PFSense to Watchguard Site to Site IPSec Unstable



  • Hello Pfsense persons

    I have a site to site XTM800 to pfsense - which is refusing to behave normally:-

    I've checked settings match on both sides - settings are:-

    Phase 1
    Mutual PSK, Main, Policy Gen= default, Proposal Checking = default, 3DES, SHA1, DH2, lifetime 28800

    Phase 2
    ESP, 3DES, SHA1, PFS 2, Lifetime 128000

    Prefer old SA is checked

    However see the logs below - phase 2 is getting renegotiated every 2-10 minutes and when phase 1 expires, the whole tunnel refuses to come back up unless I kick ipsec on the pfsense…

    My questions are - is this renegotiation normal and what the duck am I going to try next to get this link stable....?

    I've not been able to reboot these units - but it's next on the list.

    Many thanks

    IP addresses redacted - in logs below I kicked ipsec at 14:50-14:51

    Nov 18 14:35:39 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:35:39 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=109914117(0x68d2805)
    Nov 18 14:35:39 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=2061529439(0x7ae0715f)
    Nov 18 14:36:31 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=101884595(0x612a2b3)
    Nov 18 14:36:46 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:36:46 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=266629800(0xfe472a8)
    Nov 18 14:36:46 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=3193486754(0xbe58bda2)
    Nov 18 14:37:10 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=123426912(0x75b5860)
    Nov 18 14:37:51 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=176550910(0xa85f3fe)
    Nov 18 14:38:38 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:38:39 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=56725320(0x3618f48)
    Nov 18 14:38:39 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=3171293728(0xbd061a20)
    Nov 18 14:39:08 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=166482438(0x9ec5206)
    Nov 18 14:39:50 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=205978551(0xc46fbb7)
    Nov 18 14:40:29 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=228176044(0xd99b0ac)
    Nov 18 14:40:34 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:40:34 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=106226611(0x654e3b3)
    Nov 18 14:40:34 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=2609363023(0x9b87b84f)
    Nov 18 14:41:37 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:41:37 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=22161083(0x15226bb)
    Nov 18 14:41:37 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=3090628913(0xb8374131)
    Nov 18 14:41:48 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=94083333(0x59b9905)
    Nov 18 14:42:34 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=25819264(0x189f880)
    Nov 18 14:43:21 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=235687828(0xe0c4f94)
    Nov 18 14:43:23 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=2105908752(0x7d859e10)
    Nov 18 14:44:34 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=79145380(0x4b7a9a4)
    Nov 18 14:45:08 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:45:08 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=71326885(0x4405ca5)
    Nov 18 14:45:08 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=2998537357(0xb2ba0c8d)
    Nov 18 14:45:14 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=166330348(0x9e9ffec)
    Nov 18 14:45:51 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=209051106(0xc75dde2)
    Nov 18 14:46:09 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=197482752(0xbc55900)
    Nov 18 14:47:03 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=37436611(0x23b3cc3)
    Nov 18 14:47:44 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=257954960(0xf601490)
    Nov 18 14:48:24 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=211889230(0xca12c4e)
    Nov 18 14:49:37 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=259242333(0xf73b95d)
    Nov 18 14:50:21 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=209863127(0xc8241d7)
    Nov 18 14:51:10 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=261054659(0xf8f60c3)
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: respond new phase 1 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:51:32 10.0.7.12 racoon: [22.33.22.21] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: ISAKMP-SA established 158.152.1.43[500]-22.33.22.21[500] spi:0e42ad1c764a42ac:9e058a16ea02d266
    Nov 18 14:51:32 10.0.7.12 racoon: [22.33.22.21] INFO: received INITIAL-CONTACT
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=186691286(0xb20aed6)
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=2958911276(0xb05d672c)
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=28824948(0x1b7d574)
    Nov 18 14:51:32 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=2541011031(0x9774c057)
    Nov 18 14:51:33 10.0.7.12 racoon: INFO: initiate new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
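    One way to put numbers on what the log above shows (how often phase 2 is really being renegotiated versus the configured lifetime, and how many expiring SAs were never seen being set up), as an added example that is not part of the original post: a small parser for racoon syslog lines of the format quoted above. The sample lines are constructed from the post's format and the `sa_churn()` helper and its field names are assumptions of this example, not pfSense or racoon tooling.

```python
"""Measure IPsec SA churn from racoon syslog lines of the format quoted in the post."""
import re
from datetime import datetime

# Constructed sample in the post's log format (addresses copied from the post).
SAMPLE_LOG = """\
Nov 18 14:35:39 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
Nov 18 14:35:39 10.0.7.12 racoon: INFO: IPsec-SA established: ESP 158.152.1.43[500]->22.33.22.21[500] spi=109914117(0x68d2805)
Nov 18 14:36:31 10.0.7.12 racoon: INFO: IPsec-SA expired: ESP/Tunnel 22.33.22.21[500]->158.152.1.43[500] spi=101884595(0x612a2b3)
Nov 18 14:36:46 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
Nov 18 14:38:38 10.0.7.12 racoon: INFO: respond new phase 2 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
Nov 18 14:51:32 10.0.7.12 racoon: [22.33.22.21] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Nov 18 14:51:32 10.0.7.12 racoon: INFO: respond new phase 1 negotiation: 158.152.1.43[500]<=>22.33.22.21[500]
"""

# Syslog prefix, optional "[peer]" tag racoon adds on some lines, then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?:\[[^\]]+\] )?INFO: (?P<msg>.*)$")
SPI_RE = re.compile(r"spi=\d+\((0x[0-9a-f]+)\)")

def parse(lines, year=2000):
    """Yield (datetime, message); syslog lines carry no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["msg"]

def sa_churn(lines, configured_lifetime_s):
    """Summarise phase 1/2 activity and compare the observed rekey gaps with the configured lifetime."""
    events = list(parse(lines))
    p2_times = [t for t, msg in events if "phase 2 negotiation" in msg]
    gaps = [(b - a).total_seconds() for a, b in zip(p2_times, p2_times[1:])]
    established = {SPI_RE.search(msg).group(1) for _, msg in events if "IPsec-SA established" in msg}
    expired = {SPI_RE.search(msg).group(1) for _, msg in events if "IPsec-SA expired" in msg}
    return {
        "phase2_negotiations": len(p2_times),
        "min_gap_s": min(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
        # SPIs that expire without an "established" line in the window were set up
        # earlier; a steady stream of them next to fresh negotiations is the churn signature.
        "expired_without_seen_setup": len(expired - established),
        # Rekeying far below the configured phase 2 lifetime points at the peer, not the timer.
        "renegotiating_early": bool(gaps) and max(gaps) < configured_lifetime_s,
        "phase1_renegotiations": sum("phase 1 negotiation" in msg for _, msg in events),
    }

if __name__ == "__main__":
    print(sa_churn(SAMPLE_LOG.splitlines(), configured_lifetime_s=128000))
```

Feed it the full log from the post (with the phase 2 lifetime the post lists) to see the rekey gaps land in the minutes range rather than anywhere near 128000 seconds.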