Netgate Discussion Forum
    IPSEC lifetime issue

    6 Posts 4 Posters 11.7k Views
      sbenninger

      Hello Everyone,

      I have searched for the solution to this for several weeks now and I have come up dry. I have 1.2RC2 running on a Soekris net5501 embedded platform. Everything works well except when the VPN expires. When the tunnel's lifetime expires, the tunnel will not come back up unless I restart (disable/enable) IPsec or reboot the box. The other endpoint is a Cisco 3005 VPN concentrator. There are many tunnels working on the Cisco (including 2 other pfSense tunnels). I have tried changing the Phase 1/Phase 2 lifetimes, but I still get the errors below when the lifetime expires. No other errors in the log. Very strange.

      x.x.x.x = Cisco 3005
      y.y.y.y = pfSense
      Nov 6 05:54:19 racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
      Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=262472347(0xfa5029b)
      Nov 6 05:53:49 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
      Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=1198139406(0x476a280e)

      Are there any rules required to be added on the pfSense to make the tunnel renew itself properly? I have tried allowing ANY from my other endpoint (x.x.x.x) to the WAN interface, and I have the default LAN->any rule enabled. I have searched through the logs for the x.x.x.x IP to show up in an error somewhere, but the only thing I see are the above logs.

      I have found other people have had success by changing the lifetimes etc. I left it blank initially (28800/28800), and then I tried 86400/86400 and also 28800/86400, but still the same thing.

      Any thoughts/suggestions? I am all ears. I will try anything at this point.

      Thanks All!!

      Scott

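The log excerpt above shows the failure pattern in its entirety: both ESP SAs expire, racoon starts a new phase 2 negotiation, and 30 seconds later it gives up without ever logging a replacement SA. The script below is an added example, not code from the original post or from pfSense/racoon: it walks racoon syslog lines and pairs every "IPsec-SA expired" event with the matching "IPsec-SA established" for the same direction, so a rekey that never completed (or that ended in "give up to get IPsec-SA") stands out. The sample log is constructed: it contains the lines quoted in the post plus an earlier, successful rekey with invented SPIs for contrast. The "IPsec-SA established" message text and the year-less syslog timestamp format are assumptions about racoon's normal output.

```python
"""Spot IPsec phase 2 rekeys that never completed in racoon syslog output.

A healthy lifetime expiry looks like: "IPsec-SA expired" for each direction,
"initiate new phase 2 negotiation", then "IPsec-SA established" for each
direction with a new SPI. The failure in the thread is an expiry followed by
"give up to get IPsec-SA due to time up to wait" and no new SA.
"""
import re
from datetime import datetime

# Constructed sample log: the lines quoted in the post plus an earlier,
# successful rekey (SPIs invented) so both outcomes are visible.
SAMPLE_LOG = """\
Nov 6 01:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=11111111(0xa98ac7)
Nov 6 01:53:49 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
Nov 6 01:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=44444444(0x2a62b1c)
Nov 6 01:53:50 racoon: INFO: IPsec-SA established: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=22222222(0x153158e)
Nov 6 01:53:50 racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=33333333(0x1fca055)
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=262472347(0xfa5029b)
Nov 6 05:53:49 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=1198139406(0x476a280e)
Nov 6 05:54:19 racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
"""

TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
SA_EVENT = re.compile(
    r"IPsec-SA (expired|established): ESP/Tunnel "
    r"([^\s\[]+)\[\d+\]->([^\s\[]+)\[\d+\] spi=\d+\((0x[0-9a-f]+)\)"
)
GIVE_UP = re.compile(r"ERROR: (\S+) give up to get IPsec-SA")


def parse_ts(line):
    # Syslog timestamps carry no year; the default (1900) is fine for
    # ordering events within a single log (assumption: no year rollover).
    m = TS.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def analyze(log_text):
    """Return one record per expired SA: rekeyed, failed, or still pending."""
    pending = {}   # (src, dst) -> record awaiting a replacement SA
    records = []
    for line in log_text.splitlines():
        ts = parse_ts(line)
        m = SA_EVENT.search(line)
        if m:
            kind, src, dst, spi = m.groups()
            key = (src, dst)
            if kind == "expired":
                rec = {"direction": f"{src}->{dst}", "expired_at": ts,
                       "old_spi": spi, "new_spi": None, "status": "pending",
                       "seconds": None}
                pending[key] = rec
                records.append(rec)
            elif key in pending:
                # A new SA for a direction we were waiting on: rekey succeeded.
                rec = pending.pop(key)
                rec.update(status="rekeyed", new_spi=spi,
                           seconds=(ts - rec["expired_at"]).total_seconds())
            continue
        m = GIVE_UP.search(line)
        if m:
            # racoon names the peer it gave up on; fail every SA with that peer.
            peer = m.group(1)
            for key in [k for k in pending if peer in k]:
                rec = pending.pop(key)
                rec.update(status="failed",
                           seconds=(ts - rec["expired_at"]).total_seconds())
    return records


def failed_rekeys(log_text):
    return [r for r in analyze(log_text) if r["status"] == "failed"]


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"{r['direction']:<20} {r['status']:<8} old={r['old_spi']} "
              f"new={r['new_spi']} after={r['seconds']}s")
```

Run against a real racoon log, a record left in "pending" at the end of the file means the log stopped before the outcome was known; a "failed" record with a 30 second gap is the symptom in this thread, and its direction tells you which side's proposal the peer is not answering.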
        fastcon68

        I am using 28800/86400 on this build: 1.2-RC3 built on Thu Oct 18 15:19:54 EDT 2007. I am not having any issues.
        RC


          heiko

          I'm using 28800/86400 too, without any issues. Please also check your firewall logs for blocked ports, for example UDP 500 and ESP from WAN.


            sbenninger

            Thanks for the replies!

            I have an 'any' port/proto rule that allows all traffic from the Cisco IP (x.x.x.x) to the external WAN interface on the pfSense. Is there something other than the WAN interface that I should allow the traffic to?

            Also, the VPN was down again overnight. I noticed this morning that the Cisco does not have the tunnel listed as active, but the pfSense still has its SAD entries, so it thinks the tunnels are still alive.

            Thanks again!

            Scott


              sbenninger

              I solved the problem. There was a troublesome Checkpoint VPN client behind the pfSense that required some tweaking to get working. Those tweaks broke the main IPsec connection. I removed the rules I had in place for the Checkpoint client and all is well.

              Thanks!!


                AndrewBorem

                (I know this is old, but it is exactly the problem I am having.)

                I am running pfSense 1.2, connecting to a Netgear FVS124. The connection works perfectly until the SA times out. Basically, the exact same problem that was described above. A reboot of pfSense takes care of the problem.

                Any other suggestions? (I checked the firewall logs; UDP 500 and ESP are getting through fine.)

                EDIT-

                Semi-resolved. Turns out the problem is the Netgear firewall. Will be replacing it with pfSense on Saturday. OpenVPN is far superior.
