DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN drops when renegotiating ISAKMP SA Phase 1

  • jonathanbaird
  • Topic Author
  • Offline
  • New Member
  • New Member
More
30 Mar 2016 08:38 #85755 by jonathanbaird
VPN drops when renegotiating ISAKMP SA Phase 1 was created by jonathanbaird
Hi,

I am having a nightmare trying to get a stable IPSec VPN using either Main Mode or Aggressive mode between what seems to be any Draytek Vigor model and pfSense 2.2.6 or pfSense 2.3-BETA. The problem I am having is the DrayTek is sending a request to drop the VPN tunnel when it renegotiates the ISAKMP SA Phase 1. Phase 2 renegotiates no problems at all. Below is the Syslog output.

1412016-03-28 15:21:00Mar 28 15:18:38Vigor[L2L][DOWN][IPSec][@1:pfSense]
1412016-03-28 15:20:59Mar 28 15:18:38VigorBuffer Status: L:93, M:7, S:1174 --> delete garbage states.
1412016-03-28 15:20:59Mar 28 15:18:38Vigor==> Drop All VPN in delete_garbage_states.

Has anybody else come across this before? I appreciate this isn't a vendor to vendor setup, however as the peer firewall is located at a Datacentre, I am stuck with a software firewall. Any advice or guidance on this would be fantastic.

Happy to provide Syslog .log file for the DrayTek if needs be, can also provide the pfSense output although it takes a bit of scrutiny to make any sense of it!

I await hopefully some positive responses! :D

Please Log in or Create an account to join the conversation.

More
01 Apr 2016 12:37 #85775 by macavity
On the DrayTek there is a Phase 1 and Phase 2 lifetime. It's under the advanced button of the LAN to LAN profile. Check to see if the lifetime is the same on both devices.

Another thing is that the lifetime can be set as number of bytes or number of sections on some devices. On DrayTek it's always in seconds, but check on the other device to see if there is any mention of bytes. It may be that the pfsense doesn't do lifetime based on bytes either but worth checking.

The advance button can also control what proposal is used for the phase 1 and phase 2. It could be worth trying to set the proposal specifically (eg AES256_SHA256_G14)

Please Log in or Create an account to join the conversation.

Moderators: Sami