Netgate Discussion Forum
    23.01 Keep Alive - Where is it

    Category: IPsec
    37 Posts, 2 Posters, 6.4k Views
    dalicollins @tedquade

      @tedquade Changing the client settings had no effect. My next test is to change the pfSense IPsec settings: Lifetime to 43200 and Child SA Close Action to default. I am happy if I can get 12 hours instead of 8.

    dalicollins @dalicollins

      @dalicollins I have come to the conclusion that the disconnect issue is a result of an algorithm mismatch during the Windows rekeying process. When the client does a connect, it uses the algorithms set forth in the client setup, but when a rekey happens, it is the proposals that RasMan delivers. This explains why this issue does not occur when using Windows Server VPN, because the proposals will always match. I am going on the hunt for what those algorithms are and adding them to Phase 1 in pfSense. It also explains why some do not have this issue: they use matching algorithms.

    tedquade @dalicollins

          @dalicollins Thanks for your digging.

      Ted Quade

    dalicollins @tedquade

      @tedquade
      The following authentication and encryption settings during the key exchange (in this priority order) are used by Windows:

      SHA1 + AES-CBC-256 + ECP384
      SHA1 + AES-CBC-128 + ECP256
      SHA1 + AES-CBC-256 + MODP2048
      SHA1 + 3DES-CBC + MODP2048
      SHA1 + 3DES-CBC + MODP1024

      For Phase 2 negotiation Windows 10 has the following proposals only:

      SHA1 + AES-CBC-128
      SHA1 + AES-CBC-256 (Windows 10 1803+)

      Notice there are no SHA256 transforms accepted by Windows.
      It seems all of these settings are hardcoded in the system as the L2TP/IPsec client, which explains why rekeying is an issue.
      I added SHA1 + AES256 + MODP2048 (DH14) to Phase 1 and SHA1 + AES256 to Phase 2. I will know in 8 hours if this works.

    tedquade @dalicollins

              @dalicollins I already have those enabled and the connection would drop at around 8 hours.

      Ted Quade

    dalicollins @tedquade

      @tedquade
      My latest test is to use AES256 and SHA1 with pfs2048 as the Windows client. I will see how that goes. I will also try Smart VPN Client.
      I am also trying it in OPNsense to see if that fails as well.

    dalicollins @dalicollins
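The two posts above (the Windows proposal list, and the test of pinning the client to AES256 / SHA1 / pfs2048) describe configuring the Windows L2TP/IPsec client to use exactly the proposal enabled on the pfSense side, so that the initial connect and the later rekey negotiate the same transforms. The following is an added example, not code from the thread or from Netgate, that does this with the built-in RemoteAccess cmdlets. The connection name, server hostname and PSK are placeholders; the cmdlets and parameter values are the documented ones, and `Set-VpnConnectionIPsecConfiguration` applies to connections whose tunnel type is L2tp or Ikev2.

```powershell
# Added example (not from the original thread): pin the Windows L2TP/IPsec client
# to one IKE / ESP proposal matching the pfSense Phase 1 / Phase 2 entries
# (Phase 1: AES-256 + SHA1 + DH14/MODP2048; Phase 2: AES-256 + SHA1, PFS 2048).
# Run in an elevated PowerShell session.

$ConnName = 'pfsense-l2tp'        # assumed connection name (placeholder)
$Server   = 'vpn.example.com'     # assumed pfSense WAN hostname (placeholder)
$Psk      = 'replace-with-the-real-psk'   # placeholder pre-shared key

# 1. Create the L2TP/IPsec connection if it is not already present.
#    -EncryptionLevel Required makes the client refuse an unencrypted PPP link.
if (-not (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType L2tp `
        -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
        -RememberCredential -Force
}

# 2. Replace the client's built-in proposal list with a single custom policy.
#    IKE SA   : EncryptionMethod / IntegrityCheckMethod / DHGroup
#    Child SA : CipherTransformConstants / AuthenticationTransformConstants / PfsGroup
#    SHA196 is HMAC-SHA1 truncated to 96 bits, i.e. the "SHA1" ESP transform.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA1 `
    -DHGroup Group14 `
    -CipherTransformConstants AES256 `
    -AuthenticationTransformConstants SHA196 `
    -PfsGroup PFS2048 `
    -Force

# 3. Print the resulting policy so it can be compared field by field with the
#    pfSense Phase 1 / Phase 2 settings before the next long-running rekey test.
(Get-VpnConnection -Name $ConnName).IPsecCustomPolicy
```

Once the custom policy is set, the client only offers that one proposal, so a rekey that fails afterwards points at the server side (lifetime, Child SA close action, or the responder's own proposal handling) rather than at a proposal mismatch. To go back to the default Windows proposal list, remove the connection with `Remove-VpnConnection -Name $ConnName -Force` and recreate it, or clear the policy with `Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -RevertToDefault -Force`.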

      @dalicollins
      I have results for the disconnect issue. VPN connections using pfSense disconnected with the Windows client again after 8 hours. When I tried the exact same IPsec settings in OPNsense, I had no disconnects with the Windows client or the DrayTek Smart VPN Client after 20 hours. In fact, with DrayTek I could not even get a connection at all with pfSense. So it appears to be an issue with pfSense.

    tedquade @dalicollins

                    @dalicollins Good work. You may want to file a bug report and see what the pfSense folks have to offer.

      Ted Quade

    dalicollins @tedquade

      @tedquade
      In my experience, bug reports go nowhere for me because you have to be a programmer to give them the info they require. It is easier and quicker to just switch to OPNsense on this firewall. I use both for my users.

    tedquade @dalicollins

                        @dalicollins Sad but true!

                        There is nothing quite like a tongue lashing from one of the Gurus.

                        Ted Quade

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.