IPsec with WatchGuard



  • Hi

    We have configured IPSec Site-Site VPN between pfsense and WatchGuard appliance.
    Lifetime for Phase 1 is set to 8 hours.
    VPN works great, but the problem is that pfsense doesn't close idle sessions (when it reaches 8 hours) and it automatically opens a new one.
    WG purges disconnected 'sessions' after 5 disconnected idle 'sessions' but pfsense doesn't.
    So we have a problem: after 1 week of IPSec connection, pfsense had many 'closed' sessions and IPSec stops working. We rebooted pfSense and IPsec starts working again, and it also purges closed sessions.
    So it seems to me that pfsense doesn't purge 'idle' sessions, and after it reaches some maximum it denies new IPSec connections to the main office.
    How can this be solved - can we set a maximum of 'idle' sessions so that pfsense will discard them after 5 of them, like the WG appliance does?

    This is the log I'm getting on pfsense:

    Apr 11 14:25:25 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:25:25 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:25:22 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:25:12 last message repeated 2 times
    Apr 11 14:24:52 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:24:52 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:24:39 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:24:29 last message repeated 2 times
    Apr 11 14:24:09 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:24:09 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:24:05 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:23:56 last message repeated 2 times
    Apr 11 14:23:35 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:23:35 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:23:21 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:23:11 last message repeated 2 times
    Apr 11 14:22:51 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:22:51 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:22:35 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:22:25 last message repeated 2 times
    Apr 11 14:22:05 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
    Apr 11 14:22:05 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
    Apr 11 14:21:53 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
    Apr 11 14:21:43 last message repeated 2 times

    racoon: ERROR: pfkey DELETE received: ESP 213.147.104.122[500]->193.41.36.115[500] spi=827365568(0x315098c0)

    Thank you in advance for your help
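As an added example (not part of either post), a small Python checker that runs over racoon lines in the shape posted above and flags a peer whose Phase 2 negotiations keep failing (NO-PROPOSAL-CHOSEN replies or IPsec-SA timeouts) inside a time window, so the renegotiation loop is caught from the log before the tunnel is declared dead. The sample lines are constructed from the posted log (same peer addresses, three cycles, newest first as the pfSense viewer prints them); the 600-second window and threshold of three failures are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three repeats of the cycle in the racoon log posted above, newest
# first as the pfSense log viewer prints them (peer addresses as posted).
SAMPLE_LOG = """\
Apr 11 14:23:35 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Apr 11 14:23:35 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
Apr 11 14:23:21 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
Apr 11 14:23:11 last message repeated 2 times
Apr 11 14:22:51 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Apr 11 14:22:51 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
Apr 11 14:22:35 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
Apr 11 14:22:05 racoon: ERROR: fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Apr 11 14:22:05 racoon: INFO: initiate new phase 2 negotiation: 213.147.104.122[500]<=>193.41.36.115[500]
Apr 11 14:21:53 racoon: ERROR: 193.41.36.115 give up to get IPsec-SA due to time up to wait.
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) racoon: \w+: (?P<msg>.*)$")
INIT_RE = re.compile(r"initiate new phase 2 negotiation: \S+<=>(?P<peer>[\d.]+)\[\d+\]")
GIVEUP_RE = re.compile(r"^(?P<peer>[\d.]+) give up to get IPsec-SA")

def parse_ts(stamp):  # syslog stamps carry no year; any fixed year works for deltas
    return datetime.strptime("2000 " + stamp, "%Y %b %d %H:%M:%S")

def find_phase2_loops(log_text, window_s=600, min_failures=3):
    """{peer: n} for peers with n >= min_failures failed Phase 2 attempts in window_s."""
    init_at, raw = {}, []             # ts -> peer named in "initiate" lines; (ts, peer|None)
    # lines without "racoon:" (e.g. "last message repeated 2 times") do not match and are skipped
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (i := INIT_RE.search(msg)):
            init_at[ts] = i["peer"]
        elif "NO-PROPOSAL-CHOSEN" in msg:
            raw.append((ts, None))    # the notify names no peer; resolved below
        elif (g := GIVEUP_RE.match(msg)):
            raw.append((ts, g["peer"]))
    failures = defaultdict(list)
    for ts, peer in raw:
        # the notify shares its second with the "initiate" line naming the peer, in either order
        peer = peer or init_at.get(ts)
        if peer:
            failures[peer].append(ts)
    loops = {}
    for peer, times in failures.items():
        times.sort()
        for i, start in enumerate(times):  # failures within window_s of each start stamp
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_s)
            if n >= min_failures:
                loops[peer] = max(loops.get(peer, 0), n)
    return loops
```

On the sample, the peer 193.41.36.115 is reported with six failures in under two minutes; in a cron job the same function over `/var/log/ipsec.log` would raise the alert well before the week-long failure described in the post.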



  • Hi,

    I have the same scenario, but my IPSEC tunnel is not working. bernikm, can you help me by posting your config?

    Thanks

