23.01 Keep Alive - Where is it
-
@dalicollins In my test environment, the test W10 machine disconnected at exactly 8 hours of run time, which is 28800 seconds.
Take a look at VPN/IPsec/Mobile Clients/Edit Phase 1
Scroll down to Expiration and Replacement and note the Life Time value. In my case it is 28800 seconds. Very interesting. Seems Break before Make may be a bit disruptive.
Under Advanced there is a Make before Break setting that I will now try.
Ted Quade
-
@dalicollins It's a problem with the windows client.
Google the following for lots of hits on the matter:
windows ipsec disconnects after 8 hours
Ted Quade
-
@tedquade said in 23.01 Keep Alive - Where is it:
windows ipsec disconnects after 8 hours
I am using the exact same Windows client as before. The only difference is that before I was using L2TP with the Windows VPN server. This seems to be an issue with no fix in sight, so I will have to try another, more stable protocol. I think I will try the pfSense L2TP since that seemed not to have issues before. Any thoughts on this?
-
@dalicollins The majority feel this is a rekey problem with the Windows client. There was a post that suggested changing the Phase 1 Lifetime to a value less than 7.6 hours. I set mine to 4 hours. I will see what happens.
-
@tedquade Didn't work. On my test system, the VPN disconnected, but still showed connected in pfSense. Not sure what to try next.
-
@dalicollins I'm not surprised. I encountered this over many years with a range of firewall products (Northern Telecom/Nortel Networks, various ZyXEL, various Ubiquiti, etc. and now pfSense).
One suggestion I seem to recall from the past was to use the StrongSwan client for windows. I never gave it a try but that is all I have to offer you.
Ted Quade
-
@tedquade What I am trying, as suggested in another Netgate post, is to change the Key Lifetimes to 12 hours in the Advanced firewall settings and to match the Security Methods on the client side. 12 hours would work for me. Everything points to a Windows client rekeying issue. If this doesn't work, I will try another VPN client, which I wanted to avoid because it means I will have to add software to every user. I'll let you know how it turns out in 9 hours.
-
@dalicollins " ...... I wanted to avoid because it means I will have to add software to every user"
That's the reason I never went down that road and besides, you now have to maintain it.
Good Luck!
Ted Quade
-
@tedquade Changing the client settings had no effect. My next test is to change the pfSense IPsec settings. Lifetime to 43200 and Child SA Close Action to default. I am happy if I can get 12 hours instead of 8.
-
@dalicollins I have come to the conclusion that the disconnect issue is a result of an algorithm mismatch during the Windows rekeying process. When the client does a connect, it uses the algorithms set forth in the client setup, but when a rekey happens, it is the proposals that raspman delivers. This explains why this issue does not occur when using the Windows server VPN, because the proposals will always match. I am going on the hunt for what those algorithms are and adding them to Phase 1 in pfSense. It also explains why some do not have this issue: they use matching algorithms.
-
@dalicollins Thanks for your digging.
Ted Quade
-
@tedquade
The following authentication and encryption settings during the key exchange (in this priority order) are used by Windows:
SHA1 + AES-CBC-256 + ECP384
SHA1 + AES-CBC-128 + ECP256
SHA1 + AES-CBC-256 + MODP2048
SHA1 + 3DES-CBC + MODP2048
SHA1 + 3DES-CBC + MODP1024
For Phase2 negotiation Windows 10 has the following proposal only:
SHA1 + AES-CBC-128
SHA1 + AES-CBC-256 (Windows 10 1803+)
Notice there are no SHA256 transforms accepted by Windows.
It seems all of these settings are hardcoded in the system as the L2TP/IPsec client, which explains why rekeying is an issue.
I added SHA1 + AES256 + MODP2048 (DH14) to Phase 1 and SHA1 and AES256 to Phase 2. I will know in 8 hours if this works.
-
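A way to check a gateway's configured Phase 1 and Phase 2 proposals against the Windows client lists quoted in the post above, as an added example that is not part of this thread. The gateway proposal sets in it are constructed samples, not anyone's real pfSense or OPNsense configuration, and the overlap check assumes the rekey only succeeds if both sides share at least one proposal per phase.

```python
# Added example (not from this thread): compare a gateway's configured IKE proposals
# with the Windows client proposal lists quoted above, so an operator can see whether a
# client-driven rekey has anything in common with the gateway config before waiting 8 hours.
# The gateway proposal sets used below are constructed samples, not anyone's real config.
from typing import Dict, Iterable, List, Set

# Proposals are written as strings in the same notation the thread uses.
WINDOWS_P1: List[str] = [            # Phase 1 (IKE_SA), Windows priority order
    "SHA1+AES-CBC-256+ECP384",
    "SHA1+AES-CBC-128+ECP256",
    "SHA1+AES-CBC-256+MODP2048",
    "SHA1+3DES-CBC+MODP2048",
    "SHA1+3DES-CBC+MODP1024",
]
WINDOWS_P2: List[str] = ["SHA1+AES-CBC-128", "SHA1+AES-CBC-256"]  # Phase 2 (CHILD_SA)

# Legacy algorithms worth flagging even when they do match; SHA1 is in every Windows
# proposal, so it will always be reported once there is any overlap at all.
LEGACY = {"3DES-CBC", "MODP1024", "SHA1"}

def common(client: Iterable[str], gateway: Iterable[str]) -> List[str]:
    """Proposals both sides offer, kept in the client's priority order."""
    gw: Set[str] = set(gateway)
    return [p for p in client if p in gw]

def rekey_report(gw_p1: Iterable[str], gw_p2: Iterable[str]) -> Dict[str, object]:
    """Summarise Phase 1 / Phase 2 overlap with the Windows lists and flag legacy algorithms."""
    p1 = common(WINDOWS_P1, gw_p1)
    p2 = common(WINDOWS_P2, gw_p2)
    legacy = sorted({alg for p in p1 + p2 for alg in p.split("+") if alg in LEGACY})
    problems = []
    if not p1:
        problems.append("no Phase 1 overlap: an IKE_SA rekey cannot agree on a proposal")
    if not p2:
        problems.append("no Phase 2 overlap: a CHILD_SA rekey cannot agree on a proposal")
    return {"phase1": p1, "phase2": p2, "legacy_algorithms": legacy, "problems": problems}

if __name__ == "__main__":
    # Constructed sample: a gateway offering SHA256 only, which the post says Windows never accepts.
    sha256_only = rekey_report(["SHA256+AES-CBC-256+MODP2048"], ["SHA256+AES-CBC-256"])
    print(sha256_only["problems"])
    # Constructed sample: the proposals the post says were added (DH14 = MODP2048) alongside SHA256.
    matched = rekey_report(["SHA256+AES-CBC-256+MODP2048", "SHA1+AES-CBC-256+MODP2048"],
                           ["SHA256+AES-CBC-256", "SHA1+AES-CBC-256"])
    print(matched["phase1"], matched["phase2"], matched["legacy_algorithms"])
```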
@dalicollins I already have those enabled and the connection would drop at around 8 hours.
Ted Quade
-
@tedquade
My latest test is to use AES256 and SHA1 with pfs2048 as the Windows client. I will see how that goes. I will also try Smart VPN Client.
I am also trying it in OPNsense to see if that fails as well.
-
@dalicollins
I have results for the disconnect issue. VPN connections using pfSense disconnected with the Windows client again after 8 hours. When I tried the exact same IPsec settings in OPNsense I had no disconnects with the Windows client or DrayTek Smart VPN Client after 20 hours. In fact, with DrayTek I could not even get a connection at all with pfSense. So it appears to be an issue with pfSense.
-
@dalicollins Good work. You may want to file a bug report and see what the pfSense folks have to offer.
Ted Quade
-
@tedquade
In my experience bug reports go nowhere for me because you have to be a programmer to give them the info they require. Easier and quicker to just switch to OPNsense on this firewall. I use both for my users.
-
@dalicollins Sad but true!
There is nothing quite like a tongue lashing from one of the Gurus.
Ted Quade