23.01 Keep Alive - Where is it

dalicollins

@tedquade Changing the client settings had no effect. My next test is to change the pfSense IPsec settings. Lifetime to 43200 and Child SA Close Action to default. I am happy if I can get 12 hours instead of 8.

dalicollins

@dalicollins I have come to the conclusion that the disconnect issue is a result of an Algorithm mismatch during the Windows rekeying process. When the client does a connect they are using the algorithms set forth in the Client setup, but when a rekey happens, it is the proposals that raspman delivers. This explains why this issue does not occur when using Windows server VPN because the proposals will always match. I am going on the hunt for what those algorithms are and adding them to phase 1 in pfsense. Also explains why some do not have this issue. They use matching algorithms

tedquade

@dalicollins Thanks for your digging.

Ted Quade

dalicollins

@tedquade
The following authentication and encryption settings during the key exchange (in this priority order) are used by Windows:

SHA1 + AES-CBC-256 + ECP384
SHA1 + AES-CBC-128 + ECP256
SHA1 + AES-CBC-256 + MODP2048
SHA1 + 3DES-CBC + MODP2048
SHA1 + 3DES-CBC + MODP1024

For Phase2 negotiation Windows 10 has the following proposal only:

SHA1 + AES-CBC-128
SHA1 + AES-CBC-256 (Windows 10 1803+)

Notice there are no SHA256 Transforms accepted by Windows
It seems all of these settings are hardcoded in the system as the L2TP/IPsec client which explains why rekeying is an issue.
I added SHA1 + AES256 + MODP2048 (DH14) to Phase 1 and SHA1 and AES256 to Phase 2. I will know in 8 hours if this works

tedquade

@dalicollins I already have those enabled and the connection would drop at around 8 hours.

Ted Quade

dalicollins

@tedquade
My latest test is to use AES256 and SHA1 with pfs2048 as the Windows client. I will see how that goes. I will also try Smart VPN Client.
I am also trying it in OPNsense to see if that fails as well.

dalicollins

@dalicollins
I have results for the disconnect issue. VPN Connections using pfsense disconnected with the Windows client again after 8 hours. When I tried the exact same IPsec settings in OPNsense I had no disconnects with Windows client or DrayTek Smart VPN Client after 20 hours. In fact with DrayTek I could not even get a connection at all with PFsense. So it appears to be an issue with PFsense.

tedquade

@dalicollins Good work. You may want to file a bug report and see what the pfSense folks have to offer.

Ted Quade

dalicollins

@tedquade
In my experience bug reports go nowhere for me because you have to be a programmer to give them the info they require. Easier and quicker to just switch to OPNsense on this firewall. I use both for my users.

tedquade

@dalicollins Sad but true!

There is nothing quite like a tongue lashing from one of the Gurus.

Ted Quade