2.0RC1 IPSEC SA (Phase2) Lifetime != Expiration



  • Hi,

    I am having a little problem here:

    I need to link a pfsense 2.0 RC1 firewall to a Sonicwall box. The link does come up clean and the VPN works, but then the pfsense box decides to re-negotiate the SAs because "IPsec-SA expired" before the end of its given lifetime is reached. This does not sit well with the Sonicwall and the link goes down until the Phase 1 timeout is reached and the link is re-negotiated completely from both sides; then everything works, until the same SA issue comes up again.

    Looking at the logs I discovered that although the lifetimes of both Phase 1 and Phase 2 are set to 28800 (8 hours), pfsense always decides that it is time to re-negotiate the SA (IPsec-SA expired) after about 6 hours 30 minutes. This is also the case if the Phase 1 timeout is set higher, to something like 24 hours: pfsense will always re-negotiate the SA earlier than the given lifetime.

    Why does the pfsense machine not comply with the SA lifetime setting?

    Is that a 2.0 bug or some other issue?

    Thanks!



  • Hi,

    Ok, I think I found the reason for the problem, or better to say, two reasons:

    1. The soft lifetime of the SA is always 5760 seconds before expiration of the hard lifetime of 28800 seconds. This sounds rather steep to me; Juniper, for example, sets around 100 seconds as the soft offset. Can I somehow adjust this?

    2. When the soft limit is reached, pfsense seems to create a new SA but keep the old one, and since "Prefer older IPsec SAs" is on, traffic flows via the old SA until it expires. Unfortunately it looks like Sonicwalls prefer new SAs.
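
A way to check the first point on the pfsense box itself (added example for this thread, not pfSense or racoon code): `setkey -D` dumps every kernel SA with its `diff`/`hard`/`soft` time lifetimes, and the script below parses such a dump and reports when each SA will be soft-rekeyed and hard-deleted. The dump embedded in the script is constructed, and the field layout follows ipsec-tools `setkey` output as I remember it, so the regexes are an assumption to confirm against a real dump. The 80% figure is also an assumption: as I recall, ipsec-tools racoon installs the soft lifetime at 80% of the negotiated hard lifetime, which is the only thing that reproduces the 5760 s offset mentioned above (28800 - 28800 * 0.8 = 5760) and the roughly 6.5 h rekey seen in the first post.

```python
"""Parse a `setkey -D` style SA dump and report soft/hard lifetimes.

Added example for the thread above, not pfSense/racoon code. SAMPLE_DUMP
is constructed and the line layout is an assumption based on ipsec-tools
setkey output; check it against a real `setkey -D` before relying on it.
"""
import re
from dataclasses import dataclass

# Assumption: racoon (ipsec-tools) sets the kernel soft lifetime to 80% of
# the hard lifetime. 28800 s hard -> 23040 s soft -> rekey 5760 s early,
# which matches the numbers reported in the thread.
SOFT_LIFETIME_RATE_PERCENT = 80

# Constructed sample; addresses, SPIs, keys and timestamps are made up.
SAMPLE_DUMP = """\
10.0.0.1 10.0.0.2
\tesp mode=tunnel spi=123456789(0x075bcd15) reqid=16385(0x00004001)
\tE: aes-cbc  0123456789abcdef 0123456789abcdef
\tA: hmac-sha1 0123456789abcdef 0123456789abcdef 01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jun 14 08:00:00 2011\tcurrent: Jun 14 14:00:00 2011
\tdiff: 21600(s)\thard: 28800(s)\tsoft: 23040(s)
\tlast: Jun 14 13:59:59 2011\thard: 0(s)\tsoft: 0(s)
\tcurrent: 1234(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 12\thard: 0\tsoft: 0
\tsadb_seq=1 pid=1234 refcnt=1
10.0.0.2 10.0.0.1
\tesp mode=tunnel spi=987654321(0x3ade68b1) reqid=16385(0x00004001)
\tE: aes-cbc  fedcba9876543210 fedcba9876543210
\tA: hmac-sha1 fedcba9876543210 fedcba9876543210 76543210
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Jun 14 08:00:00 2011\tcurrent: Jun 14 14:00:00 2011
\tdiff: 21600(s)\thard: 28800(s)\tsoft: 23040(s)
\tlast: Jun 14 13:59:59 2011\thard: 0(s)\tsoft: 0(s)
\tcurrent: 4321(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 12\thard: 0\tsoft: 0
\tsadb_seq=0 pid=1234 refcnt=1
"""

# An SA block starts with an unindented "src dst" line; its fields are tab-indented.
SA_HEADER = re.compile(r"^(\S+) (\S+)$")
SPI_LINE = re.compile(r"spi=(\d+)\(")
# Only the time-lifetime line starts with "diff:"; the byte/use lines do not.
TIME_LIFETIME = re.compile(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")


@dataclass
class SaLifetime:
    src: str
    dst: str
    spi: int
    elapsed: int   # seconds since the SA was created ("diff")
    hard: int      # hard lifetime in seconds (0 = unlimited)
    soft: int      # soft lifetime in seconds (0 = unlimited)

    def rekey_in(self) -> int:
        """Seconds until the soft limit fires and racoon negotiates a new SA."""
        return max(self.soft - self.elapsed, 0)

    def dies_in(self) -> int:
        """Seconds until the hard limit removes this SA from the kernel."""
        return max(self.hard - self.elapsed, 0)

    def soft_ratio(self) -> float:
        """soft/hard, rounded; 0.8 is the ratio assumed for racoon."""
        return round(self.soft / self.hard, 3) if self.hard else 0.0


def parse_sa_dump(text: str) -> list[SaLifetime]:
    """Return one SaLifetime per SA block found in a setkey -D dump."""
    sas: list[SaLifetime] = []
    current = None
    for line in text.splitlines():
        if not line.startswith("\t"):
            m = SA_HEADER.match(line)
            if m:
                current = SaLifetime(m.group(1), m.group(2), 0, 0, 0, 0)
                sas.append(current)
            continue
        if current is None:
            continue
        if m := SPI_LINE.search(line):
            current.spi = int(m.group(1))
        elif m := TIME_LIFETIME.search(line):
            current.elapsed, current.hard, current.soft = map(int, m.groups())
    return sas


def expected_soft_offset(hard: int, rate_percent: int = SOFT_LIFETIME_RATE_PERCENT) -> int:
    """Seconds before hard expiry at which the soft limit is expected to fire."""
    return hard - hard * rate_percent // 100


def report(sas: list[SaLifetime]) -> list[str]:
    """One human-readable line per SA."""
    return [
        f"{sa.src}->{sa.dst} spi={sa.spi:#010x} soft/hard={sa.soft}/{sa.hard}s "
        f"(ratio {sa.soft_ratio()}) rekey in {sa.rekey_in()}s, delete in {sa.dies_in()}s"
        for sa in sas
    ]


if __name__ == "__main__":
    for line in report(parse_sa_dump(SAMPLE_DUMP)):
        print(line)
    print("hard 28800 s -> soft limit fires", expected_soft_offset(28800), "s early")
```

On a live box, feed the real dump in (for example `setkey -D | python3 this_script.py` with `SAMPLE_DUMP` swapped for `sys.stdin.read()`) and compare the `soft` column with what the peer expects; if the ratio is 0.8 regardless of the configured lifetime, the early "IPsec-SA expired" is the soft limit, not a miscounted hard lifetime.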



  • I deployed 2.0RC3 myself yesterday for the first time, with a site-to-site tunnel to a Sonicwall Pro 2040. After the 2nd or 3rd lifetime expiry, no traffic would go across the tunnel even though the tunnel was up. I have Phase 1 and Phase 2 lifetimes at 28800, just as I have 43 other Sonicwalls connected to this 2040 with no problems for 6 years now. The only way to get it going (again, the tunnel WAS up, just no traffic) was to restart IPsec, then re-establish the tunnel manually. I too have noticed that while Phase 1 is expiring at 8 hours to the second, Phase 2 is expiring every 6 hours and 20 minutes (although when it negotiates a new Phase 1 it tears down the tunnel and also renegotiates Phase 2). Why?



  • Hey guys,

    I have the same lifetime issue with pfsense 2.0RC3.
    Have you found any solutions?
    Why does pfsense expire before the 28800 sec. lifetime on Phase 1?

    thanks to all
    Stefano



  • I found that it doesn't matter. I have 7 pfsense routers all working perfectly now. I found that I needed to uncheck 'Prefer Old IPsec SAs'.

