If I had such rekeying issues, one or more of the following was maybe not
in the right shape:
Key times to live, different TTL on both sides for the resp. component (DH, AH ...)
Key lengths/algorithms (rare)
Timing issues due to packet flow (very often, due to policy-based routing in the net)
On Tue, Feb 24, 2015 at 8:02 AM, Brian Candler b.cand...@pobox.com wrote:
We appear to have the same problem here after upgrading a box from pfSense
2.1.5 to 2.2. The other side is a Cisco ASA5505.
X.X.X.219 = pfSense, internal subnet 10.19.0.0/16
Y.Y.Y.155 = Cisco, internal subnet 10.26.0.0/16
On 24/02/2015 20:33, Chris Buechler wrote:
That's this:
https://redmine.pfsense.org/issues/4178
Disabling Unity on the Advanced tab, followed by a manual stop and
start (not just restart) of strongswan, may resolve that. There was one
person reporting that wasn't adequate, the plugin had to be
Excellent clue!
On 02/24/2015 08:15 AM, Brian Candler wrote:
However based on Nagios logs, after the tunnel has been up for pretty
much exactly one hour, it drops out again. This would coincide with
the P2 SA expiring and being re-negotiated.
It would be *really* helpful if the debug message
Interestingly, if we kick the tunnel from the pfSense GUI, it negotiates
both P1 and P2 successfully.
pfSense log:
Feb 24 14:06:42 charon: 07[ENC] generating QUICK_MODE request 1807616002 [ HASH ]
Feb 24 14:06:42 charon: 07[IKE] CHILD_SA con1000{1} established with SPIs _i
Here is the log we get from the Cisco:
2015 Feb 24 13:20:03 Group =