IpSec Issue
-
Hi all,
this is my first post, so please be patient with me, and sorry for my English... :-)
I installed pfSense 2.5.1-RELEASE (amd64) on a virtual server (VMware), then I configured an IPsec VPN between my new virtual firewall and a VMware Edge Gateway.
The connection is UP & RUNNING for almost one hour, then it seems to disconnect (even if the VPN status on pfSense seems to be "good").
Can I post my log here, hoping someone can help me?
Thanks
Sergio -
@sergio77
post the log here,
probably a rekey issue
IKEv2 ? Make before Break under advanced options ? -
Behind the Edge Gateway, 31.14.137.0/24 is used as the LAN (even if it's wrong...)...
Thanks
Sergio -
Apr 22 10:40:29 pfSense charon[88632]: 08[JOB] CHILD_SA ESP/0xc5ad082e/IP_PUB_PFSENSE not found for rekey
Apr 22 10:40:27 pfSense charon[88632]: 08[JOB] CHILD_SA ESP/0xc5ad082e/IP_PUB_PFSENSE not found for rekey
Apr 22 10:40:24 pfSense charon[88632]: 08[NET] <con100000|2> sending packet: from IP_PUB_PFSENSE[500] to IP_PUB_GATEWAYEDGE[500] (80 bytes)
Apr 22 10:40:24 pfSense charon[88632]: 08[ENC] <con100000|2> generating CREATE_CHILD_SA response 173 [ N(NO_PROP) ]
Apr 22 10:40:24 pfSense charon[88632]: 08[CHD] <con100000|2> CHILD_SA con100000{214} state change: CREATED => DESTROYING
Apr 22 10:40:24 pfSense charon[88632]: 08[IKE] <con100000|2> failed to establish CHILD_SA, keeping IKE_SA
Apr 22 10:40:24 pfSense charon[88632]: 08[IKE] <con100000|2> no acceptable proposal found
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> no acceptable DIFFIE_HELLMAN_GROUP found
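The CREATE_CHILD_SA lines in the log above, run through a small checker (an added example for this thread, not code from pfSense or strongSwan): it pulls the "configured proposals" and "received proposals" entries per IKE_SA name out of charon output, splits them into transforms, and reports when a DH group (the PFS key group) is present on only one side, which is exactly what the "no acceptable DIFFIE_HELLMAN_GROUP found" line says. The three sample lines are copied from the post; the list of DH-group name prefixes is an assumption.

```python
import re

# Constructed sample: the three proposal/verdict lines from the rekey exchange
# quoted in the post above (connection name con100000 as in the post).
SAMPLE_LOG = """\
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Apr 22 10:40:24 pfSense charon[88632]: 08[CFG] <con100000|2> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Apr 22 10:40:24 pfSense charon[88632]: 08[IKE] <con100000|2> no acceptable proposal found
"""

# charon prints "<name|unique-id> configured|received proposals: PROTO:T1/T2/..., PROTO:..."
LINE_RE = re.compile(
    r"<(?P<conn>[^|>]+)\|\d+> (?P<kind>configured|received) proposals: (?P<props>.+)$"
)
# Assumed prefixes of strongSwan DH-group transform names (MODP_2048, ECP_256, CURVE_25519).
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")


def split_proposals(field):
    """'ESP:A/B/C, ESP:D/E' -> [('ESP', ['A', 'B', 'C']), ('ESP', ['D', 'E'])]"""
    out = []
    for prop in field.split(", "):
        proto, _, transforms = prop.partition(":")
        out.append((proto.strip(), transforms.split("/")))
    return out


def dh_groups(proposals):
    """Set of DH-group transforms appearing in any of the proposals."""
    return {t for _, ts in proposals for t in ts if t.startswith(DH_PREFIXES)}


def diagnose(log_text):
    """Per IKE_SA name, compare the DH groups we offer with the ones the peer sent."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen.setdefault(m["conn"], {})[m["kind"]] = split_proposals(m["props"])
    report = {}
    for conn, kinds in seen.items():
        if "configured" not in kinds or "received" not in kinds:
            continue  # need both sides of the negotiation to say anything
        ours, theirs = dh_groups(kinds["configured"]), dh_groups(kinds["received"])
        if ours and not theirs:
            verdict = "PFS group %s set locally, peer proposes no DH group" % ",".join(sorted(ours))
        elif theirs and not ours:
            verdict = "peer requires PFS group %s, none set locally" % ",".join(sorted(theirs))
        elif ours and theirs and ours.isdisjoint(theirs):
            verdict = "DH group mismatch: local %s vs peer %s" % (sorted(ours), sorted(theirs))
        else:
            verdict = "DH groups compatible"
        report[conn] = {"local_dh": ours, "peer_dh": theirs, "verdict": verdict}
    return report


if __name__ == "__main__":
    for conn, r in diagnose(SAMPLE_LOG).items():
        print(conn, "->", r["verdict"])
```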
DH group mismatch ?
-
I don't think so... the connection is established correctly and it works for an hour... then it stops working.
Look at the screen, please
-
how about phase2 -> PFS key group ?
-
That's It!
But I say, the tunnel is UP for 1 hour (more or less)... -
@sergio77 Maybe this one? https://redmine.pfsense.org/issues/11524
Do you use AES-NI acceleration? -
@lst_hoe said in IpSec Issue:
https://redmine.pfsense.org/issues/11524
I don't know... how can I check if it's enabled?
-
@sergio77 System -> Advanced -> Miscellaneous -> Cryptographic Hardware
Try setting this to "None". You should also reboot for the change to take effect. -
That's It!
Has the problem been solved?
Rekey happens every 54 minutes by default; that's why the tunnel is UP for 1 hour (more or less).