• NAT with multiple Phase2 entries does not seem to work correctly

    I am seeing the same thing here.

    I have the split connections box checked. Remote side has x8 P2's to our side which has x1 NAT'd IP

    Tunnel will come up with all x8 P2's up and working... after a period of time one or two or three will disappear and will not show in IPSEC status as a child that is down.

    I also note that the widget in the portal does not display the correct number of tunnels that are up and active.

    ver 2.4.5 rel + XG1537HA

  • Multiple Phase2 entries does not seem to work in IPSec.

    @jimp said in Multiple Phase2 entries does not seem to work in IPSec.:

    uld try it again but use a unique value corresponding to e

    172.31.1.60 and 10.10.10.1 ip for lan interfaces

    172.31.1.91<Nat>10.255.68.201

  • One static, 1 dynamic address ...

    OK. For anyone's interest, this does work.

    1 - Turn off automatic firewall rule creation on the pfSense.
    2 - Set the WAN address in phase 1 to 0.0.0.0
    3 - In phase 1 advanced, select responder only.
    4 - Create an any/any firewall rule in the IPsec rules.
    5 - Create UDP/500, UDP/4500 and ESP allow rules.

    And we have success, thanks in no small part to some very patient support staff.
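    What the five UI steps above amount to on the static side, written as a generic strongSwan ipsec.conf. This is an added illustration, not the file pfSense 2.4.5 generates (which has its own naming and layout); the addresses, subnets and identifier are constructed placeholders. The point worth seeing in text form is step 2: a remote gateway of 0.0.0.0 becomes `right = %any`, so the dynamic peer is no longer pinned by address and must be pinned by its identifier and pre-shared key instead.

```conf
# Added example: static side of a static-to-dynamic site-to-site tunnel
# (generic strongSwan syntax, not pfSense's generated config).
# All addresses, subnets and names below are constructed placeholders.
config setup
    uniqueids = yes

conn dynamic-branch
    keyexchange = ikev2

    # Static side: our WAN address, the identifier we present, our LAN.
    left = 203.0.113.10
    leftid = 203.0.113.10
    leftsubnet = 192.168.1.0/24

    # Dynamic side: "0.0.0.0" in the pfSense Phase 1 maps to %any, i.e.
    # accept IKE_SA_INIT from any source address...
    right = %any
    # ...so the peer must be authenticated by identifier, never by address.
    rightid = @branch.example.net
    rightsubnet = 10.10.10.0/24

    authby = psk
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!

    # "Responder only" (step 3): load the connection, never initiate it.
    # auto=start or auto=route would try to dial a peer whose address is unknown.
    auto = add

    # With a dynamic peer, clear the SA on DPD timeout and let it reconnect.
    dpdaction = clear
    dpddelay = 10s
```

    The matching `ipsec.secrets` entry is keyed to the identifier for the same reason: `203.0.113.10 @branch.example.net : PSK "..."` with a long random secret. On the firewall side, steps 4 and 5 admit IKE (UDP/500), NAT-T (UDP/4500) and ESP on WAN; the any/any rule on the IPsec tab is the quick way to get traffic flowing, and once the tunnel is stable it is worth narrowing it to the hosts and ports the branch actually needs.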

  • ipsec rsa auth issue

    jimp

    No, It's me stating that it works fine for myself and others, and requesting more information (which you still did not provide). If you give us enough information to help, we can help, but so far you have not given us anything to go on. We need details, such as logs and specifics about your configuration (like screenshots).

  • DNS IPSEC

  • OPENVPN and IPSEC on same pfsense SG3100 ?

    @Rico thanks, that will mean my problems are elsewhere !

  • DNS not working for Ipsec clients

    @cre8toruk Duh.. added UDP any any on the ipsec interface and voila ! Schoolboy error there ! :-)

  • IPSEC pfSense to PaloAlto

    Just forgot one thing: the pfSense is located behind a router that forwards UDP ports 500 and 4500 to it.

  • Encrypted GRE tunnel from Pfsense to Cisco Router

    No worries. Thanks anyways!

  • VPN error in logs every few mins, everything works but

  • IKEv2 with EAP-MSCHAPv2 changing from IP to DNS name

    jimp

    You shouldn't need to touch the cert on the clients. They would only have the CA, not the server cert.

    All you need to do is change the server cert and then change where the clients connect.

    And for the record, the cert should have the hostname and IP address in the SAN list. But if you put the hostname in the CN, pfSense automatically adds a SAN for that as well, so it should be fine.
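    A way to mint and check a server certificate that satisfies the SAN advice above, as an added example that is not from the thread or from pfSense's certificate manager. It builds a throwaway CA with openssl, issues a server certificate whose CN is the hostname and whose SAN carries both the DNS name and the IP address, and then reads the SAN back so it can be eyeballed before the cert is uploaded. The hostname, IP and paths are constructed placeholders; the `extendedKeyUsage = serverAuth` line is an addition beyond what the post says, included because Windows IKEv2 clients reject a server certificate without the Server Authentication EKU.

```shell
#!/bin/sh
# Added example: generate an IKEv2 server certificate with DNS + IP in the SAN
# and verify the SAN contents. Not pfSense code; names/IPs are placeholders.

# make_ikev2_server_cert HOSTNAME IP OUTDIR
# Creates OUTDIR/ca.crt, OUTDIR/server.key, OUTDIR/server.crt.
make_ikev2_server_cert() {
    host="$1"   # assumed hostname clients will connect to, e.g. vpn.example.net
    ip="$2"     # assumed public IP clients may still use, e.g. 203.0.113.10
    dir="$3"    # output directory
    mkdir -p "$dir"

    # Throwaway CA for the demonstration. In production, sign with the CA that
    # the clients already trust (pfSense's own CA), not a new one.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server key and CSR; CN = hostname, matching what pfSense does by default.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # Extensions: SAN with both the DNS name and the IP, plus the serverAuth EKU
    # that Windows IKEv2 clients require (added caveat, not from the post).
    cat > "$dir/server.ext" <<EOF
subjectAltName = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
EOF

    openssl x509 -req -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 825 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# cert_san CERTFILE
# Prints the SAN values on one line, e.g. "DNS:vpn.example.net, IP Address:203.0.113.10"
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2p' | sed 's/^ *//'
}

# cert_chain_ok CAFILE CERTFILE
# Prints "ok" when CERTFILE validates against CAFILE, "bad" otherwise.
cert_chain_ok() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo bad; fi
}
```

    When renaming an existing deployment from IP to hostname, issue the new server certificate with both values in the SAN first, swap it into the Phase 1, and only then repoint the clients; clients that still dial the IP keep validating, and clients moved to the hostname validate too. The clients themselves only need the CA, exactly as the reply says.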

  • Interface (ipsec6000) not being added for VTI tunnel

    I changed it to use a gateway group, as per https://forum.netgate.com/topic/52963/ipsec-multi-wan-failover now it works as expected.

  • IPsec tunnel(s) to 1 host with no network behind it.

  • IPsec and OpenVPN

  • Adding a second IPSec Tunnel to a different gateway

  • IPSEC mobile client question - DNS and Routin

  • IPSEC Phase 2 address configuration causing SSL

    More details are in the attached file. I cannot seem to add it here, because it's supposedly spam.
    A little frustrating.

    MoreDetails.txt

  • IPv4 VTI tunnel - set network mask

    @jimp said in IPv4 VTI tunnel - set network mask:

    It is intended to assume /30 there since it's point-to-point. Though I could see how /31 might work for some.

    We recently did fix a bug here, https://redmine.pfsense.org/issues/10418, but that was after 2.4.5 was created.
    Ok, then I know why.

    In 2.4.5 you could change the mode to tunnel, change the type to network, then fix the mask, then switch back to VTI and save.
    We might have to revisit https://redmine.pfsense.org/issues/10418 before the next release yet.

    The work-around works. I can live with that for now. Thanks for the hint.
    Edit: the assigned interface does not seem to come up.

    I changed this particular tunnel to be a /30 to check. The interface does not show up when calling "ifconfig" from the command line. It can be assigned under "Interfaces / Interface Assignments". The IPsec tunnel shows as up in the IPsec status tab. -> New thread for this issue as I see it with a separate tunnel as well: https://forum.netgate.com/topic/152246/interface-ipsec6000-not-being-added-for-vti-tunnel

  •

    jimp

    If this is in IPsec tunnel mode, then you'll need a route setup like https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/accessing-firewall-services-over-ipsec-vpns.html to nudge the firewall to use the LAN as the source address when sending traffic through IPsec from the firewall itself.

    VTI mode IPsec would work much better, but the traffic would be sourced from the VTI interface address so you'd need to account for that in the firewall rules/other config on the remote end.

  • L2tp Not Working - Connection In Progress (Windows 10)

    jimp

    Read the warning at the top of the page: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/l2tp-ipsec.html

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.