17.1.1 ipsec reneg delays

Started by xofer, February 22, 2017, 01:44:53 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 22, 2017, 01:44:53 PM
I have configured site to site ipsec from one opnsense to another and clients have intermittent connection issues through the connection. At some point the tunnel drops and renegotiation is not successful for several minutes.

Going through the log, i stumbled upon this:
peer A:
Feb 22 14:30:02 peerA charon: 06[IKE] sending cert request for -----cert information deleted as this is a public forum----
Feb 22 14:30:02 peerA charon: 06[IKE] sending cert request for -----cert information deleted as this is a public forum----

peer B:
Feb 22 14:30:02 peerB charon: 12[IKE] received 2 cert requests for an unknown ca



Ipsec negotiation succeeds 2 minutes(!) later.

The strange thing is that ipsec is configured to use Mutual PSK, not certificates. The certificates in question are used for OpenVPN clients on peer A.


Why does ipsec use these certificates at all?
Am I right to suspect that this is the cause for the delay that one peer tries to authenticate using these CAs?
Print
Go Up Pages1
User actions