4. Ipsec with watchguard

Ipsec with watchguard

  • B

    Hi

    We have configured IPSec Site-Site VPN between pfsense and WatchGuard appliance.
    Lifetime for Phase 1 is set to 8 hours.
    VPN works great, but the problem is that pfsense doesn't closes idle sessions (when it reaches 8 hours) and it automatically open new one.
    WG purges disconnected 'sessions' after 5 disconnected idle 'sessions' but pfsense doesn't.
    So we have a problem, after 1 week of IPSec connection, pfsense had many 'closed' sessions and IPSec stops working. We rebooted pfSense and IPsec starts working again, it also purges closed sessions.
    So it seems to me, that pfsense doesn't purge 'idle' sessions, and after it reaches some maximum it denies new IPSec connection to main office.
    How can the be solved - can we set maximum 'idle' sessions so that pfsense will discard them after 5 of them, like WG appliance is doing this ?

    This is the log I'm getting on pfsense

    Apr 11 14:25:25 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:25:25 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:25:22 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:25:12 last message repeated 2 times
    Apr 11 14:24:52 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:24:52 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:24:39 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:24:29 last message repeated 2 times
    Apr 11 14:24:09 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:24:09 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:24:05 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:23:56 last message repeated 2 times
    Apr 11 14:23:35 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:23:35 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:23:21 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:23:11 last message repeated 2 times
    Apr 11 14:22:51 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:22:51 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:22:35 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:22:25 last message repeated 2 times
    Apr 11 14:22:05 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:22:05 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:21:53 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:21:43 last message repeated 2 times

    racoon: ERROR: pfkey DELETE received: ESP 213.147.104.122[500]->193.41.36.115[500] spi=827365568(0x315098c0)

    Thank you in advance for help

    0
  • Z

    Hi,

    I have the same scenario, but my IPSEC tunnel is not working, bernikm can you help me posting your config?

    Thanks

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy