You are right. SA expires before rekey. Set pfs to none and will monitor..Yes, they establish correctly. But do they rekey without issue? Have a look at your log...Thats odd - I've got pfs set in phase 2 and the IKEv2 tunnel establishes correctly:
Search found 3 matches
- Tue Dec 29, 2020 1:51 pm
- Forum: Announcements
- Topic: v6.48 [stable] is released!
- Replies: 265
- Views: 45934
Re: v6.48 [stable] is released!
- Mon Dec 28, 2020 1:51 am
- Forum: Announcements
- Topic: v6.48 [stable] is released!
- Replies: 265
- Views: 45934
Re: v6.48 [stable] is released!
Yes, that's what should be set to none IMHO. Look at first line, dh-group=modp4096 is used for dh in phase 1 and for PFS in phase 2. Thats odd - I've got pfs set in phase 2 and the IKEv2 tunnel establishes correctly: # model = RB4011iGS+5HacQ2HnD # serial number = xxxx /ip ipsec profile add dh-grou...
- Tue Apr 28, 2020 12:59 pm
- Forum: Announcements
- Topic: v6.47beta [testing] is released!
- Replies: 269
- Views: 129395
Re: v6.47beta [testing] is released!
Have a site-to-site (IKEv2 & pre-shared key) running between my RB4011 and a USG4 appliance in the office. Configuration unchanged from 6.46.5. If I update to 6.47b60 then whilst the tunnel is still established (confirmed by SA status within Ipsec menu) I cant access the other site. No pings etc...