Netgate Discussion Forum

    Nortel <-> pfSense lifetime problem?

bjorktorp:

      I have successfully established a tunnel between a Nortel Contivity 1740 and a pfSense 1.2-RC3 embedded on Alix.

Everything looked good. I tested the setup for several hours, no problems. Comfortable with the solution I packed the pfSense and sent it to a branch office some 250km away. Then I realized that I should have tested the setup for more than 14 hours and 30 mins. Because I see in our monitoring platform that the tunnel goes down after 14:25, it is down for 6 hours and 25 mins and then it comes up again. And so it continues… The polling schedule in the monitoring software adds a lack in precision of about 5 mins, but the pattern is surely there.

I think the problem is to be found in key renegotiation. From the beginning I had not entered anything in the lifetime boxes in pfSense. In the Nortel box I found a "Rekey timeout" value of 8 hours. I guessed that the value is a phase 2 thing so I added a 28800s lifetime in phase 2 in the pfSense - no difference.

      What the logs say:
      In the Contivity I see a lot of "tEvtLgMgr 0 : ISAKMP [13] Invalid cookie in message from 81.228.x.y"
      and at last "Security [13] Session: IPSEC[ex13982]:262045 No response from client - logging out"

      The pfSense log doesn't say anything. Or rather, after six hours, when it is back on line again I see only the most recent entries in the internal log. I have rigged a syslog server on the local net, but IPSEC doesn't seem to send any log entries to the syslog server.

      So, wrapping it all up: Given the fact that the Contivity has a "Rekey timeout" of 8 hours, what values would be proper to put in the lifetime boxes in both phase1 and phase2? Or perhaps I am on the wrong track. In that case, can someone put me on the right track, please?

      The "Rekey timeout" in the Nortel box is the only time related parameter I have found. There is also a kB parameter, but it is set to 0.

      /Roger

ssbaksa:

        @bjorktorp:

        I have successfully established a tunnel between a Nortel Contivity 1740 and a pfSense 1.2-RC3 embedded on Alix.

        –snip--

        The "Rekey timeout" in the Nortel box is the only time related parameter I have found. There is also a kB parameter, but it is set to 0.

![Nortel phase1and2.JPG](/public/imported_attachments/1/Nortel phase1and2.JPG)
![pfsense phase1JPG.JPG](/public/imported_attachments/1/pfsense phase1JPG.JPG)
![pfsense phase2.JPG](/public/imported_attachments/1/pfsense phase2.JPG)

bjorktorp:

          Thanks ssbaksa.

          After I have seen your screendump I guess my problem is related to the version of the Contivity software I'm using. It's V5_05.340 and I don't have the configuration options that you have. Which version do you have?

          Anyhow, I think your post has helped me a step further.

          This is what I can play with:

C1740_IPSEC.JPG (attachment: screenshot of the Contivity 1740 IPsec settings)

ssbaksa:

            @bjorktorp:

            Thanks ssbaksa.

            After I have seen your screendump I guess my problem is related to the version of the Contivity software I'm using. It's V5_05.340 and I don't have the configuration options that you have. Which version do you have?

Your Contivity is a more capable model and different from mine. I have two 221 models and one 222 model. On the 221 the firmware is:

            Model Name : Contivity 221 
            Nortel Firmware Version: VE221_2.5.0.0.014 | 09/16/2005 
            Routing Protocols : IP

The 222 is down for now so I can't say which firmware is on it.

I have 2 PDF documents from Nortel which helped me to establish IPsec connections with different VPN routers/firewalls. If you would like to have them, send me your e-mail and I will send them to you.

            Sasa

heiko:

              First, "no compression" on the nortel and please try phase 1 "28800" and phase 2 "86400".

ssbaksa:

                @heiko:

                First, "no compression" on the nortel and please try phase 1 "28800" and phase 2 "86400".

Why should phase 2 last longer than phase 1? Isn't it the opposite?

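Editor's added example, not code from the thread or from Netgate: the original question asks which phase 1 / phase 2 lifetimes to enter on pfSense against the Contivity's 8-hour "Rekey timeout", and the last two posts disagree about whether phase 2 may be longer than phase 1. The script below takes both peers' lifetimes and reports the two things worth checking before touching the tunnel: a phase 2 lifetime longer than phase 1 on either side (the IPsec SA would then outlive the ISAKMP SA that protects its rekeying), and any lifetime that differs between the peers, with the time after establishment at which the peer with the shorter value expires an SA the other still holds. In IKEv1 the ISAKMP cookies identify the phase 1 SA, so once one side has discarded that SA, packets still carrying its cookies are rejected; in a healthy tunnel the peer with the shorter lifetime initiates a rekey before that point, so a mismatch only becomes an outage when the rekey fails. The model ignores soft/hard lifetime margins and kilobyte limits, and the peer values in `main` are constructed from the thread (Contivity 28800 s for both phases, pfSense 28800 / 86400 s as heiko suggested), not a captured configuration.

```python
# Added example (not from the forum thread): compare IKEv1 phase 1 / phase 2
# lifetimes configured on two peers and report where their SA expiries diverge.
# Simplified model: no soft-lifetime margin, no kilobyte limits, no DPD.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PeerLifetimes:
    name: str
    phase1: int  # ISAKMP (phase 1) SA lifetime in seconds
    phase2: int  # IPsec (phase 2) SA lifetime in seconds


def check_lifetimes(a: PeerLifetimes, b: PeerLifetimes) -> List[str]:
    """Return findings for a pair of peers; an empty list means consistent."""
    findings: List[str] = []
    for p in (a, b):
        if p.phase2 > p.phase1:
            findings.append(
                f"{p.name}: phase 2 lifetime {p.phase2}s exceeds phase 1 lifetime "
                f"{p.phase1}s; the IPsec SA would outlive the ISAKMP SA used to rekey it"
            )
    if a.phase1 != b.phase1:
        first = min((a, b), key=lambda p: p.phase1)
        findings.append(
            f"phase 1 mismatch: {a.name}={a.phase1}s, {b.name}={b.phase1}s; "
            f"{first.name} discards the ISAKMP SA first, after which packets still "
            f"carrying its cookies are rejected"
        )
    if a.phase2 != b.phase2:
        first = min((a, b), key=lambda p: p.phase2)
        findings.append(
            f"phase 2 mismatch: {a.name}={a.phase2}s, {b.name}={b.phase2}s; "
            f"{first.name} expires the IPsec SA first"
        )
    return findings


def first_divergence(a: PeerLifetimes, b: PeerLifetimes) -> Optional[int]:
    """Seconds after establishment at which one peer has expired an SA that the
    other still considers valid, or None when both peers agree on every lifetime."""
    candidates = []
    if a.phase1 != b.phase1:
        candidates.append(min(a.phase1, b.phase1))
    if a.phase2 != b.phase2:
        candidates.append(min(a.phase2, b.phase2))
    return min(candidates) if candidates else None


def main() -> None:
    # Constructed values based on the thread, not a captured configuration:
    # Contivity "Rekey timeout" of 8 hours applied to both phases (an assumption),
    # pfSense set to heiko's suggestion of phase 1 = 28800 s, phase 2 = 86400 s.
    contivity = PeerLifetimes("contivity", phase1=28800, phase2=28800)
    pfsense = PeerLifetimes("pfsense", phase1=28800, phase2=86400)
    for line in check_lifetimes(contivity, pfsense):
        print("finding:", line)
    print("first divergence (s):", first_divergence(contivity, pfsense))

    # A consistent pair in the usual shape, phase 2 shorter than phase 1 on both sides.
    consistent = PeerLifetimes("pfsense", phase1=28800, phase2=3600)
    print("consistent pair findings:", check_lifetimes(consistent, consistent))


if __name__ == "__main__":
    main()
```

Run it with the two peers' actual values substituted; if it reports nothing and the tunnel still drops on a fixed period, the lifetimes are not the cause and the kilobyte limit, DPD, or the peer's own logs (the Contivity's "No response from client" line in the original post is the kind of entry to look at) are the next places to check.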
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.