IPSec Road Warrior re-authentication interval



  • Hi,

I googled, searched the forum - perhaps I don't know the precise terms to search because I came up empty-handed.

    I have road warrior up and running between 2.0.1-RELEASE (amd64) and Lion 10.7.3. Xauth authentication, password stored locally - does not ask for password on connect. Everything works fine, except for one very annoying thing: Approx every 45 minutes (sometimes 48 mins, sometimes 1 hour), a window pops up and asks me to re-enter my password. How do I disable this behavior? If I connect, I want to stay connected without entering password until I manually disconnect.

    Thanks!


  • Rebel Alliance Developer Netgate

    You might try increasing the P1/P2 lifetime values to see if that affects it. I'm not sure why it would force you to log back in when it re-keys, but that's the only thing I can think of that's on a timer in the default setup.



  • I have the same exact problem, on the same exact setup – have you been able to solve this annoying issue?

    This is a blocker for using ipsec on mobile client -- I can't ask users to have to re-auth every 40 mins (et al) ... what is this issue? is it a bug?



  • Has anyone made progress with this? Does increasing the lifetime fix it?



  • Changing the lifetime appears to have no effect.

    pfSense 2.0.1
    OS X 10.8.2



  • Does anyone out there have mobile clients working with either iOS or OS X clients which stay connected for long periods of time (rekey correctly)? If so could you post your config.

    Mine is:

    remote anonymous
    {
            ph1id 2;
            exchange_mode aggressive;
            my_identifier address x.x.x.x;
            peers_identifier keyid tag "...";
            ike_frag on;
            generate_policy = unique;
            initial_contact = off;
            nat_traversal = on;
    
            dpd_delay = 10;
            dpd_maxfail = 5;
            support_proxy on;
            proposal_check claim;
            passive on;
    
            proposal
            {
                    authentication_method xauth_psk_server;
                    encryption_algorithm aes 128;
                    hash_algorithm sha1;
                    dh_group 2;
                    lifetime time 28800 secs;
            }
    }
    
    sainfo   anonymous
    {
            remoteid 2;
            encryption_algorithm aes 128;
            authentication_algorithm hmac_sha1;
    
            lifetime time 3600 secs;
            compression_algorithm deflate;
    }
    mode_cfg
    {
            auth_source system;
            group_source system;
            pool_size 253;
            network4 192.168.103.1;
            netmask4 255.255.255.0;
            split_network include x.x.x.x/24;
            dns4 x.x.x.x;
            default_domain "x.x.x";
            split_dns "x.x.x";
            banner "/var/etc/racoon.motd";
            save_passwd on;
    }
    
    
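To make the timers in a racoon configuration like the one above easy to compare against the observed re-prompt interval, here is a small added example (not code from the post or from pfSense) that parses racoon.conf's brace/semicolon syntax and pulls out the phase 1 and phase 2 lifetimes (normalised to seconds) and the DPD timeout. The embedded config is condensed from the posted one, with the same placeholder values; the function and variable names are my own.

```python
import re

# Condensed from the racoon.conf posted above; x.x.x.x placeholders kept as-is.
RACOON_CONF = """
remote anonymous
{
        ph1id 2;
        exchange_mode aggressive;
        my_identifier address x.x.x.x;
        peers_identifier keyid tag "...";
        generate_policy = unique;
        nat_traversal = on;
        dpd_delay = 10;
        dpd_maxfail = 5;
        passive on;
        proposal
        {
                authentication_method xauth_psk_server;
                encryption_algorithm aes 128;
                hash_algorithm sha1;
                dh_group 2;
                lifetime time 28800 secs;   # phase 1 (ISAKMP SA)
        }
}
sainfo   anonymous
{
        remoteid 2;
        encryption_algorithm aes 128;
        authentication_algorithm hmac_sha1;
        lifetime time 3600 secs;            # phase 2 (IPsec SA)
}
mode_cfg
{
        auth_source system;
        save_passwd on;
}
"""

# racoon lifetime units (seconds); "time N <unit>" is the only form handled here.
UNIT_SECONDS = {"sec": 1, "secs": 1, "min": 60, "mins": 60, "hour": 3600, "hours": 3600}


def _tokenize(text):
    """Drop '#' comments, then split into quoted strings, braces, ';', '=' and words."""
    text = re.sub(r"#.*", "", text)
    return re.findall(r'"[^"]*"|[{};=]|[^\s{};=]+', text)


def _parse_block(tokens, pos):
    """Parse statements up to the matching '}' (or end of input).

    Returns (dict, pos). Simple statements map the first word to the remaining
    words; nested blocks map their header (e.g. 'remote anonymous') to a list
    of dicts, since racoon allows several blocks with the same header.
    """
    block = {}
    while pos < len(tokens) and tokens[pos] != "}":
        words = []
        while pos < len(tokens) and tokens[pos] not in (";", "{"):
            if tokens[pos] != "=":          # 'key = value;' and 'key value;' are equivalent
                words.append(tokens[pos].strip('"'))
            pos += 1
        if pos >= len(tokens):
            raise ValueError("unterminated statement: %r" % " ".join(words))
        if tokens[pos] == "{":
            sub, pos = _parse_block(tokens, pos + 1)
            block.setdefault(" ".join(words), []).append(sub)
            pos += 1                         # skip the closing '}'
        else:
            block[words[0]] = words[1:]
            pos += 1                         # skip the ';'
    return block, pos


def parse_racoon_conf(text):
    conf, _ = _parse_block(_tokenize(text), 0)
    return conf


def lifetime_seconds(stmt):
    """Convert a parsed 'lifetime time N unit' statement to seconds."""
    if len(stmt) != 3 or stmt[0] != "time":
        raise ValueError("unsupported lifetime statement: %r" % (stmt,))
    return int(stmt[1]) * UNIT_SECONDS[stmt[2]]


def rekey_timers(conf):
    """Collect every periodic timer in the config that could surface to the client."""
    remote = conf["remote anonymous"][0]
    proposal = remote["proposal"][0]
    sainfo = conf["sainfo anonymous"][0]
    return {
        "phase1_lifetime": lifetime_seconds(proposal["lifetime"]),
        "phase2_lifetime": lifetime_seconds(sainfo["lifetime"]),
        # DPD declares the peer dead after dpd_maxfail unanswered probes, dpd_delay apart.
        "dpd_timeout": int(remote["dpd_delay"][0]) * int(remote["dpd_maxfail"][0]),
    }


if __name__ == "__main__":
    for name, secs in sorted(rekey_timers(parse_racoon_conf(RACOON_CONF)).items()):
        print("%-16s %6d s  (%.1f min)" % (name, secs, secs / 60.0))
```

Run against the posted values this reports a phase 1 lifetime of 28800 s (8 h), a phase 2 lifetime of 3600 s (60 min) and a DPD timeout of 50 s, so the only timer in that config whose period is anywhere near the 45-60 minute interval reported in the thread is the phase 2 lifetime; whether a phase 2 rekey is what triggers the XAuth prompt is exactly what the thread is trying to establish, and the script only makes the candidate timers explicit.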


  • hey guys,
    any news about this issue?

    I have the same problem
    pfsense 2.1 Beta0
    OS X clients 10.7.5 and 10.8.1



  • From the reading I've been doing this has to do with the way Apple has OS X set up. They require that the IPSec server specify that the client doesn't need to attempt reauthentication when rekeying. I'm guessing that the devs would have to patch racoon to do this, since I don't think it has this functionality by default.

