Netgate Discussion Forum

2.0RC1 IPSEC SA (Phase2) Lifetime != Expiration

IPsec · 5 Posts · 3 Posters · 7.6k Views
don.key

Hi,

I am having a little problem here:

I need to link a pfSense 2.0 RC1 firewall to a Sonicwall box. The link does come up clean and the VPN works, but then the pfSense box decides to re-negotiate the SAs because "IPsec-SA expired" before the end of its given lifetime is reached. This does not sit well with the Sonicwall, and the link goes out until the Phase 1 timeout is reached and the link is re-negotiated completely from both sides; then everything works, until the same SA issue comes up.

Looking at the logs I discovered that although the lifetimes of both Phase 1 and Phase 2 are set to 28800 (8 hours), pfSense always decides that it is time to re-negotiate the SA (IPsec-SA expired) after about 6 hours 30 minutes. This is also the case if the Phase 1 timeout is set higher, to something like 24 hours; pfSense will always re-negotiate the SA earlier than the given lifetime.

Why doesn't the pfSense machine comply with the SA lifetime statement?

Is that a 2.0 bug or some other issue?

Thanks!
don.key

Hi,

Ok, I think I found the reason for the problem, or better to say two reasons:

1. The soft lifetime of the SA is always 5760 seconds before the expiration of the hard lifetime of 28800 seconds. This sounds rather steep to me; Juniper, for example, sets around 100 seconds as the soft offset. Can I somehow adjust this?

2. When the soft limit is reached, pfSense seems to create a new SA but keep the old one, and since "Prefer older IPsec SAs" is on, traffic flows via the old SA until it expires. Unfortunately it looks like Sonicwalls prefer new SAs.
fthomasr

I deployed 2.0RC3 myself yesterday for the first time, with a site-to-site tunnel to a Sonicwall Pro 2040. After the 2nd or 3rd lifetime expiry, no traffic would go across the tunnel even though the tunnel was up. I have Phase 1 and Phase 2 lifetimes at 28800, just as I have 43 other Sonicwalls connected to this 2040 with no problems for 6 years now. The only way to get it going (again, the tunnel WAS up, just no traffic) was to restart IPsec, then re-establish the tunnel manually. I too have noticed that while Phase 1 is expiring at 8 hours to the second, Phase 2 is expiring every 6 hours and 20 minutes (although when it negotiates a new Phase 1 it tears down the tunnel and also renegotiates Phase 2). Why?
stemond

Hey guys,

I have the same lifetime issue with pfSense 2.0RC3.
Have you found any solutions?!
Why does pfSense expire before the 28800 sec. lifetime on Phase 1?

Thanks to all,
Stefano
fthomasr

I found that it doesn't matter. I have 7 pfSense routers all working perfectly now. I found that I needed to uncheck 'Prefer Old IPsec SAs'.
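The figures in this thread fit together: a soft lifetime 5760 s before a 28800 s hard expiry means the rekey fires at 23040 s, i.e. 6h24m, which is where the "6 hours 20 minutes" and "about 6 hours 30 minutes" observations land. The Python model below is an added example and is not pfSense or racoon code; the 80% soft-lifetime ratio, the rule that a new SA is negotiated when the current one hits its soft lifetime, and the reduction of "Prefer Old IPsec SAs" to a per-peer choice of which live SA to transmit on are assumptions taken from the posts above, not from any implementation. It computes the SA generation schedule and how many seconds per day two peers with mismatched preferences would be transmitting on different SAs, which is the overlap window the fix in the last post removes.

```python
"""Model of the phase-2 rekey timing discussed in this thread.

Added example, not pfSense or racoon code. Assumptions (taken from the
figures posted in the thread, not from an implementation):
  - soft lifetime = 80% of hard lifetime (5760 s before a 28800 s expiry)
  - a new SA generation is negotiated when the current one reaches soft expiry
  - "prefer old" / "prefer new" only decides which live SA a peer transmits on
"""

HARD_LIFETIME = 28800   # seconds, the value configured by the posters
SOFT_RATIO = 0.8        # assumed: soft expiry at 80% of the hard lifetime


def soft_lifetime(hard, ratio=SOFT_RATIO):
    """Seconds after creation at which the rekey (soft expiry) fires."""
    return int(hard * ratio)


def hms(seconds):
    """Format a duration as e.g. '6h24m' so it can be compared with log timestamps."""
    h, rem = divmod(seconds, 3600)
    return f"{h}h{rem // 60:02d}m"


def rekey_schedule(hard, horizon, ratio=SOFT_RATIO):
    """(created, hard_expiry) for every SA generation created before `horizon`.

    Generation n+1 is created when generation n reaches its soft lifetime, so
    consecutive generations overlap for (hard - soft) seconds.
    """
    gens, t = [], 0
    while t < horizon:
        gens.append((t, t + hard))
        t += soft_lifetime(hard, ratio)
    return gens


def live_sas(gens, now):
    """Generations that have been created and not yet hard-expired at `now`."""
    return [g for g in gens if g[0] <= now < g[1]]


def chosen_sa(gens, now, prefer_old):
    """SA a peer transmits on at `now` under its preference policy (None if no SA)."""
    live = live_sas(gens, now)
    if not live:
        return None
    return min(live) if prefer_old else max(live)   # tuples sort by creation time


def disagreement_seconds(hard, horizon, a_prefer_old, b_prefer_old,
                         ratio=SOFT_RATIO, step=60):
    """Seconds within `horizon` during which the two peers pick different SAs
    for the same direction of traffic, sampled every `step` seconds."""
    gens = rekey_schedule(hard, horizon, ratio)
    return sum(step for now in range(0, horizon, step)
               if chosen_sa(gens, now, a_prefer_old) != chosen_sa(gens, now, b_prefer_old))


if __name__ == "__main__":
    day = 24 * 3600
    print("first rekey after", hms(soft_lifetime(HARD_LIFETIME)))
    for name, a, b in [("prefer-old vs prefer-new", True, False),
                       ("both prefer-new", False, False)]:
        mismatch = disagreement_seconds(HARD_LIFETIME, day, a, b)
        print(f"{name}: {hms(mismatch)} of SA mismatch per day")
```

Under these assumptions the first rekey lands at 6h24m, and a pfSense side set to prefer old SAs against a peer that prefers new ones spends 5760 s per rekey cycle (4h48m per day) transmitting on a different SA than its peer; with both sides choosing the newest SA the mismatch window is zero, which is consistent with unchecking the option clearing the problem.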
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.