Netgate Discussion Forum
    Ipsec with watchguard

      bernikm

      Hi

      We have configured an IPsec site-to-site VPN between pfSense and a WatchGuard appliance.
      Lifetime for Phase 1 is set to 8 hours.
      The VPN works great, but the problem is that pfSense doesn't close idle sessions (when they reach 8 hours) and automatically opens a new one.
      WG purges disconnected 'sessions' after 5 disconnected idle 'sessions', but pfSense doesn't.
      So we have a problem: after 1 week of IPsec connection, pfSense had many 'closed' sessions and IPsec stopped working. We rebooted pfSense and IPsec started working again; it also purged the closed sessions.
      So it seems to me that pfSense doesn't purge 'idle' sessions, and after it reaches some maximum it denies new IPsec connections to the main office.
      How can this be solved? Can we set a maximum number of 'idle' sessions so that pfSense will discard them after 5 of them, like the WG appliance does?

      This is the log I'm getting on pfSense:

      Apr 11 14:25:25 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Apr 11 14:25:25 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
      Apr 11 14:25:22 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
      Apr 11 14:25:12 last message repeated 2 times
      Apr 11 14:24:52 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Apr 11 14:24:52 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
      Apr 11 14:24:39 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
      Apr 11 14:24:29 last message repeated 2 times
      Apr 11 14:24:09 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Apr 11 14:24:09 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
      Apr 11 14:24:05 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
      Apr 11 14:23:56 last message repeated 2 times
      Apr 11 14:23:35 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Apr 11 14:23:35 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
      Apr 11 14:23:21 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
      Apr 11 14:23:11 last message repeated 2 times
      Apr 11 14:22:51 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Apr 11 14:22:51 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
      Apr 11 14:22:35 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
      Apr 11 14:22:25 last message repeated 2 times
      Apr 11 14:22:05 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
      Apr 11 14:22:05 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
      Apr 11 14:21:53 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
      Apr 11 14:21:43 last message repeated 2 times

      racoon: ERROR: pfkey DELETE received: ESP 213.147.104.122[500]->193.41.36.115[500] spi=827365568(0x315098c0)

      Thank you in advance for your help.

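The log in the post above repeats the same three-line block every 40 seconds or so: racoon initiates a new phase 2 negotiation, the peer answers with a NO-PROPOSAL-CHOSEN notify (the ISAKMP notify a responder sends when none of the offered proposals is acceptable to it), and racoon gives up waiting for the IPsec-SA. That pattern is worth detecting on its own, because a tunnel stuck in such a loop looks idle from the outside while the daemon is busy failing. The following is an added example, not code from the thread, pfSense or racoon: a small Python analyzer that parses syslog-style racoon lines, attributes each phase 2 attempt to a peer (the right-hand address of the `<=>` pair, the peer's WAN), and flags a peer whose last `threshold` attempts all ended in NO-PROPOSAL-CHOSEN or an SA-wait timeout without an "IPsec-SA established" line in between. "last message repeated N times" lines are folded into the preceding message. The sample log is constructed for the example with RFC 5737 documentation addresses and mirrors the shape of the post's log (the typo "messsage" is racoon's own spelling); the "IPsec-SA established" line format and the `threshold` default are assumptions. Forum log pastes are usually newest first, as above, so `newest_first=True` reverses the input before analysis.

```python
"""Detect phase 2 renegotiation loops in racoon (ipsec-tools) syslog output.

Added example, not from the thread. Reads lines such as
  Apr 11 14:22:05 racoon: INFO: initiate new phase 2 negotiation: A[500]<=>B[500]
  Apr 11 14:22:05 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
  Apr 11 14:22:25 last message repeated 2 times
  Apr 11 14:22:35 racoon: ERROR: B give up to get IPsec-SA due to time up to wait.
and reports, per peer, how many consecutive phase 2 attempts failed.
"""
import re
from collections import defaultdict

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<body>.*)$")
RACOON_RE = re.compile(r"^racoon: (?P<level>[A-Z]+): (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
INITIATE_RE = re.compile(r"initiate new phase 2 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]")
GIVEUP_RE = re.compile(r"^(?P<peer>[\d.]+) give up to get IPsec-SA")
# Assumed success line format (racoon's "IPsec-SA established: ESP/Tunnel local[500]->peer[500] spi=...").
ESTABLISHED_RE = re.compile(r"IPsec-SA established: \S+ (?P<local>[\d.]+)\[\d+\]->(?P<peer>[\d.]+)\[\d+\]")
NO_PROPOSAL = "NO-PROPOSAL-CHOSEN"


def parse_event(line):
    """Classify one syslog line as (kind, peer, count); peer is None when the message names none."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    rep = REPEAT_RE.match(body)
    if rep:
        return ("repeat", None, int(rep.group("n")))
    r = RACOON_RE.match(body)
    if not r:
        return None
    msg = r.group("msg")
    init = INITIATE_RE.search(msg)
    if init:
        return ("initiate", init.group("peer"), 1)
    if NO_PROPOSAL in msg:
        return ("no_proposal", None, 1)  # notify carries no address; attributed to the last initiated peer
    give = GIVEUP_RE.match(msg)
    if give:
        return ("timeout", give.group("peer"), 1)
    est = ESTABLISHED_RE.search(msg)
    if est:
        return ("established", est.group("peer"), 1)
    return ("other", None, 1)


def analyze(lines, newest_first=False, threshold=3):
    """Return {peer: {attempts, failed_attempts, streak, reasons, looping}} for the given log lines."""
    if newest_first:
        lines = list(reversed(lines))
    stats = defaultdict(lambda: {"attempts": 0, "failed_attempts": 0, "streak": 0, "reasons": {}, "open": False})
    current_peer = None   # peer of the most recent "initiate" line
    last = None           # (kind, peer) of the previous message, for "repeated N times"
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, peer, n = ev
        if kind == "repeat":
            if last is None:
                continue
            kind, peer = last  # the repeated message is the previous one, n more times
        else:
            last = (kind, peer)
        if kind == "initiate":
            current_peer = peer
            s = stats[peer]
            s["attempts"] += n
            s["open"] = True
        elif kind in ("no_proposal", "timeout"):
            peer = peer or current_peer
            if peer is None:
                continue
            s = stats[peer]
            s["reasons"][kind] = s["reasons"].get(kind, 0) + n
            if s["open"]:          # first failure closes the attempt; later ones only add to reasons
                s["open"] = False
                s["failed_attempts"] += 1
                s["streak"] += 1
        elif kind == "established":
            s = stats[peer]
            s["open"] = False
            s["streak"] = 0        # a successful SA breaks the failure streak
    for s in stats.values():
        s.pop("open")
        s["looping"] = s["streak"] >= threshold
    return dict(stats)


def looping_peers(stats):
    """Sorted list of peers currently stuck in a failing renegotiation loop."""
    return sorted(p for p, s in stats.items() if s["looping"])


# Constructed sample, oldest first: one healthy peer, one peer that renegotiated successfully
# once and then failed three attempts in a row, as in the post's log.
SAMPLE_LOG = """\
Apr 11 14:20:00 racoon: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>203.0.113.5[500]
Apr 11 14:20:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.10[500]->203.0.113.5[500] spi=305419896(0x12345678)
Apr 11 14:21:00 racoon: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Apr 11 14:21:01 racoon: INFO: IPsec-SA established: ESP/Tunnel 192.0.2.10[500]->198.51.100.20[500] spi=2271560481(0x87654321)
Apr 11 14:22:05 racoon: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Apr 11 14:22:05 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Apr 11 14:22:25 last message repeated 2 times
Apr 11 14:22:35 racoon: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Apr 11 14:22:51 racoon: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Apr 11 14:22:51 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Apr 11 14:23:11 last message repeated 2 times
Apr 11 14:23:21 racoon: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
Apr 11 14:23:35 racoon: INFO: initiate new phase 2 negotiation: 192.0.2.10[500]<=>198.51.100.20[500]
Apr 11 14:23:35 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Apr 11 14:23:56 last message repeated 2 times
Apr 11 14:24:05 racoon: ERROR: 198.51.100.20 give up to get IPsec-SA due to time up to wait.
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for peer, s in result.items():
        print(peer, s)
    print("looping peers:", looping_peers(result))
```

On the sample, 198.51.100.20 shows 4 attempts, 3 consecutive failed attempts, 9 NO-PROPOSAL-CHOSEN notifies and 3 timeouts, and is reported as looping; 203.0.113.5 is not. In a deployment this is the check to run against `/var/log/ipsec.log` before concluding that sessions are piling up: a steady NO-PROPOSAL-CHOSEN streak from one peer points at the two ends disagreeing on the phase 2 proposal at rekey time, which is a configuration comparison rather than a session-limit question.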
        Zirc75

        Hi,

        I have the same scenario, but my IPsec tunnel is not working. bernikm, can you help me by posting your config?

        Thanks

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.