received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
          MY7 19:47:01 ch 09[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ SA KE No N(FRAG_SUP) ]
          MY7 19:47:01 ch 09[IKE] <cn-mble|1> CLNT_IP_ADRS-YY is initiating an IKE_SA
          MY7 19:47:01 ch 09[IKE] <cn-mble|1> IKE_SA cn-mble[2] state change: CREATED => CONNECTING
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> selecting proposal:
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> no acceptable ENCRYPTION_ALGORITHM found
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> selecting proposal:
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> no acceptable INTEGRITY_ALGORITHM found
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> selecting proposal:
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> no acceptable ENCRYPTION_ALGORITHM found
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> selecting proposal:
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> proposal matches
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
          MY7 19:47:01 ch 09[CFG] <cn-mble|1> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
          MY7 19:47:01 ch 09[IKE] <cn-mble|1> IKE_SA cn-mble[2] state change: CONNECTING => ESTABLISHED
          MY7 19:47:01 ch 09[IKE] <cn-mble|1> IKE_SA cn-mble[2] rekeyed between SRV_IP_ADDRS[mail.TSTDOM.ru]...CLNT_IP_ADRS-YY[192.168.1.99]
          MY7 19:47:01 ch 09[IKE] <cn-mble|1> IKE_SA cn-mble[1] state change: ESTABLISHED => REKEYED
          MY7 19:47:01 ch 09[ENC] <cn-mble|1> generating CREATE_CHILD_SA response 22 [ SA No KE ]
          MY7 19:47:01 ch 09[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (304 bytes)
          MY7 19:47:02 ch 09[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (580 bytes)
          MY7 19:47:02 ch 09[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(1/2) ]
          MY7 19:47:02 ch 09[ENC] <cn-mble|1> received fragment #1 of 2, waiting for complete IKE message
          MY7 19:47:02 ch 10[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (84 bytes)
          MY7 19:47:02 ch 10[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(2/2) ]
          MY7 19:47:02 ch 10[ENC] <cn-mble|1> received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
          MY7 19:47:02 ch 10[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ SA KE No N(FRAG_SUP) ]
          MY7 19:47:02 ch 10[IKE] <cn-mble|1> received retransmit of request with ID 22, retransmitting response
          MY7 19:47:02 ch 10[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (304 bytes)
          MY7 19:47:03 ch 10[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (580 bytes)
          MY7 19:47:03 ch 10[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(1/2) ]
          MY7 19:47:03 ch 10[ENC] <cn-mble|1> received fragment #1 of 2, waiting for complete IKE message
          MY7 19:47:03 ch 09[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (84 bytes)
          MY7 19:47:03 ch 09[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(2/2) ]
          MY7 19:47:03 ch 09[ENC] <cn-mble|1> received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
          MY7 19:47:03 ch 09[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ SA KE No N(FRAG_SUP) ]
          MY7 19:47:03 ch 09[IKE] <cn-mble|1> received retransmit of request with ID 22, retransmitting response
          MY7 19:47:03 ch 09[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (304 bytes)
          MY7 19:47:05 ch 10[CFG] vc clnt 935 connected
          MY7 19:47:05 ch 15[CFG] vc clnt 935 disconnected
          MY7 19:47:06 ch 08[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (580 bytes)
          MY7 19:47:06 ch 08[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(1/2) ]
          MY7 19:47:06 ch 08[ENC] <cn-mble|1> received fragment #1 of 2, waiting for complete IKE message
          MY7 19:47:06 ch 05[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (84 bytes)
          MY7 19:47:06 ch 05[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(2/2) ]
          MY7 19:47:06 ch 05[ENC] <cn-mble|1> received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
          MY7 19:47:06 ch 05[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ SA KE No N(FRAG_SUP) ]
          MY7 19:47:06 ch 05[IKE] <cn-mble|1> received retransmit of request with ID 22, retransmitting response
          MY7 19:47:06 ch 05[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (304 bytes)
          MY7 19:47:11 ch 08[CFG] vc clnt 936 connected
          MY7 19:47:11 ch 08[CFG] vc clnt 936 disconnected
          MY7 19:47:13 ch 16[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (580 bytes)
          MY7 19:47:13 ch 16[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(1/2) ]
          MY7 19:47:13 ch 16[ENC] <cn-mble|1> received fragment #1 of 2, waiting for complete IKE message
          MY7 19:47:13 ch 07[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (84 bytes)
          MY7 19:47:13 ch 07[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(2/2) ]
          MY7 19:47:13 ch 07[ENC] <cn-mble|1> received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
          MY7 19:47:13 ch 07[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ SA KE No N(FRAG_SUP) ]
          MY7 19:47:13 ch 07[IKE] <cn-mble|1> received retransmit of request with ID 22, retransmitting response
          MY7 19:47:13 ch 07[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (304 bytes)
          MY7 19:47:16 ch 16[CFG] vc clnt 937 connected
          MY7 19:47:22 ch 05[IKE] <cn-mble|1> sending DPD request
          MY7 19:47:22 ch 05[IKE] <cn-mble|1> queueing IKE_DPD task
          MY7 19:47:22 ch 05[IKE] <cn-mble|1> activating new tasks
          MY7 19:47:22 ch 05[IKE] <cn-mble|1> nothing to initiate
          MY7 19:47:27 ch 08[CFG] vc clnt 939 connected
          MY7 19:47:27 ch 05[CFG] vc clnt 939 disconnected
          MY7 19:47:27 ch 05[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (580 bytes)
          MY7 19:47:27 ch 05[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(1/2) ]
          MY7 19:47:27 ch 05[ENC] <cn-mble|1> received fragment #1 of 2, waiting for complete IKE message
          MY7 19:47:27 ch 06[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (84 bytes)
          MY7 19:47:27 ch 06[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(2/2) ]
          MY7 19:47:27 ch 06[ENC] <cn-mble|1> received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
          MY7 19:47:27 ch 06[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ SA KE No N(FRAG_SUP) ]
          MY7 19:47:27 ch 06[IKE] <cn-mble|1> received retransmit of request with ID 22, retransmitting response
          MY7 19:47:27 ch 06[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (304 bytes)
          MY7 19:47:32 ch 16[CFG] vc clnt 940 connected
          MY7 19:47:32 ch 07[CFG] vc clnt 940 disconnected
          MY7 19:47:37 ch 09[IKE] <cn-mble|1> sending DPD request
          MY7 19:47:37 ch 09[IKE] <cn-mble|1> queueing IKE_DPD task
          MY7 19:47:37 ch 09[IKE] <cn-mble|1> activating new tasks
          MY7 19:47:37 ch 09[IKE] <cn-mble|1> nothing to initiate
          MY7 19:47:37 ch 10[CFG] vc clnt 941 connected
          MY7 19:47:43 ch 08[CFG] vc clnt 942 disconnected
          MY7 19:47:47 ch 13[IKE] <cn-mble|1> sending DPD request
          MY7 19:47:47 ch 13[IKE] <cn-mble|1> queueing IKE_DPD task
          MY7 19:47:47 ch 13[IKE] <cn-mble|1> activating new tasks
          MY7 19:47:47 ch 13[IKE] <cn-mble|1> nothing to initiate
          MY7 19:47:54 ch 11[CFG] vc clnt 944 disconnected
          MY7 19:47:55 ch 14[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (580 bytes)
          MY7 19:47:55 ch 14[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(1/2) ]
          MY7 19:47:55 ch 14[ENC] <cn-mble|1> received fragment #1 of 2, waiting for complete IKE message
          MY7 19:47:55 ch 08[NET] <cn-mble|1> received packet: from CLNT_IP_ADRS-YY[4500] to SRV_IP_ADDRS[4500] (84 bytes)
          MY7 19:47:55 ch 08[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ EF(2/2) ]
          MY7 19:47:55 ch 08[ENC] <cn-mble|1> received fragment #2 of 2, reassembled fragmented IKE message (576 bytes)
          MY7 19:47:55 ch 08[ENC] <cn-mble|1> parsed CREATE_CHILD_SA request 22 [ SA KE No N(FRAG_SUP) ]
          MY7 19:47:55 ch 08[IKE] <cn-mble|1> received retransmit of request with ID 22, retransmitting response
          MY7 19:47:55 ch 08[NET] <cn-mble|1> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (304 bytes)
          MY7 19:47:59 ch 14[CFG] vc clnt 945 connected
          MY7 19:48:05 ch 09[IKE] <cn-mble|1> sending DPD request
          MY7 19:48:05 ch 09[IKE] <cn-mble|1> queueing IKE_DPD task
          MY7 19:48:05 ch 09[IKE] <cn-mble|1> activating new tasks
          MY7 19:48:05 ch 09[IKE] <cn-mble|1> nothing to initiate
          MY7 19:48:15 ch 15[IKE] <cn-mble|1> sending DPD request
          MY7 19:48:15 ch 15[IKE] <cn-mble|1> queueing IKE_DPD task
          MY7 19:48:15 ch 15[IKE] <cn-mble|1> activating new tasks
          MY7 19:48:15 ch 15[IKE] <cn-mble|1> nothing to initiate
          MY7 19:48:25 ch 12[IKE] <cn-mble|1> sending DPD request
          MY7 19:48:25 ch 12[IKE] <cn-mble|1> queueing IKE_DPD task
          MY7 19:48:25 ch 12[IKE] <cn-mble|1> activating new tasks
          MY7 19:48:25 ch 12[IKE] <cn-mble|1> nothing to initiate
          MY7 19:48:26 ch 09[CFG] vc clnt 950 connected
          MY7 19:48:26 ch 12[CFG] vc clnt 950 disconnected
          MY7 19:48:31 ch 15[IKE] <cn-mble|1> destroying IKE_SA in state REKEYED without notification
          MY7 19:48:31 ch 15[IKE] <cn-mble|1> IKE_SA cn-mble[1] state change: REKEYED => DESTROYING
          MY7 19:56:37 ch 06[IKE] <cn-mble|2> sending DPD request
          MY7 19:56:37 ch 06[IKE] <cn-mble|2> queueing IKE_DPD task
          MY7 19:56:37 ch 06[IKE] <cn-mble|2> activating new tasks
          MY7 19:56:37 ch 06[IKE] <cn-mble|2> activating IKE_DPD task
          MY7 19:56:37 ch 06[ENC] <cn-mble|2> generating INFORMATIONAL request 0 [ ]
          MY7 19:56:37 ch 06[NET] <cn-mble|2> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 19:56:39 ch 11[CFG] vc clnt 1042 connected
          MY7 19:56:39 ch 14[CFG] vc clnt 1042 disconnected
          MY7 19:56:41 ch 08[IKE] <cn-mble|2> retransmit 1 of request with message ID 0
          MY7 19:56:41 ch 08[NET] <cn-mble|2> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 19:56:49 ch 16[IKE] <cn-mble|2> retransmit 2 of request with message ID 0
          MY7 19:56:49 ch 16[NET] <cn-mble|2> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 19:56:49 ch 13[CFG] vc clnt 1044 connected
          MY7 19:57:00 ch 15[CFG] vc clnt 1046 disconnected
          MY7 19:57:02 ch 05[IKE] <cn-mble|2> retransmit 3 of request with message ID 0
          MY7 19:57:02 ch 05[NET] <cn-mble|2> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 19:57:25 ch 09[IKE] <cn-mble|2> retransmit 4 of request with message ID 0
          MY7 19:57:25 ch 09[NET] <cn-mble|2> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 19:57:27 ch 09[CFG] vc clnt 1051 disconnected
          MY7 19:58:07 ch 08[IKE] <cn-mble|2> retransmit 5 of request with message ID 0
          MY7 19:58:07 ch 08[NET] <cn-mble|2> sending packet: from SRV_IP_ADDRS[4500] to CLNT_IP_ADRS-YY[4500] (80 bytes)
          MY7 19:59:23 ch 13[IKE] <cn-mble|2> giving up after 5 retransmits
          MY7 19:59:23 ch 13[CFG] <cn-mble|2> RADIUS server 'radius' is candidate: 210
          MY7 19:59:23 ch 13[CFG] <cn-mble|2> sending RADIUS Accounting-Request to server 'radius'
          MY7 19:59:23 ch 13[CFG] <cn-mble|2> received RADIUS Accounting-Response from server 'radius'
          MY7 19:59:23 ch 13[IKE] <cn-mble|2> IKE_SA cn-mble[2] state change: ESTABLISHED => DESTROYING
          MY7 19:59:23 ch 13[CHD] <cn-mble|2> CHILD_SA cn-mble{9} state change: INSTALLED => DESTROYING
          MY7 19:59:23 ch 13[CFG] <cn-mble|2> lease 10.80.5.1 by 'TESTUSER_DOMAIN' went offline

          • M
            mikeroygbiv
            last edited by mikeroygbiv

            I think I found where the problem is growing from.
            In the Windows Firewall settings, in the IPsec tab, these are the values
            and default algorithms used for IKE,

            and most importantly the lifetime: 480 min = 8 hours.

            Capture.PNG

            • A
              Alitai
              last edited by Alitai

              Interesting that disable rekey does not help. I have to test that too. Normally I don't use my VPN connection for so long.

              • M
                mikeroygbiv @Alitai
                last edited by mikeroygbiv

                @Alitai yes, as a rule, not everyone needs to be connected to work for so long.

                But nevertheless, many do not have time or still want to sit and work;
                or for someone the uptime of the tunnel is important for more than 8 hours - in my case there are 3D designers: they use network rendering, the farms are on the network, and the resources (textures, models, all of that, in the same place); they put it on for the night, for example.

                I will test with a larger number of minutes for rekey (12 hours) on Windows.
                I will test further; maybe there is still a problem in a mismatch of phases 1 and 2 on the client (Windows) and on pfSense.

                • A
                  Alitai
                  last edited by

                  I can't confirm. After over 8 hours it's still working. After 7:36 hours it re-established the VPN Phase 1 connection.

                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    7h36m is 27,360 seconds which is exactly 95% of 28,800 (8 hours) so a rekey does seem likely.


                    • M
                      mikeroygbiv
                      last edited by mikeroygbiv

                      I understood what the problem was, I solved it, there are no more breaks after 8 hours! (there is a rekey from Windows, but it passes successfully)
                      In Windows by default there were phase 1 algorithms that did not match my pfSense! :)

                      From the GUI (Windows Defender Firewall with Advanced Security - Windows Defender Firewall Settings - IPsec Settings), changing the parameters of phases 1 and 2 does not lead to a positive result, neither for the algorithms nor for the phase lifetime (rekeys).

                      Adding a registry parameter to this key solves the issue:
                      HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
                      parameter (DWORD):
                      NegotiateDH2048_AES256
                      value:
                      1
                      Other values can be set; 1 in my opinion is optimal.
                      I give a table with the phase 1 and phase 2 values for the registry.

                      This parameter in the table:

                      71bb4470-c2b7-404f-8ca6-75b234ae29e5-image.png

                      Of course, you can do all this through PowerShell, and probably better, but through the registry it will be easier for someone)

                      Then create a connection (PowerShell);
                      in my case it was like this:

                      Add-VpnConnection -Name "TEST" -ServerAddress "vpn.server.com" -TunnelType Ikev2 -EncryptionLevel Required -AuthenticationMethod Eap -SplitTunneling -AllUserConnection -RememberCredential -PassThru
                      

                      Connect successfully and look at the parameters of the created SA through PowerShell:

                      Get-NetIPsecMainModeSA
                      

                      in my case it looks like this:

                      Name                                : 2
                      LocalEndpoint                       : 192.168.1.30
                      RemoteEndpoint                      : XXX.XXX.XXX.XXX
                      LocalFirstId.Identity               :
                      LocalFirstId.ImpersonationType      : None
                      LocalFirstId.AuthenticationMethod   : EAP
                      LocalFirstId.Flags                  : None
                      RemoteFirstId.Identity              : vpn.server.com
                      RemoteFirstId.ImpersonationType     : None
                      RemoteFirstId.AuthenticationMethod  : Certificate
                      RemoteFirstId.Flags                 : None
                      LocalSecondId.Identity              :
                      LocalSecondId.ImpersonationType     :
                      LocalSecondId.AuthenticationMethod  :
                      LocalSecondId.Flags                 :
                      RemoteSecondId.Identity             :
                      RemoteSecondId.ImpersonationType    :
                      RemoteSecondId.AuthenticationMethod :
                      RemoteSecondId.Flags                :
                      CipherAlgorithm                     : AES256
                      HashAlgorithm                       : SHA1
                      GroupId                             : DH14
                      KeyModule                           : IkeV2
                      MaxQMSAs                            : 0
                      LifetimeSeconds                     : 28800
                      LocalUdpEncapsulationPort           : 4500
                      RemoteUdpEncapsulationPort          : 4500
                      ExtendedFilterId                    : 0
                      
                      LifetimeSeconds                     : 28800
                      

                      I did not find how to change it to a smaller or greater value..
                      This is some kind of system, hard-wired parameter;
                      there is no information on it,
                      neither registry keys nor PowerShell cmdlets, nothing.. (only for Azure IPsec)

                      Well, okay.
                      Anyway, after 28800 sec the rekey is successful and the connection does not break!
                      (this was for the test; I wanted to make it smaller so as not to wait 8 hours)

                      Summarizing - you need to be more careful about the parameters and algorithms of phases 1 and 2 both on the server and on the client so that the phases correspond to each other.

                      And of course, in Windows everything is constantly changing from build to version..
                      In my case, the problem was on Windows 1903.
                      Further, you should test stricter algorithms.)

                      To all who answered, thank you very much!!!

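The post above sets the algorithms via a registry value and checks the result by hand. The following is an added example, not code from the thread, from Netgate or from Microsoft: it applies the same NegotiateDH2048_AES256 = 1 value, creates the connection with the cmdlet from the post, pins the phase 1/2 proposal explicitly with Set-VpnConnectionIPsecConfiguration (the "through PowerShell" route mentioned later in the thread), and then compares the negotiated IKE SA against what pfSense is expected to use. The connection name "TEST" and server "vpn.server.com" are the placeholders from the post; the AES-256 / SHA-256 / DH14 / PFS2048 values are an assumption standing in for whatever the pfSense phase 1 and phase 2 are actually set to.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on the Windows 10 client.
# Assumptions: connection "TEST", server "vpn.server.com" (placeholders from the post), and a
# pfSense mobile IPsec tunnel using AES-256 / SHA-256 / DH group 14 (P1) and AES-256 / SHA-256 / PFS 2048 (P2).
$ConnName   = 'TEST'
$ServerName = 'vpn.server.com'

# 1. Registry switch from the post: value 1 makes the RasMan IKEv2 client prefer DH2048 / AES-256.
$RasManKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
New-ItemProperty -Path $RasManKey -Name 'NegotiateDH2048_AES256' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Create the connection (same cmdlet and switches as the post) unless it already exists.
if (-not (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $ServerName -TunnelType Ikev2 `
        -EncryptionLevel Required -AuthenticationMethod Eap -SplitTunneling `
        -AllUserConnection -RememberCredential | Out-Null
}

# 3. Pin the proposal instead of relying on the firewall GUI defaults that did not take effect.
#    These are the assumed pfSense values; change them to match your own phase 1 / phase 2.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

# 4. Dial the tunnel; -RememberCredential lets rasdial reuse the saved EAP credentials.
rasdial $ConnName | Out-Null

# 5. Get-NetIPsecMainModeSA reports RemoteEndpoint as an IP, so resolve the server name first.
$ServerIps = [System.Net.Dns]::GetHostAddresses($ServerName) | ForEach-Object { $_.IPAddressToString }
$Sa = Get-NetIPsecMainModeSA |
      Where-Object { $ServerIps -contains $_.RemoteEndpoint } |
      Select-Object -First 1
if (-not $Sa) { throw "No IKE SA towards $ServerName found; the connection did not come up." }

# 6. Compare the negotiated phase 1 with the expected pfSense settings (assumed values, see above).
$Expected = @{ CipherAlgorithm = 'AES256'; HashAlgorithm = 'SHA256'; GroupId = 'DH14' }
$Mismatch = $Expected.GetEnumerator() | Where-Object { $Sa.($_.Key) -ne $_.Value }
if ($Mismatch) {
    $Mismatch | ForEach-Object {
        Write-Warning ("{0}: negotiated {1}, expected {2}" -f $_.Key, $Sa.($_.Key), $_.Value)
    }
} else {
    # Per jimp's observation above, the client rekeys at about 95% of LifetimeSeconds.
    "IKE SA matches the expected phase 1; lifetime {0} s, rekey expected around {1:n0} s" -f `
        $Sa.LifetimeSeconds, ($Sa.LifetimeSeconds * 0.95)
}
```

The same comparison can be done for phase 2 with Get-NetIPsecQuickModeSA (its objects expose the ESP cipher and integrity algorithms), which is the side the "Rekey 3600 sec" setting on pfSense governs; a mismatch there shows up as the CHILD_SA being torn down while the IKE_SA stays up, rather than the "giving up after 5 retransmits" seen in the log earlier in the thread.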
                      • M
                        mikeroygbiv @Alitai
                        last edited by

                        @Alitai you were right!
                        I needed to check the settings of phase algorithms on windows!

                        • M
                          mikeroygbiv
                          last edited by mikeroygbiv

                          Here also, earlier on the forum, @groupers made recommendations; you can also stick to them:

                          https://forum.netgate.com/topic/150670/safe-ikev2-configuration-for-pfsense-and-windows-10-and-macos

                          Although they contradict what I wrote above (deleting the registry key, and setting up the algorithms through PowerShell), the essence is the same = setting the same parameters both on pfSense and on Windows.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.