DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
VPN drops when renegotiating ISAKMP SA Phase 1
- jonathanbaird
- Topic Author
- Offline
- New Member
Less
More
- Posts: 4
- Thank you received: 0
30 Mar 2016 08:38 #85755
by jonathanbaird
VPN drops when renegotiating ISAKMP SA Phase 1 was created by jonathanbaird
Hi,
I am having a nightmare trying to get a stable IPSec VPN using either Main Mode or Aggressive mode between what seems to be any Draytek Vigor model and pfSense 2.2.6 or pfSense 2.3-BETA. The problem I am having is the DrayTek is sending a request to drop the VPN tunnel when it renegotiates the ISAKMP SA Phase 1. Phase 2 renegotiates no problems at all. Below is the Syslog output.
1412016-03-28 15:21:00Mar 28 15:18:38Vigor[L2L][DOWN][IPSec][@1:pfSense]
1412016-03-28 15:20:59Mar 28 15:18:38VigorBuffer Status: L:93, M:7, S:1174 --> delete garbage states.
1412016-03-28 15:20:59Mar 28 15:18:38Vigor==> Drop All VPN in delete_garbage_states.
Has anybody else come across this before? I appreciate this isn't a vendor to vendor setup, however as the peer firewall is located at a Datacentre, I am stuck with a software firewall. Any advice or guidance on this would be fantastic.
Happy to provide Syslog .log file for the DrayTek if needs be, can also provide the pfSense output although it takes a bit of scrutiny to make any sense of it!
I await hopefully some positive responses!
I am having a nightmare trying to get a stable IPSec VPN using either Main Mode or Aggressive mode between what seems to be any Draytek Vigor model and pfSense 2.2.6 or pfSense 2.3-BETA. The problem I am having is the DrayTek is sending a request to drop the VPN tunnel when it renegotiates the ISAKMP SA Phase 1. Phase 2 renegotiates no problems at all. Below is the Syslog output.
1412016-03-28 15:21:00Mar 28 15:18:38Vigor[L2L][DOWN][IPSec][@1:pfSense]
1412016-03-28 15:20:59Mar 28 15:18:38VigorBuffer Status: L:93, M:7, S:1174 --> delete garbage states.
1412016-03-28 15:20:59Mar 28 15:18:38Vigor==> Drop All VPN in delete_garbage_states.
Has anybody else come across this before? I appreciate this isn't a vendor to vendor setup, however as the peer firewall is located at a Datacentre, I am stuck with a software firewall. Any advice or guidance on this would be fantastic.
Happy to provide Syslog .log file for the DrayTek if needs be, can also provide the pfSense output although it takes a bit of scrutiny to make any sense of it!
I await hopefully some positive responses!
Please Log in or Create an account to join the conversation.
- macavity
- Offline
- Member
Less
More
- Posts: 225
- Thank you received: 0
01 Apr 2016 12:37 #85775
by macavity
Replied by macavity on topic Re: VPN drops when renegotiating ISAKMP SA Phase 1
On the DrayTek there is a Phase 1 and Phase 2 lifetime. It's under the advanced button of the LAN to LAN profile. Check to see if the lifetime is the same on both devices.
Another thing is that the lifetime can be set as number of bytes or number of sections on some devices. On DrayTek it's always in seconds, but check on the other device to see if there is any mention of bytes. It may be that the pfsense doesn't do lifetime based on bytes either but worth checking.
The advance button can also control what proposal is used for the phase 1 and phase 2. It could be worth trying to set the proposal specifically (eg AES256_SHA256_G14)
Another thing is that the lifetime can be set as number of bytes or number of sections on some devices. On DrayTek it's always in seconds, but check on the other device to see if there is any mention of bytes. It may be that the pfsense doesn't do lifetime based on bytes either but worth checking.
The advance button can also control what proposal is used for the phase 1 and phase 2. It could be worth trying to set the proposal specifically (eg AES256_SHA256_G14)
Please Log in or Create an account to join the conversation.
Moderators: Sami
Copyright © 2024 DrayTek