With the release of NGFW version 11.1 comes a new IPSec VPN backend. Part of that change is the removal of the "Perfect Forward Secrecy (PFS)" option in the Tunnel configuration. This has caused some confusion for many customers as we disable PFS by default on upgrade. If you were using PFS and upgraded to v11.1, all of your VPN tunnels will drop.
There are two fixes for this:
- Set Phase 1 and Phase 2 PFS Group to the same settings on both ends of the tunnel.
- Remove the tunnel completely and create a new VPN tunnel with the same settings as the original.
Changing PFS Group in Manual Phase 1 and 2
The easiest solution for tunnels that stop working after the upgrade to 11.1 is to configure Phase 1 and Phase 2 manually so that the group settings match on both ends of the tunnel.
- Go to IPSec VPN > IPSec Tunnels, click Edit on the VPN tunnel to be modified.
- At the bottom of the Edit window are two check boxes labeled "Phase 1 IKE/ISAKMP Manual Configuration" and "Phase 2 ESP Manual Configuration".
- Check both boxes and configure both to match the settings on the other end of the tunnel.
- Apply the changes and the tunnel should come up within a few seconds. If not, proceed to the second option below (removing the current tunnel and creating a new one).
Removing the Current Tunnel and Creating New
Though it's more time-consuming to implement, the method that almost always fixes this issue is to completely remove the existing tunnel and create a new one with the same settings.
- Go to IPSec VPN > IPSec Tunnels, and click the x next to the tunnel you want to recreate. Before removing it, you may want to click Edit and copy down the current tunnel configuration to use as a reference when recreating it.
- Click Apply to finish removing the tunnel configurations.
- Click Add.
- Re-enter the same information from the previous tunnel. We recommend assigning a different Description to the tunnel to ensure that any residual configuration files are not re-used by the new tunnel.
- Check the boxes labeled "Phase 1 IKE/ISAKMP Manual Configuration" and "Phase 2 ESP Manual Configuration". Re-enter the Phase configurations from the previous tunnel.
NOTE: To disable PFS, set the Phase 2 PFS Key Group to "0 (disabled)".
- Apply the changes and the tunnel should come up within a few seconds.
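The following is an added example, not code from the NGFW product or this article. It models both ends of a tunnel with the Phase 1 (IKE) and Phase 2 (ESP) values the Edit window asks for, shows why the upgrade's "PFS disabled" default breaks a tunnel whose peer still expects a PFS group, and checks that either fix (matching groups on both ends, or "0 (disabled)" on both ends) leaves nothing mismatched. The dataclass field names, gateway labels and the `apply_11_1_upgrade_default` helper are assumptions chosen for the example; the group numbers are the standard IKE Diffie-Hellman group identifiers.

```python
# Added example (not the NGFW's own code): compare the manual Phase 1/Phase 2
# settings of two tunnel endpoints and report what would keep the tunnel down.
from dataclasses import dataclass, replace
from typing import List

# IKE Diffie-Hellman group identifiers. In Phase 2, group 0 means "PFS disabled"
# (the "0 (disabled)" value in the NGFW Edit window).
DH_GROUP_NAMES = {0: "disabled", 1: "modp768", 2: "modp1024", 5: "modp1536",
                  14: "modp2048", 15: "modp3072", 16: "modp4096"}


@dataclass(frozen=True)
class Phase:
    encryption: str   # e.g. "aes128", "3des"
    hash: str         # e.g. "sha1", "sha256"
    group: int        # Phase 1: IKE DH group; Phase 2: PFS key group (0 = off)
    lifetime: int     # seconds; lifetimes are negotiated, so they are not compared


@dataclass(frozen=True)
class TunnelEnd:
    name: str         # hypothetical label for the gateway
    phase1: Phase
    phase2: Phase


def _group_name(g: int) -> str:
    return f"{g} ({DH_GROUP_NAMES.get(g, 'unknown')})"


def compare_phase(label: str, pa: Phase, pb: Phase, a_name: str, b_name: str) -> List[str]:
    """Return human-readable mismatches for one phase; empty list means compatible."""
    problems = []
    if pa.encryption != pb.encryption:
        problems.append(f"{label}: encryption differs "
                        f"({a_name}={pa.encryption}, {b_name}={pb.encryption})")
    if pa.hash != pb.hash:
        problems.append(f"{label}: hash differs ({a_name}={pa.hash}, {b_name}={pb.hash})")
    if label == "Phase 1" and 0 in (pa.group, pb.group):
        # IKE always performs a DH exchange; "disabled" is only meaningful for PFS.
        problems.append("Phase 1: group 0 is not valid for IKE; choose a real DH group")
    if pa.group != pb.group:
        detail = f"{a_name}={_group_name(pa.group)}, {b_name}={_group_name(pb.group)}"
        if label == "Phase 2" and 0 in (pa.group, pb.group):
            problems.append(f"Phase 2: PFS is enabled on one end only ({detail}); "
                            "set the same PFS group on both ends, or 0 (disabled) on both")
        else:
            problems.append(f"{label}: group mismatch ({detail})")
    return problems


def check_tunnel(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """All Phase 1 and Phase 2 problems between two endpoints."""
    return (compare_phase("Phase 1", a.phase1, b.phase1, a.name, b.name)
            + compare_phase("Phase 2", a.phase2, b.phase2, a.name, b.name))


def apply_11_1_upgrade_default(end: TunnelEnd) -> TunnelEnd:
    """Model the behaviour the article describes: after the 11.1 upgrade the
    PFS option is gone and PFS is disabled, i.e. the Phase 2 group becomes 0.
    (Assumed helper for the example, not a product function.)"""
    return replace(end, phase2=replace(end.phase2, group=0))


def demo():
    """Constructed sample: a tunnel that matched before the upgrade."""
    local = TunnelEnd("ngfw", Phase("aes128", "sha1", 14, 28800), Phase("aes128", "sha1", 14, 3600))
    peer = TunnelEnd("peer", Phase("aes128", "sha1", 14, 28800), Phase("aes128", "sha1", 14, 3600))

    before = check_tunnel(local, peer)                  # [] - tunnel is up
    upgraded = apply_11_1_upgrade_default(local)
    after = check_tunnel(upgraded, peer)                # one Phase 2 PFS problem
    # Fix 1 from the article: manual Phase 2 configuration with the peer's PFS group.
    fixed = replace(upgraded, phase2=replace(upgraded.phase2, group=14))
    # Alternative: disable PFS on both ends with "0 (disabled)".
    both_off = check_tunnel(upgraded, apply_11_1_upgrade_default(peer))
    return before, after, check_tunnel(fixed, peer), both_off


if __name__ == "__main__":
    for stage, result in zip(("before upgrade", "after upgrade", "after fix", "PFS off both ends"), demo()):
        print(f"{stage}: {result or 'OK'}")
```

Run it as-is to see the upgraded endpoint fail only on the Phase 2 PFS group, then come back up once both ends agree. Pointing `check_tunnel` at the values you copied down from the Edit window of each gateway is a quick way to confirm the two configurations match before applying them.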