Hello,

I fixed this by applying the patch listed here:

https://redmine.pfsense.org/issues/11933

Thanks.

@rostyslav-didus

4.For some reason after pfsense reboot,it doesn't bring up Chield SA entries.
Maybe,I haven't noticed some mark to bring it up automatically?
-240 18-11-21.png

@cswroe thanks for quick reply I appreciate it.

maybe you could give a hint regarding load balancing algorithm in case with specific remote LAN reachable behind two separate tunnels? will it be ECMP?

pfsense-p2.png

OK, I found this answers my question:

https://forum.netgate.com/topic/113227/ikev2-vpn-for-windows-10-and-osx-how-to

In short, it needs a workaround - add-vpnconnectionroute.

Thanks
Adrian

@viktor_g Thanks - i'll give that a try

Hello,

Kind reminder :)

@spearhead1 As you say that both phase 2 SA are connected, can you see packets going out when you go to Status / IPsec / Overview and click on + Show chiild SA entries?

If not, can you see the unencrypted traffic coming from 10.225.172.0/24 in a packet capture?

If yes, can you confirm that this is the right traffic by doing a packet capture on the IPsec interface?

@rex2020
as a quick workaround, i muted all logging controls by setting them to silent:

a9470e32-0f66-44fc-a0b0-80d3faca2e9f-grafik.png

https://forum.netgate.com/topic/163221/constraint-check-failed-rule_crl_validation-is-stale-but-requires-at-least-good/3

Same issue as this one, which had no responses.

@lst_hoe

@periko I would like to know if it is planned to add route pushing to Windows clients using DHCP option?

Thanks.

@jimp I'd love to see an opinion from Netgate about this scenario when you got some time; can't be that I'm the only one running site to site IPsec tunnels with dynamic IPs and FQDNs as identifiers.

@rai80 Thank you - I saw that bug report but still couldn't get things working.

However, on this thread @stephenw10 answered a general query I had about PMTUD not appearing to work. It seems that PMTUD with policy-based IPSec does not work, but it does work with route-based IPSec. In my case, I have been using a policy-based IPSec tunnel. As soon as I set up route-based IPSec (with static routes at the moment, but I'm sure BGP will work too) then my RADIUS/EAP-TLS issue disappeared - and with scrubbing enabled (i.e. default pfSense settings).

@tomwork Thank you for sharing this great script, we have the same problem with the AWS tunnels ;-)
We have a CARP HA setup and wanted to have it on both nodes.
Therefore we need a check, that the script only starts down tunnels only if the CARP state is MASTER and is not active on the BACKUP node.
Here it is - there may be better solutions but it works

#!/bin/sh # check for MASTER master=`ifconfig | grep "carp: MASTER"` if [ -z "$master" ]; then echo "CARP Backup => exit script" exit; fi echo "CARP Master verifying IPSec tunnels..." tunnels=$( /usr/local/sbin/ipsec statusall | /usr/bin/grep dpddelay | /usr/bin/cut -d':' -f1 | /usr/bin/tr -d ' ' ) for i in $tunnels; do if /usr/local/sbin/ipsec status $i | /usr/bin/grep -q 'no match'; then echo "tunnel $i down" /usr/local/sbin/ipsec up $i fi

Much obliged !