With the release of NGFW version 11.1 comes a new IPSec VPN back end. Part of that change is the removal of the "Perfect Forward Secrecy (PFS)" option from the Tunnel configuration. This has caused some confusion for many customers, because PFS is disabled by default on upgrade. So, if you were using PFS and version 11.1 gets installed, all of your VPN tunnels will drop.
There are two fixes for this:
- Set Phase 1 and Phase 2 PFS Group to the same settings on both ends of the tunnel.
- Remove the tunnel completely and create a new VPN tunnel with the same settings as the original.
Changing PFS Group in Manual Phase 1 and 2
The easiest solution for those tunnels that stop working after the upgrade to 11.1 is to modify the Phase 1 and Phase 2 settings to the same Group.
- Go to IPSec VPN Settings > IPSec Tunnels, click Edit on the VPN tunnel to be modified.
- At the bottom of the Edit window are two check boxes labeled "Phase 1 IKE/ISAKMP Manual Configuration" and "Phase 2 ESP Manual Configuration".
- Check both boxes and configure both to match the settings on the other end of the tunnel.
- Apply the changes; the tunnel should come up within a few seconds. If it does not, proceed to the second option below, Removing the Current Tunnel and Creating New.
Removing the Current Tunnel and Creating New
The method that almost always fixes the issue, though longer to complete, is to completely remove the existing tunnel and create a new one with the same settings.
- Go to IPSec VPN Settings > IPSec Tunnels, and click the x next to the tunnel you want to recreate. You may want to copy down the current tunnel configuration to use as a reference when recreating it; click Edit to view and copy it before proceeding.
- Click Apply to finish removing the tunnel configurations.
- Click Add.
- Re-enter the same information from the previous tunnel. We do recommend assigning a different Description to the tunnel to ensure that any residual configuration files are not re-used by the new tunnel.
- Check the boxes labeled "Phase 1 IKE/ISAKMP Manual Configuration" and "Phase 2 ESP Manual Configuration". Re-enter the Phase configurations from the previous tunnel.
NOTE: To disable PFS, set the Phase 2 PFS Key Group to "0 (disabled)".
- Apply the changes; the tunnel should come up within a few seconds.
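To make the failure mode concrete before touching a production appliance, here is an added Python model of the situation described above. It is not the NGFW's own code or configuration format: the tunnel inventory, the field names, and the assumption that the upgrade carries Phase 1 settings over unchanged while resetting the local Phase 2 PFS group to 0 are all constructed for this illustration. It reports which tunnels would stop negotiating after the upgrade and shows the first fix (matching the peer's Phase 1 and Phase 2 groups) applied.

```python
from __future__ import annotations
from dataclasses import dataclass, replace

PFS_DISABLED = 0  # the "0 (disabled)" Phase 2 PFS Key Group value from the article


@dataclass(frozen=True)
class TunnelEnd:
    """One side of a tunnel. Groups are IKE DH group numbers (e.g. 2, 5, 14);
    phase2_pfs_group == 0 means PFS is off for the Phase 2 (ESP) SA."""
    phase1_group: int
    phase2_pfs_group: int


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: TunnelEnd   # the NGFW being upgraded
    remote: TunnelEnd  # the peer, which the upgrade does not change


def simulate_upgrade(end: TunnelEnd) -> TunnelEnd:
    """Model of the 11.1 behaviour: the PFS option is removed and PFS is
    disabled by default, so the local Phase 2 PFS group becomes 0.
    (Assumption: Phase 1 settings are carried over unchanged.)"""
    return replace(end, phase2_pfs_group=PFS_DISABLED)


def diagnose(tunnel: Tunnel) -> list[str]:
    """Return the reasons the tunnel would fail to negotiate, if any.
    Phase 1 must agree on the DH group; Phase 2 must agree on the PFS group,
    where 'both disabled' (0 on both ends) also counts as agreement."""
    problems = []
    if tunnel.local.phase1_group != tunnel.remote.phase1_group:
        problems.append(
            f"{tunnel.name}: Phase 1 group {tunnel.local.phase1_group} != "
            f"peer {tunnel.remote.phase1_group}")
    if tunnel.local.phase2_pfs_group != tunnel.remote.phase2_pfs_group:
        problems.append(
            f"{tunnel.name}: Phase 2 PFS group {tunnel.local.phase2_pfs_group} != "
            f"peer {tunnel.remote.phase2_pfs_group}")
    return problems


def match_peer(tunnel: Tunnel) -> Tunnel:
    """Fix option 1: set the local Phase 1 and Phase 2 groups to the peer's values
    (what the manual Phase 1 / Phase 2 check boxes let you do in the UI)."""
    fixed_local = replace(tunnel.local,
                          phase1_group=tunnel.remote.phase1_group,
                          phase2_pfs_group=tunnel.remote.phase2_pfs_group)
    return replace(tunnel, local=fixed_local)


def audit(tunnels: list[Tunnel]) -> dict[str, list[str]]:
    """Run the upgrade model over every tunnel and report the ones that break."""
    report: dict[str, list[str]] = {}
    for t in tunnels:
        upgraded = replace(t, local=simulate_upgrade(t.local))
        problems = diagnose(upgraded)
        if problems:
            report[t.name] = problems
    return report


# Constructed sample inventory (not real configuration data).
SAMPLE_TUNNELS = [
    # Site A used PFS with group 14 on both ends: breaks after the upgrade.
    Tunnel("site-a", TunnelEnd(14, 14), TunnelEnd(14, 14)),
    # Site B never used PFS: unaffected.
    Tunnel("site-b", TunnelEnd(5, PFS_DISABLED), TunnelEnd(5, PFS_DISABLED)),
]

if __name__ == "__main__":
    for name, problems in audit(SAMPLE_TUNNELS).items():
        print(name, "->", "; ".join(problems))
        broken = Tunnel(name, simulate_upgrade(SAMPLE_TUNNELS[0].local),
                        SAMPLE_TUNNELS[0].remote)
        print("after match_peer:", diagnose(match_peer(broken)) or "OK")
```

Running it lists only site-a, with the Phase 2 mismatch (local 0 versus peer 14) as the cause, and shows that copying the peer's groups clears it. The same check is what you are doing by hand in the Edit window: the peer has not changed, so the local Phase 1 and Phase 2 groups simply need to be brought back to the values the peer still expects, or set to 0 on both sides if PFS is genuinely not wanted.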