IPSEC lifetime issue



  • Hello Everyone,

    I have searched for the solution to this for several weeks now and I have come up dry. I have 1.2RC2 running on a Soekris net5501 embedded platform. Everything works well except when the VPN expires. When the tunnel's lifetime expires the tunnel will not come back up unless I restart (disable/enable) IPsec or reboot the box. The other endpoint is a Cisco 3005 VPN concentrator. There are many tunnels working on the Cisco (including 2 other pfSense tunnels). I have tried changing the Phase 1/2 lifetimes but I still get the errors below when the lifetime expires. No other errors in the log. Very strange.

    x.x.x.x = Cisco 3005
    y.y.y.y = pfSense
    Nov 6 05:54:19 racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
    Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=262472347(0xfa5029b)
    Nov 6 05:53:49 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
    Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=1198139406(0x476a280e)

    Are there any rules required to be added on the pfSense to make the tunnel renew itself properly? I have tried allowing ANY from my other endpoint (x.x.x.x) to the WAN interface and I have the default LAN->any rule enabled. I have searched through the logs for the x.x.x.x IP to show up in an error somewhere but the only thing I see are the above logs.

    I have found other people have had success by changing the lifetimes etc. I left it blank initially (28800/28800) and then I tried 86400/86400 and also 28800/86400 but still the same thing.

    Any thoughts/suggestions? I am all ears. I will try anything at this point.

    Thanks All!!

    Scott
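
As an added example (not part of this thread), here is a small Python checker that reads racoon log lines like the ones quoted above, puts them back into chronological order (the pfSense log viewer shows newest first) and reports a phase 2 rekey that was started after an SA expiry but ended in "give up" with no "IPsec-SA established" line in between. The sample log is constructed; the "established" line, the 2007 year and the peer-address matching are assumptions, not something the original poster showed.

```python
import re
from datetime import datetime

# Constructed sample modelled on the lines quoted in the post, newest first
# as the pfSense log viewer shows them. The 01:53 rekey is assumed to have
# succeeded; the 05:53 one is the failure the poster describes.
SAMPLE_LOG = """\
Nov 6 05:54:19 racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x[0]->y.y.y.y[0] spi=262472347(0xfa5029b)
Nov 6 05:53:49 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=1198139406(0x476a280e)
Nov 6 01:53:20 racoon: INFO: IPsec-SA established: ESP/Tunnel y.y.y.y[0]->x.x.x.x[0] spi=1198139406(0x476a280e)
Nov 6 01:53:19 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) racoon: (\w+): (.*)$")
INITIATE_RE = re.compile(r"initiate new phase 2 negotiation: \S+\[\d+\]<=>(\S+)\[\d+\]")
ESTABLISHED_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)\[\d+\]->(\S+)\[\d+\]")
GIVEUP_RE = re.compile(r"^(\S+) give up to get IPsec-SA")

def parse(log_text, year=2007):
    """Return (timestamp, level, message) tuples in chronological order.
    Syslog lines carry no year, so one is supplied (assumed 2007 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp_text = " ".join(m.group(1).split())  # collapse 'Nov  6' to 'Nov 6'
        stamp = datetime.strptime(f"{year} {stamp_text}", "%Y %b %d %H:%M:%S")
        events.append((stamp, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events

def find_failed_rekeys(log_text, year=2007):
    """Return [(peer, initiated_at, gave_up_at)] for each phase 2 negotiation
    that racoon started but abandoned before any SA was established."""
    pending = {}   # peer address -> time of its outstanding phase 2 initiation
    failures = []
    for stamp, _level, msg in parse(log_text, year):
        if m := INITIATE_RE.search(msg):
            pending[m.group(1)] = stamp
        elif m := ESTABLISHED_RE.search(msg):
            # racoon logs one line per direction; whichever side is the peer clears it
            for addr in m.groups():
                pending.pop(addr, None)
        elif m := GIVEUP_RE.match(msg):
            peer = m.group(1)
            if peer in pending:
                failures.append((peer, pending.pop(peer), stamp))
    return failures
```

Pointing this at the IPsec log on a schedule gives an alert for a stuck rekey before users notice the tunnel is down.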



  • I am using 28800/86400 on this build: 1.2-RC3 built on Thu Oct 18 15:19:54 EDT 2007. I am not having any issues.
    RC



  • I'm using 28800/86400 too, without any issues. Please also check your firewall logs for blocked ports, for example UDP 500 from WAN and ESP from WAN.



  • Thanks for the replies!

    I have an 'any' port/proto rule that allows all traffic from the Cisco IP (x.x.x.x) to the external WAN interface on the pfSense. Is there something other than the WAN interface that I should allow the traffic to?

    Also, the VPN was down again overnight. I noticed this morning that the Cisco does not have the tunnel listed as active but the pfSense still has its SAD entries, so it thinks the tunnels are still alive.

    Thanks again!

    Scott



  • I solved the problem. There was a troublesome Checkpoint VPN client behind the pfSense that required some tweaking to get working. Those tweaks broke the main IPSEC connection. I removed the rules I had in place for the checkpoint client and all is well.

    Thanks!!



  • (I know this is old, but it is exactly the problem I am having.)

    I am running pfSense 1.2, connecting to a Netgear FVS124. The connection works perfectly until the SA times out. Basically, the exact same problem that was described above. A reboot of pfSense takes care of the problem.

    Any other suggestions? (Checked the firewall logs. UDP 500 and ESP are getting through fine.)

    EDIT-

    Semi-resolved. Turns out the problem is the Netgear firewall. Will be replacing it with pfSense on Saturday. OpenVPN is far superior.

