Hi,
I'm running 20 clients into a Scope7 under OPNsense 21.7.2, establishing individual IPsec IKEv2 tunnels from individual sites via EAP/MSCHAPv2.
The clients are configured via profiles, running under macOS or iOS.
Everything is working well, but one problem remains: Every hour, the clients get disconnected.
As the default for rekeying is 3600 seconds, that's my natural first idea to look into.
The log seems to confirm my suspicions:
2021-09-17T17:15:00 charon[65375] 13[IKE] <con1|260> sending DELETE for ESP CHILD_SA with SPI c5bac60c
2021-09-17T17:15:00 charon[65375] 13[IKE] <con1|260> failed to establish CHILD_SA, keeping IKE_SA
2021-09-17T17:15:00 charon[65375] 13[IKE] <con1|260> no acceptable proposal found
2021-09-17T17:15:00 charon[65375] 13[CFG] <con1|260> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2021-09-17T17:15:00 charon[65375] 13[CFG] <con1|260> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2021-09-17T17:15:00 charon[65375] 13[ENC] <con1|260> parsed CREATE_CHILD_SA response 864 [ SA No TSi TSr ]
2021-09-17T17:15:00 charon[65375] 13[NET] <con1|260> received packet: from 93.195.52.31[4500] to 192.168.1.48[4500] (192 bytes)
2021-09-17T17:15:00 charon[65375] 13[NET] <con1|260> sending packet: from 192.168.1.48[4500] to 93.195.52.31[4500] (768 bytes)
2021-09-17T17:15:00 charon[65375] 13[ENC] <con1|260> generating CREATE_CHILD_SA request 864 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-09-17T17:15:00 charon[65375] 13[IKE] <con1|260> establishing CHILD_SA con1{147} reqid 1
2021-09-17T17:15:00 charon[65375] 11[KNL] creating rekey job for CHILD_SA ESP/0xc3269189/192.168.1.48
The lines "failed to establish CHILD_SA, keeping IKE_SA" and "no acceptable proposal found" stand out.
Any ideas where to look? Can I enable PSK in the process?
THX!
atoll
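One way to see why charon rejected the rekey is to compare the two CFG lines it logged, "configured proposals" and "received proposals", transform by transform. The script below is an added diagnostic example, not OPNsense or strongSwan code. It assumes a simplified version of strongSwan's selection rule (a pair of ESP proposals can only be selected if every transform type present on one side is present on the other with at least one shared algorithm) and uses a constructed log sample built from the two CFG lines in the post above, with the configured list shortened to three entries; the prefix table that classifies algorithm names is an assumption covering the names seen in this log.

```python
"""Compare the ESP proposals charon logs as 'configured' vs 'received' and report
why no pair matched. Added example; not part of OPNsense or strongSwan."""
import re
from collections import Counter

# Constructed sample: the two CFG lines from the posted log, with the configured
# list shortened to three of its entries.
SAMPLE_LOG = """\
2021-09-17T17:15:00 charon[65375] 13[CFG] <con1|260> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2021-09-17T17:15:00 charon[65375] 13[CFG] <con1|260> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""

# Transform-type classification by name prefix (assumption: covers the names in the
# log). Order matters: AES_XCBC is an integrity algorithm although it starts with AES_.
TRANSFORM_TYPES = (
    ("esn", ("NO_EXT_SEQ", "EXT_SEQ")),
    ("dh_group", ("MODP_", "ECP_", "CURVE_")),
    ("integrity", ("HMAC_", "AES_XCBC", "AES_CMAC")),
    ("encryption", ("AES_", "3DES", "CHACHA20", "CAMELLIA", "NULL")),
)

PROPOSAL_LINE = re.compile(r"\b(configured|received) proposals: (.+?)\s*$")


def classify(alg):
    """Map a strongSwan algorithm name to its transform type."""
    for ttype, prefixes in TRANSFORM_TYPES:
        if alg.startswith(prefixes):
            return ttype
    raise ValueError(f"unknown transform: {alg}")


def parse_proposal(text):
    """'ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ' -> (proto, {type: {algs}})."""
    proto, _, transforms = text.partition(":")
    by_type = {}
    for alg in transforms.split("/"):
        by_type.setdefault(classify(alg), set()).add(alg)
    return proto, by_type


def parse_log(lines):
    """Collect the configured and received proposal lists from charon CFG lines."""
    found = {"configured": [], "received": []}
    for line in lines:
        m = PROPOSAL_LINE.search(line)
        if m:
            found[m.group(1)].extend(p.strip() for p in m.group(2).split(","))
    return found


def match(conf, recv):
    """Return None if the two proposals can be selected against each other,
    otherwise the first reason they cannot (simplified strongSwan rule)."""
    cproto, cmap = parse_proposal(conf)
    rproto, rmap = parse_proposal(recv)
    if cproto != rproto:
        return f"protocol {cproto} vs {rproto}"
    for ttype, _ in TRANSFORM_TYPES:
        c, r = cmap.get(ttype), rmap.get(ttype)
        if c is None and r is None:
            continue
        if c is None:
            return f"{ttype} only in received"
        if r is None:
            return f"{ttype} only in configured"
        if not c & r:
            return f"no common {ttype}"
    return None


def diagnose(lines):
    """Try every configured/received pair; return the matches and a tally of reasons."""
    found = parse_log(lines)
    matches, reasons = [], Counter()
    for conf in found["configured"]:
        for recv in found["received"]:
            why = match(conf, recv)
            if why is None:
                matches.append((conf, recv))
            else:
                reasons[why] += 1
    return {"matches": matches, "reasons": reasons}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG.splitlines())
    print("matching pairs:", result["matches"])
    for why, n in result["reasons"].most_common():
        print(f"{n} pair(s) rejected: {why}")
```

Run against the sample, every configured proposal is rejected for the same reason: each one carries a DH group (MODP_2048) while the proposal the client sent back in the CREATE_CHILD_SA response has none. That is the difference between the two CFG lines in the log, which is the first thing to check when comparing the phase 2 (child) settings on both ends.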