20.1.7 - IPSEC tunnels some P2 lost after 1 hour at rekey

Started by nzkiwi68, June 12, 2020, 01:33:04 AM

I've recently converted from pfSense and am now running 20.1.7 connecting to a number of IPSEC traditional VPN tunnels.


  • The endpoints are a number of different pfSense firewalls, 2.4.4.p3, 2.4.5 and 2.4.5-p1.
  • If I restart IPSEC on OPNsense, all the tunnels P1/P2 connect and work.
  • After about 1 hour, some, consistently the same tunnels, lose their P2 in OPNsense.

What have I done?
* I have rebooted OPNsense
* Deleted the affected OPNsense tunnels and remade them on OPNsense again
* Minutely compared settings on OPNsense to tunnels that work and never drop and those that do (no differences detected)

See some IPSEC log entries from OPNsense:
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> failed to establish CHILD_SA, keeping IKE_SA
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built


Have a look at this whilst in failure mode:
See the last one (con6) - no P2




NO PROPOSAL CHOSEN means there is a mismatch in settings, like enc alg or hash digest.
You need to compare both sides one by one.
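As an added example (not from the thread or from OPNsense/strongSwan), here is a small Python script that does the two chores the reply describes: it pulls the connections reporting NO_PROPOSAL_CHOSEN or "failed to establish CHILD_SA" out of charon log lines, and it compares two phase-2 proposal lists component by component (encryption, integrity, DH group) to show where they fail to overlap. The log lines are constructed samples modelled on the ones quoted above (the con2 and con6 lines are made up for contrast), and the proposal strings are hypothetical values in strongSwan's "enc-integ-dhgroup" notation.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the charon messages quoted in the thread.
# The con2 line shows a healthy CHILD_SA for contrast; con6 mirrors the tunnel
# the poster saw without a P2.
SAMPLE_LOG = """\
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
2020-06-11T06:55:51 charon: 14[IKE] <con4|21> failed to establish CHILD_SA, keeping IKE_SA
2020-06-11T06:55:52 charon: 09[IKE] <con2|18> CHILD_SA con2{6} established with SPIs cb1a2e3f_i 4d5e6f70_o
2020-06-11T07:55:53 charon: 11[IKE] <con6|23> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

# timestamp, thread id, log group, <connection|ike-sa id>, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\S+) charon: \d+\[(?P<group>\w+)\] <(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)

# Messages that indicate phase 2 (CHILD_SA) negotiation failed
FAILURE_MARKERS = ("NO_PROPOSAL_CHOSEN", "failed to establish CHILD_SA")


def parse_charon(text):
    """Split charon log lines into dicts with ts, group, conn and msg."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def failing_connections(text):
    """Map each connection name to the (timestamp, message) failures seen for it."""
    failures = defaultdict(list)
    for rec in parse_charon(text):
        if any(marker in rec["msg"] for marker in FAILURE_MARKERS):
            failures[rec["conn"]].append((rec["ts"], rec["msg"]))
    return dict(failures)


def split_proposal(proposal):
    """'aes256-sha256-modp2048' -> ('aes256', 'sha256', 'modp2048').

    The DH group is optional (no PFS), in which case it comes back as None.
    """
    parts = proposal.split("-")
    enc, integ = parts[0], parts[1]
    dh = parts[2] if len(parts) > 2 else None
    return enc, integ, dh


def compare_proposals(local, remote):
    """Report proposals both peers offer and, per component, where they never overlap."""
    report = {"common": sorted(set(local) & set(remote))}
    for name, idx in (("encryption", 0), ("integrity", 1), ("dh_group", 2)):
        ours = {split_proposal(p)[idx] for p in local}
        theirs = {split_proposal(p)[idx] for p in remote}
        if not (ours & theirs):  # no shared value at all for this component
            report[name] = {
                "local": sorted(x or "none" for x in ours),
                "remote": sorted(x or "none" for x in theirs),
            }
    return report


if __name__ == "__main__":
    for conn, msgs in failing_connections(SAMPLE_LOG).items():
        print(conn)
        for ts, msg in msgs:
            print("   ", ts, msg)
    # Hypothetical phase-2 settings from the two peers: only the hash differs
    print(compare_proposals({"aes256-sha256-modp2048"}, {"aes256-sha1-modp2048"}))
```

Run it as-is to see con4 and con6 flagged and the integrity mismatch reported; on a real box, feed it the IPsec log and the phase-2 settings copied from each firewall's GUI. An empty "common" list is the condition that produces NO_PROPOSAL_CHOSEN, and the per-component entries tell you which field to look at first.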

Thanks.

You are right, just some very subtle differences and that was the cause.

Problem solved.