Netgate Discussion Forum

    IPSec Mobile Client, 2nd time connecting, no net connectivity.

kristiandg:

Good afternoon all.  First off, yeah, yeah, I know - I should be using OpenVPN.  But hey, these are devices that only have an IPsec VPN client built into them - so I have no choice but to use IPsec.  ;)

OK, so this device is an IP phone with the VPN client built in.  It establishes the tunnel and everything works properly.  Now, let's say I pull the power on the phone, or I have an internet hiccup (nooooo, that almost never happens).  All future attempts to connect to the VPN server on pfSense act like it's fine, but there is no network connectivity.  From the logs it looks like the phone isn't responding back to a request the firewall put out right at Phase 2.  However, what ALWAYS fixes it is rebooting the firewall - I just tested, and stopping/starting the IPsec service fixes it too.  Once that happens, I'm good for 1 more connection attempt (and it works) - any loss of that session and I'm screwed until I bounce the service or firewall again.  I've tried using DPD, and made it extremely sensitive (no response in 10 seconds, 2 attempts before drop) - no effect - I've also tried disabling it.  :(

      To do some additional experimentation, I lowered the key lifetime for both phases to 60 seconds.  Turns out, on the good connection, once it expires, it can't refresh.  My good connection was dropped with several of the following errors:
      Sep 5 18:29:36 racoon: ERROR: failed to begin ipsec sa negotication.
      Sep 5 18:29:36 racoon: ERROR: no configuration found for 174.103.158.42 (my IP phone's public address).

So, I then made the Phase 1 a 28800 lifetime (leaving P2 at 60 seconds).  Now the connection lasts longer than 60 seconds, but the original problem exists (bouncing the peer makes it think it connected, but with no passing of data).

      Attached are logs of both a good connection and a failed repeat connection.

Anyone have any thoughts?  We've been anxiously awaiting the release of pfSense 2.0, specifically for this need (it supports XAUTH and MODE CONFIG, which I haven't found in any other decent firewall software - are there any other decent ones?  I think not).  ;)

      I'm leaning towards this being a bug, but am not exactly sure how to go about reporting it, and what data is needed, as I'm relatively new to both the forum and the product.

      Thx.

      ![VPN - Good Connection.jpg](/public/imported_attachments/1/VPN - Good Connection.jpg)
      ![VPN - Failed Connection.jpg](/public/imported_attachments/1/VPN - Failed Connection.jpg)

eri--:

What is your IPsec Policy generation setting?
Does it work if you set it to unique?

kristiandg:

> @ermal:
>
> What is your IPsec Policy generation setting?
> Does it work if you set it to unique?

          It was on DEFAULT.  I've now switched it to Unique and will test.  What would that setting be for?  And if it would normally be Unique, wouldn't that be the default?  ;)

As a side note, I've also noticed that when that mobile connection is in use, the status shows disconnected.  Not sure if it's supposed to indicate that someone is using the mobile VPN policy or not, but thought I'd pass that along.

          Thx.

kristiandg:

> @kristiandg:
>
> > @ermal:
> >
> > What is your IPsec Policy generation setting?
> > Does it work if you set it to unique?
>
> It was on DEFAULT.  I've now switched it to Unique and will test.  What would that setting be for?  And if it would normally be Unique, wouldn't that be the default?  ;)
>
> As a side note, I've also noticed that when that mobile connection is in use, the status shows disconnected.  Not sure if it's supposed to indicate that someone is using the mobile VPN policy or not, but thought I'd pass that along.

            OK, I've tested (as best I can from remote - I've bounced the phone several times).  Phone tunnels right back in.  Seems to be working great.  You're AWESOME!!!!!

            So, now I am even more curious on the nature of that setting.

            Thx.

kristiandg:

So, can someone shed some light on that setting - what's its value?  (As I would think you'd always want Unique - thus I would have expected that to be the default.)

              Thx.
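The "Policy generation" choice eri-- asks about is written into the mobile-client `remote` block of racoon.conf as the `generate_policy` directive. The fragment below is an added illustration, not the poster's configuration or pfSense's actual generated file: the surrounding directives are assumed typical values for an XAUTH/mode-config road-warrior setup, and the assumption is that pfSense's "Default" choice yields racoon's plain `on` behaviour. As racoon's manual describes it, `on` lets the responder create an SPD entry from the client's Phase 2 proposal, while `unique` additionally binds each generated policy to its own SA, so a client that reconnects with the same selectors after an abrupt drop gets a fresh policy instead of matching the stale one left behind by the dead session.

```conf
# Added example (not pfSense-generated): mobile-client remote block.
remote anonymous {
    exchange_mode aggressive;
    passive on;                 # responder only: clients initiate
    my_identifier address;
    proposal_check obey;
    nat_traversal on;
    mode_cfg on;                # hand out client addresses (MODE CONFIG)
    dpd_delay 10;               # DPD as described in the thread
    dpd_maxfail 2;
    lifetime time 28800 sec;    # Phase 1 lifetime used in the thread

    # Weak setting (assumed equivalent of pfSense "Default"):
    # a stale SPD entry from a dropped session can be matched again
    # by the next connection from the same peer.
    # generate_policy on;

    # Corrected setting (pfSense "Unique"): each negotiated SA gets
    # its own SPD entry, so a reconnecting peer is never matched
    # against the old session's policy.
    generate_policy unique;

    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
}
```

After changing the setting, a restart of the IPsec service (as the poster did) is what flushes any policies the old session left in the SPD.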

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.