ipsec s2s forti and pfsense
So, I know that IPsec with pfSense has some issues, and it is kind of unknown how to resolve them, but maybe someone will have an idea about this one.
The situation looks like this: I have several phase 2 tunnels, let's say 7. The problem occurs with the first one, and only with it. When I reset it, it will work for some amount of time, 15 minutes / 1 hour... it depends. Packet losses and so on, an overall connectivity problem, while all the others work fine. I've noticed that when this happens, diag debug outputs a lot of errors, or some information that I can't make any sense out of. Here it is; it repeats itself in a loop:
ike 0: comes sourceip:500->destip:500,ifindex=59....
ike 0: IKEv2 exchange=CREATE_CHILD id=xxx len=800
ike 0:tunnel_vpn:433759: received create-child request
ike 0:tunnel_vpn:433759: responder received CREATE_CHILD exchange
ike 0:tunnel_vpn:433759: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:tunnel_vpn:433759: responder creating new child
ike 0:tunnel_vpn:xxx: peer proposal:
here are the phase 2 subnets, removed for privacy :)
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: matched by rfc-rule-3
ike 0:tunnel_vpn:433759:tunnel_NETWORK_2:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_NETWORK_3:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_NETWORK_4:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_NETWORK_5:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_NETWORK_6:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn2:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn2_2:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn2_3:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: phase2 matched by subset
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: accepted proposal:
Then it states the configuration properties for tunnel_vpn_1 (the one which is problematic, no other). And the rest of the code:
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: added IPsec SA: SPIs=7984df60/caf3ca3e
ike 0:tunnel_vpn: HA send IKEv2 message ID update send/recv=669779/669691
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: responder preparing CREATE_CHILD message
ike 0:tunnel_vpn:433759: enc xxx
ike 0:tunnel_vpn: IPsec SA xxx hard expired 59 destip->sourceip:0 SA count 3 of 7
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539070: sending delete for IPsec SA SPI 7984df5c
ike 0:tunnel_vpn:433759:154539079: send informational
ike 0:tunnel_vpn:433759: enc xxx
ike 0:tunnel_vpn:433759: out
Forgive me for butchering the code, I don't want any information leaked; a bit paranoid, I know. But maybe someone has understood my problem and encountered it.
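As an added example (not part of the original post and not Fortinet's code), here is a small Python parser for FortiGate `diagnose debug application ike` output in the shape quoted above. It counts, per phase 2, how many child SAs were added and which selector rule each match reported, and it joins the tunnel-level `hard expired` lines back to a phase 2 through the SPI, which those lines do not name. Over a longer capture this makes the one phase 2 that is rekeying far more often than its siblings stand out. The sample log is constructed to mirror the post's excerpt: tunnel and phase 2 names, IKE SA and message ids, SPIs and addresses are made up.

```python
"""Count child-SA churn per phase 2 in FortiGate IKE debug output.

Added example, not code from the original post or from Fortinet. Input is text in
the shape of `diagnose debug application ike -1` lines as quoted in the post.
"""
import re
from collections import defaultdict

# Constructed sample (names, ids, SPIs and addresses are made up): tunnel_vpn_1 is
# rekeyed twice and its first SA is hard-expired and deleted; tunnel_NETWORK_2 is
# rekeyed once, for contrast. There are no timestamps, as in the post; FortiGate
# adds them only with `diagnose debug console timestamp enable`.
SAMPLE_LOG = """\
ike 0: comes 198.51.100.2:500->203.0.113.1:500,ifindex=59....
ike 0: IKEv2 exchange=CREATE_CHILD id=669777 len=800
ike 0:tunnel_vpn:433759: received create-child request
ike 0:tunnel_vpn:433759: responder received CREATE_CHILD exchange
ike 0:tunnel_vpn:433759: processing notify type ESP_TFC_PADDING_NOT_SUPPORTED
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539070: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539070: matched by rfc-rule-3
ike 0:tunnel_vpn:433759:tunnel_NETWORK_2:154539070: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539070: phase2 matched by subset
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539070: added IPsec SA: SPIs=7984df5c/caf3ca3a
ike 0:tunnel_vpn:433759: received create-child request
ike 0:tunnel_vpn:433759:tunnel_NETWORK_2:154539074: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_NETWORK_2:154539074: matched by rfc-rule-3
ike 0:tunnel_vpn:433759:tunnel_NETWORK_2:154539074: added IPsec SA: SPIs=7984df5e/caf3ca3c
ike 0:tunnel_vpn:433759: received create-child request
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: comparing selectors
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: matched by rfc-rule-3
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: phase2 matched by subset
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539078: added IPsec SA: SPIs=7984df60/caf3ca3e
ike 0:tunnel_vpn: HA send IKEv2 message ID update send/recv=669779/669691
ike 0:tunnel_vpn: IPsec SA 7984df5c/caf3ca3a hard expired 59 203.0.113.1->198.51.100.2:0 SA count 3 of 7
ike 0:tunnel_vpn:433759:tunnel_vpn_1:154539070: sending delete for IPsec SA SPI 7984df5c
ike 0:tunnel_vpn:433759:154539079: send informational
ike 0:tunnel_vpn:433759: out
"""

ADDED_RE = re.compile(r"added IPsec SA: SPIs=([0-9a-f]+)/([0-9a-f]+)")
DELETE_RE = re.compile(r"sending delete for IPsec SA SPI ([0-9a-f]+)")
EXPIRED_RE = re.compile(r"IPsec SA ([0-9a-f]+)/([0-9a-f]+) hard expired \d+ .*SA count (\d+) of (\d+)")
MATCH_RE = re.compile(r"matched by (\S+)")


def parse_ike_debug(text):
    """Return (tunnels, phase2s): per-tunnel request/expiry data and per-phase-2 SA events.

    The prefix `ike 0:<tunnel>:<ike-sa-id>:<phase2>:<msg-id>:` is split on ':'; the phase 2
    is the first non-numeric field after the tunnel name, so lines carrying only the tunnel
    (HA updates, hard expiry) or only ids (informational sends) are attributed correctly.
    """
    tunnels = defaultdict(lambda: {"create_child_requests": 0, "hard_expired": [], "sa_count": None})
    phase2s = defaultdict(lambda: {"tunnel": None, "added": [], "deleted": [], "match_rules": []})
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("ike "):
            continue
        head, _, msg = line.partition(": ")   # first ": " ends the colon-separated prefix
        parts = head.split(":")[1:]           # drop the leading "ike <n>" process tag
        if not parts:
            continue                          # "comes ..." / "IKEv2 exchange=..." lines
        tunnel = parts[0]
        phase2 = next((p for p in parts[1:] if not p.isdigit()), None)
        t = tunnels[tunnel]
        if "received create-child request" in msg:
            t["create_child_requests"] += 1
        m = EXPIRED_RE.search(msg)
        if m:                                 # tunnel-level line: only the SPI ties it to a phase 2
            t["hard_expired"].append(m.group(1))
            t["sa_count"] = (int(m.group(3)), int(m.group(4)))
        if phase2 is None:
            continue
        p = phase2s[phase2]
        p["tunnel"] = tunnel
        if (m := MATCH_RE.search(msg)):
            p["match_rules"].append(m.group(1))
        if (m := ADDED_RE.search(msg)):
            p["added"].append((m.group(1), m.group(2)))
        if (m := DELETE_RE.search(msg)):
            p["deleted"].append(m.group(1))
    return dict(tunnels), dict(phase2s)


def churn_report(tunnels, phase2s):
    """Rank phase 2s by child-SA creations; join deletes and hard expiries to the phase 2
    whose earlier `added IPsec SA` line carried the same inbound SPI."""
    rows = []
    for name, p in phase2s.items():
        own_spis = {spi_in for spi_in, _ in p["added"]}
        expired = tunnels.get(p["tunnel"], {}).get("hard_expired", [])
        replaced = [s for s in p["deleted"] if s in own_spis]
        rows.append({
            "phase2": name,
            "added": len(p["added"]),
            "replaced": len(replaced),                       # delete of an SA we saw created
            "deleted_unknown": len(p["deleted"]) - len(replaced),
            "expired": sum(1 for s in expired if s in own_spis),
            "rules": sorted(set(p["match_rules"])),
        })
    rows.sort(key=lambda r: (-r["added"], r["phase2"]))
    return rows


if __name__ == "__main__":
    tunnels, phase2s = parse_ike_debug(SAMPLE_LOG)
    for t, info in tunnels.items():
        print(f"{t}: {info['create_child_requests']} CREATE_CHILD requests, SA count {info['sa_count']}")
    for r in churn_report(tunnels, phase2s):
        print(f"  {r['phase2']:<18} added={r['added']} replaced={r['replaced']} "
              f"expired={r['expired']} unknown-deletes={r['deleted_unknown']} rules={r['rules']}")
```

Run it against a longer capture of the real output (paste it into `SAMPLE_LOG` or read it from a file) rather than one loop iteration: the useful signal is the ratio of `added` on the problem phase 2 to its siblings over the same period, and whether each delete is a `replaced` rekey or an `unknown` SPI. Because the debug lines carry no timestamps unless console timestamps are enabled, counts over a capture window are the only timing available here. The `rules` column records what the FortiGate printed for each match (`rfc-rule-3`, `subset`); a phase 2 that is consistently accepted "by subset" is being matched against selectors narrower than those configured locally, which is worth comparing with the pfSense phase 2 definitions for that tunnel.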