OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Archive »
  • 21.7 Legacy Series »
  • IPsec IKEv2 rekey issue?
« previous next »
  • Print
Pages: [1]

Author Topic: IPsec IKEv2 rekey issue?  (Read 1628 times)

atoll

  • Newbie
  • *
  • Posts: 10
  • Karma: 0
    • View Profile
IPsec IKEv2 rekey issue?
« on: September 18, 2021, 07:45:10 pm »
Hi,

I'm running 20 clients into a Scope7 under OPENsense 21.7.2, establishing individual IPsec IKEv2 Tunnels from individual sites via EAP/MSCHAPv2.

The Clients are configured via profiles, running under MacOS or iOS.

Everything is working well, but one problem remains: Every hour, the clients get disconnected.

As the default for rekeying is 3600 seconds, that's my natural first idea to look into.

The log seems to confirm my suspicions:


Quote
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> sending DELETE for ESP CHILD_SA with SPI c5bac60c
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> failed to establish CHILD_SA, keeping IKE_SA
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> no acceptable proposal found
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_192/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[CFG] <con1|260> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> parsed CREATE_CHILD_SA response 864 [ SA No TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> received packet: from 93.195.52.31[4500] to 192.168.1.48[4500] (192 bytes)
2021-09-17T17:15:00   charon[65375]   13[NET] <con1|260> sending packet: from 192.168.1.48[4500] to 93.195.52.31[4500] (768 bytes)
2021-09-17T17:15:00   charon[65375]   13[ENC] <con1|260> generating CREATE_CHILD_SA request 864 [ N(REKEY_SA) N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
2021-09-17T17:15:00   charon[65375]   13[IKE] <con1|260> establishing CHILD_SA con1{147} reqid 1
2021-09-17T17:15:00   charon[65375]   11[KNL] creating rekey job for CHILD_SA ESP/0xc3269189/192.168.1.48[/size]

The lines: "failed to establish CHILD_SA, keeping IKE_SA; no acceptable proposal found" stand out.

Any ideas where to look? Can I enable PSK in the process?

THX!

atoll
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • Archive »
  • 21.7 Legacy Series »
  • IPsec IKEv2 rekey issue?
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2