IPSEC VPN expires



  • I am connected from a local pfSense to a remote Adtran IPsec VPN. The tunnel works fine, but occasionally it just drops. I was just in the middle of a VoIP call with my phone registered at the other end. Here is the log. I can fix it by disabling IPsec and then enabling it on pfSense. The log is below, then a break where I disabled and re-enabled.

    dpd is 60 sec
    phase 1 lifetime is 28800
    phase 2 is 86400
    1.2.3-RELEASE

    Any help would be appreciated.

    Feb 16 13:55:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP/Tunnel RemoteIP[0]->LocalIP[0] spi=221965914(0xd3aee5a)
    Feb 16 13:55:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=2456922388(0x9271a914)
    Feb 16 13:50:25 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP/Tunnel RemoteIP[0]->LocalIP[0] spi=250696917(0xef154d5)
    Feb 16 13:50:25 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=3330406726(0xc681f946)
    Feb 16 13:49:17 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP/Tunnel RemoteIP[0]->LocalIP[0] spi=138765306(0x84563fa)
    Feb 16 13:49:17 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=4054071131(0xf1a4375b)
    Feb 16 07:36:48 racoon: ERROR: unknown Informational exchange received.
    Feb 16 07:36:40 racoon: [Remote1 VPN 172.23.45.0]: INFO: ISAKMP-SA deleted LocalIP[500]-RemoteIP[500] spi:1db161e48763a695:19759caa00737018
    Feb 16 07:36:39 racoon: [Remote1 VPN 172.23.45.0]: INFO: ISAKMP-SA expired LocalIP[500]-RemoteIP[500] spi:1db161e48763a695:19759caa00737018
    Feb 16 07:31:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=3164224600(0xbc9a3c58)
    Feb 16 07:31:29 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP RemoteIP[0]->LocalIP[0] spi=108807287(0x67c4477)

    Disabled and re-enabled VPN

    Feb 16 15:18:58 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=3614750521(0xd774b739)
    Feb 16 15:18:58 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP RemoteIP[0]->LocalIP[0] spi=167420639(0x9faa2df)
    Feb 16 15:18:58 racoon: WARNING: ignore CONNECTED notification.
    Feb 16 15:18:58 racoon: WARNING: ignore REPLAY-STATUS notification.
    Feb 16 15:18:58 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
    Feb 16 15:18:58 racoon: [Remote1 VPN 172.23.45.0]: INFO: initiate new phase 2 negotiation: LocalIP[0]<=>RemoteIP[0]
    Feb 16 15:18:53 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=3049770368(0xb5c7cd80)
    Feb 16 15:18:53 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP RemoteIP[0]->LocalIP[0] spi=27119556(0x19dcfc4)
    Feb 16 15:18:53 racoon: WARNING: ignore CONNECTED notification.
    Feb 16 15:18:53 racoon: WARNING: ignore REPLAY-STATUS notification.
    Feb 16 15:18:53 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
    Feb 16 15:18:53 racoon: [Remote1 VPN 172.23.45.0]: INFO: initiate new phase 2 negotiation: LocalIP[0]<=>RemoteIP[0]
    Feb 16 15:18:47 racoon: [Remote1 VPN 172.23.45.0]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0]



  • I believe the phase 1 lifetime should be larger than the phase 2 lifetime. Also, have you tried "Prefer old IPsec SAs" under "System: Advanced functions"?

    Roy…
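
One way to measure the outage in a racoon log like the one in the first post, as an added example that is not part of the thread: it replays SA events oldest-first and reports each window in which no IPsec-SA was live, and whether an ISAKMP-SA still existed when the window opened. The function name, the sample lines, and the year (syslog lines carry none) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in racoon's syslog format, modelled on the log in the post
# (newest entry first). SPIs, the tunnel tag and the year are made up.
SAMPLE = """\
Feb 16 15:18:53 racoon: [Remote1 VPN]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=100(0x64)
Feb 16 13:55:29 racoon: [Remote1 VPN]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=300(0x12c)
Feb 16 13:49:17 racoon: [Remote1 VPN]: INFO: IPsec-SA expired: ESP LocalIP[0]->RemoteIP[0] spi=200(0xc8)
Feb 16 07:36:39 racoon: [Remote1 VPN]: INFO: ISAKMP-SA expired LocalIP[500]-RemoteIP[500] spi:aaaa:bbbb
Feb 16 07:31:29 racoon: [Remote1 VPN]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=200(0xc8)
Feb 16 07:31:20 racoon: [Remote1 VPN]: INFO: IPsec-SA established: ESP LocalIP[0]->RemoteIP[0] spi=300(0x12c)
Feb 16 07:31:10 racoon: [Remote1 VPN]: INFO: ISAKMP-SA established LocalIP[500]-RemoteIP[500] spi:aaaa:bbbb
"""

LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) racoon: .*?(ISAKMP-SA|IPsec-SA) "
    r"(established|expired|deleted)\b.*?(?:spi[=:](\S+))?$")

def tunnel_gaps(log_text, year=2010):
    """Return (start, end, phase1_up_at_start) per window with no live IPsec-SA."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    # Input is newest-first; reverse before the stable sort to keep same-second order.
    events = sorted(reversed(events), key=lambda e: e[0])
    live, phase1_up, gaps, down_since = set(), False, [], None
    for ts, kind, action, spi in events:
        if kind == "ISAKMP-SA":
            phase1_up = action == "established"
        elif action == "established":
            live.add(spi)
            if down_since:
                gaps.append((down_since[0], ts, down_since[1]))
                down_since = None
        else:  # IPsec-SA expired or deleted
            live.discard(spi)
            if not live and down_since is None:
                down_since = (ts, phase1_up)
    if down_since:  # still down at the end of the log
        gaps.append((down_since[0], None, down_since[1]))
    return gaps
```

A window that opens with no ISAKMP-SA present and closes only after a manual restart matches the symptom in the post: the phase 2 SAs ran out with no phase 1 SA left to rekey them.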

