IPSEC lifetime issue
I have searched for the solution to this for several weeks now and I have come up dry. I have 1.2RC2 running on a Soekris net5501 embedded platform. Everything works well except when the VPN expires. When the tunnel's lifetime expires, the tunnel will not come back up unless I restart (disable/enable) IPsec or reboot the box. The other endpoint is a Cisco 3005 VPN concentrator. There are many tunnels working on the Cisco (including 2 other pfSense tunnels). I have tried changing the Phase 1/2 lifetimes but I still get the errors below when the lifetime expires. No other errors in the log. Very strange.
x.x.x.x = Cisco 3005
y.y.y.y = pfSense
Nov 6 05:54:19 racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x->y.y.y.y spi=262472347(0xfa5029b)
Nov 6 05:53:49 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y<=>x.x.x.x
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y->x.x.x.x spi=1198139406(0x476a280e)
Are there any rules required to be added on the pfSense to make the tunnel renew itself properly? I have tried allowing ANY from my other endpoint (x.x.x.x) to the WAN interface and I have the default LAN->any rule enabled. I have searched through the logs for the x.x.x.x IP to show up in an error somewhere, but the only thing I see are the above logs.
I have found other people have had success by changing the lifetimes etc. I left it blank initially (28800/28800) and then I tried 86400/86400 and also 28800/86400, but still the same thing.
Any thoughts/suggestions? I am all ears. I will try anything at this point.
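A small log-correlation script, added here as an example and not part of the original thread or of pfSense/racoon itself: it parses the racoon lines quoted above, pairs each "IPsec-SA expired" / "initiate new phase 2 negotiation" with the later "give up to get IPsec-SA" from the same peer, and reports how long racoon waited for the peer before giving up. The local address (y.y.y.y), the year (syslog lines carry none) and the 300-second correlation window are assumptions; the sample log is the post's four lines embedded inline.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the four racoon lines quoted in the post above, in the
# order the post lists them (newest first). x.x.x.x is the Cisco 3005,
# y.y.y.y is the pfSense box.
SAMPLE_LOG = """\
Nov 6 05:54:19 racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.x->y.y.y.y spi=262472347(0xfa5029b)
Nov 6 05:53:49 racoon: INFO: initiate new phase 2 negotiation: y.y.y.y<=>x.x.x.x
Nov 6 05:53:49 racoon: INFO: IPsec-SA expired: ESP/Tunnel y.y.y.y->x.x.x.x spi=1198139406(0x476a280e)
"""

# Syslog prefix as it appears in the post: "Mon D HH:MM:SS racoon: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
EXPIRED_RE = re.compile(r"IPsec-SA expired: ESP/Tunnel (?P<src>\S+)->(?P<dst>\S+) spi=(?P<spi>\d+)")
INITIATE_RE = re.compile(r"initiate new phase 2 negotiation: (?P<local>\S+)<=>(?P<peer>\S+)")
GIVEUP_RE = re.compile(r"(?P<peer>\S+) give up to get IPsec-SA due to time up to wait")


def parse_racoon_log(text, local_addr, year=2007):
    """Turn raw syslog text into (timestamp, kind, peer, detail) tuples, oldest first.

    Syslog lines carry no year, so the caller supplies one (assumption: every
    line falls in that year). kind is "expired", "initiate" or "giveup";
    detail is the decimal SPI for expired SAs, else None.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line we care about
        ts_text = " ".join(m["ts"].split())  # collapse "Nov  6" style padding
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        e = EXPIRED_RE.search(msg)
        if e:
            # An IPsec SA is one-directional; the peer is whichever end is not us.
            peer = e["dst"] if e["src"] == local_addr else e["src"]
            events.append((ts, "expired", peer, int(e["spi"])))
            continue
        e = INITIATE_RE.search(msg)
        if e:
            events.append((ts, "initiate", e["peer"], None))
            continue
        e = GIVEUP_RE.search(msg)
        if e:
            events.append((ts, "giveup", e["peer"], None))
    events.sort(key=lambda ev: ev[0])  # stable sort: oldest first
    return events


def find_failed_rekeys(events, window_seconds=300):
    """Report peers for which a Phase 2 renegotiation was started after an SA
    expiry and racoon then gave up waiting for the peer's reply.

    Returns one dict per give-up event that can be tied to a rekey attempt
    inside the window (assumed: 300 s is long enough to cover racoon's wait).
    """
    failures = []
    for i, (ts, kind, peer, _) in enumerate(events):
        if kind != "giveup":
            continue
        window_start = ts - timedelta(seconds=window_seconds)
        earlier = [ev for ev in events[:i] if ev[2] == peer and ev[0] >= window_start]
        initiated = [t for (t, k, _p, _d) in earlier if k == "initiate"]
        if not initiated:
            continue  # a give-up with no visible rekey attempt; nothing to correlate
        started = min(initiated)
        failures.append({
            "peer": peer,
            "initiated_at": started,
            "gave_up_at": ts,
            "wait_seconds": int((ts - started).total_seconds()),
            "expired_spis": [d for (_t, k, _p, d) in earlier if k == "expired"],
        })
    return failures


if __name__ == "__main__":
    for f in find_failed_rekeys(parse_racoon_log(SAMPLE_LOG, local_addr="y.y.y.y")):
        print(f"{f['peer']}: rekey started {f['initiated_at']:%b %d %H:%M:%S}, "
              f"gave up after {f['wait_seconds']}s; expired SPIs {f['expired_spis']}")
```

Run against the post's lines it reports a single failed rekey with peer x.x.x.x, both expired SPIs, and a 30-second wait: pfSense initiated Phase 2 as soon as the SAs expired, and the Cisco never answered, which is why a restart (fresh Phase 1) is the only thing that brings the tunnel back. If you feed it the live log, a give-up with no matching "initiate" for that peer points at something other than a rekey, which is worth checking separately in the firewall log (blocked UDP 500 or ESP from the peer).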
fastcon68 last edited by
I am using 28800/86400 on this build: 1.2-RC3 built on Thu Oct 18 15:19:54 EDT 2007. I am not having any issues.
heiko last edited by
I'm using 28800/86400 too, without any issues. Please check also your firewall logs for blocked ports, for example UDP 500 from WAN and ESP from WAN.
Thanks for the replies!
I have an 'any' port/proto rule that allows all traffic from the Cisco IP (x.x.x.x) to the external WAN interface on the pfSense. Is there something other than the WAN interface that I should allow the traffic to?
Also, the VPN was down again overnight. I noticed this morning that the Cisco does not have the tunnel listed as active, but the pfSense still has its SAD entries, so it thinks the tunnels are still alive.
I solved the problem. There was a troublesome Checkpoint VPN client behind the pfSense that required some tweaking to get working. Those tweaks broke the main IPSEC connection. I removed the rules I had in place for the checkpoint client and all is well.
AndrewBorem last edited by
(I know this is old, but it is exactly the problem I am having.)
I am running pfSense 1.2, connecting to a Netgear FVS124. The connection works perfectly until the SA times out. Basically, the exact same problem that was described above. A reboot of pfSense takes care of the problem.
Any other suggestions? (checked the firewall logs. UDP 500 and ESP are getting through fine.)
Semi-resolved. Turns out the problem is the Netgear firewall. Will be replacing it with pfSense on Saturday. OpenVPN is far superior.