  • Pfsense IPsec keepalive

    0 Votes
    2 Posts
    1k Views
    DerelictD

    It means that you cannot initiate pings from a source address that is not on the firewall itself.

    For instance, if you have a Phase 2 tunnel between a local network that is behind another router on your side and a network on the remote side, the firewall itself cannot generate an interesting ping to bring up a tunnel because it cannot ping sourced from an address that is not on the firewall.

    In that case you would have to generate a keepalive ping from the network interesting to IPsec.

  • pfSense creating multiple P2 (child SA) entries

    0 Votes
    3 Posts
    924 Views
    DerelictD

    They are rekeyed tunnels. They are harmless.

    They are kept around in case the other side sends traffic for the old SA, which sometimes happens with some IPsec implementations.

    They are visible there for the time between the rekey and the full lifetime expiration.

    Are you experiencing actual traffic flow issues or do you just not like to see them listed?

  • 0 Votes
    1 Posts
    464 Views
    No one has replied
  • IPsec with IPcomp - pfsense 2.4.4-RELEASE-p1

    0 Votes
    3 Posts
    879 Views
    T

    Thanks for that info. At least my memory about the fact that there was a problem is correct!

    I guess the only other comment is that, as noted by others in the ticket, the compression option is far from "little used".

    Thanks again.

  • Slow vpn, idle cpu

    0 Votes
    1 Posts
    359 Views
    No one has replied
  • IPSEC site to site tunnel between Monowall and Pfsense, rekey-issues

    0 Votes
    3 Posts
    639 Views
    K

    andreas,

    you can try what I did on this post and see if it helps to keep your tunnels established. I suspect you have little to no traffic on this link. Don't know if it will help in your particular case... but, I don't see why it wouldn't help a bit:

    https://forum.netgate.com/topic/138571/ipsec-tunnels-stop-passing-traffic

    ktbrown
  • IPSEC tunnels stop passing traffic

    0 Votes
    3 Posts
    1k Views
    K

    I had the same issue with pfsense to pfsense ipsec tunnels showing connected but traffic wasn't passing. My particular problem was every few hours... not every week. Nothing in the configuration on both ends helped in P1 or P2 settings. I don't have tons of traffic on these tunnels... but, I wanted them to stay established for quicker response. Don't know if it will solve your issues or not... but, my work-around was to set the P2 "automatically ping host" to an ip on the remote end... which only pings every 4 minutes (by default) and change the default to 10 seconds. Seemed to be something with the tunnels timing out and re-establishing would eventually work (re-establish) after 1-2 minutes of continuous pings from a desktop.

    Solution (which I found on a separate issue on a separate post) was to change the ipsec P2 ping times from 4 minutes (240 sec) to 10 seconds to keep ipsec tunnels alive. And from what I have seen, ipsec tunnels have been stable (for a week).

    ** Careful with this... but, here are the steps I took.

    1.) Go to Diagnostics / Edit File
    2.) Click on "Browse"
    3.) go to the /etc directory
    4.) Click on "pfSense-rc" (in the root of etc)

    5.) Add the following (you will find towards the bottom of the config file - about 1 page up):

    #Start ping handler every 240 seconds
    /usr/local/bin/minicron 240 $varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh

    Change that line to:

    #Start ping handler every 10 seconds
    /usr/local/bin/minicron 10 $varrunpath/ping_hosts.pid /usr/local/bin/ping_hosts.sh

    6.) Save config
    7.) reboot

    Note: if you upgrade the code, this file will most likely default back to the 240 seconds and will need to be changed again.

  • VPN IPSec - one site has a dynamic ip

    0 Votes
    7 Posts
    11k Views
    B

    @kts-tec said in VPN IPSec - one site has a dynamic ip:

    On the lancom I can set the identifier to mail (fqun).
    I don't find an identifier on the pfsense for mail (fqun). Is it possible to use a fqun on the pfsense as identifier?

    I'm talking about the dyndns with the it department.

    In phase1, select my identifier, or peer identifier, and all options are there.

  • L2TP/IPSec routing to other subnets

    0 Votes
    3 Posts
    876 Views
    B

    I did this so when I use OpenVPN I can also access other subnets I want that are connected with ipsec.

    On the PFSense I OpenVPN to, which is connected to all the ipsec tunnels, I add a phase 2 entry with the local subnet of OpenVPN eg. 10.0.10.0/24 and the remote subnet of whatever is on the other side. On the other side, I use the remote subnet of OpenVPN eg. 10.0.10.0/24.

    One site is an old Cisco RV042 I have a tunnel from my PFSense... so what I did was I added the phase 2 on PFSense, but had to create a new site to site VPN tunnel on the RV042 and just different settings for the phase 2, this is because I cannot add multiple phase 2 to VPN on RV042 - I am surprised that it worked.

  • Site to Site IPsec tunnel with Cisco and pfsense

    0 Votes
    20 Posts
    4k Views
    M

    Hi again!
    I have a little question about the above configuration!
    I calculated the MTU over the ipsec tunnel and enabled 'Enable MSS clamping on VPN traffic' with a 1486 value! Over the ipsec tunnel clients can see the 2 LANs without any problem.
    But GRE or L2TP/IPsec connections seem to have an MTU problem. My clients on the remote LAN use a Windows L2TP/IPsec connection to connect to another VLAN on the main site over the Cisco-pf ipsec tunnel,
    but cannot access some services like https or big objects like images on http. It seems to be an MTU problem!?
    BTW, my ipsec tunnel on the cisco side runs over a PPPoE connection. I set 'ip mtu' and 'ip tcp adjust-mss' on the PPPoE interface!
    Any help?!

  • 0 Votes
    2 Posts
    383 Views
    M

    I did go to the 172 router and add a default route of the lower PFS... and it works, but there are a few PFS connected to each other off the lower PFS, all via OSPF. I didn't want to use static as if lower goes away, the static may blackhole and not use other ABRs.

  • Azure IPSEC to PFSense connected but no traffic

    0 Votes
    2 Posts
    512 Views
    G

    @genesis_mp

    Solution was soo simple! 😌

    The Servers on Datacenter 1 had a static route in the network configuration to go over the external Firewall for this kind of subnet...

    Changed the static routing with -p and all worked! 😀

  • IPSEC over PPPOE VIPs not working

    0 Votes
    5 Posts
    905 Views
    M

    Hi, @syndicate604's coworker here.

    Could anyone confirm if there's any restriction when using IP Alias as IPsec VPN? I think we checked various things but we might have missed something.

    Our setup is:

    Hardware: XG-7100 Desktop BIOS: ADI_PLCC-01.00.00.10 2.4.4-RELEASE

    As @syndicate604 said, everything but IPsec VPN seemed fine. The connection to the ISP (via PPPoE) was up. Internet access using NAPT was fine. We'll try it again for further investigation but before doing this we'd like to make sure it's a supported setup.

    Thanks,

  • GRE tunnels over IPSEC, changing routing for failover?

    0 Votes
    3 Posts
    689 Views
    B

    pfSense has VTI mode IPSEC - how cool is that?
    I'm off to play with some test boxes... :-)
    For anyone else reading this thread, I found docs here

  • Only Windows won't connect to IPSEC Tunnel

    0 Votes
    2 Posts
    2k Views
    L

    To my knowledge Windows 10 does not support IKEv1 anymore; at least it is not listed in the article below and you have no GUI setting besides "automatic" which could match.
    https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/vpn-connection-type
    You should use IKEv2 or use some Third-Party Client SW on Windows.

  • Any chance to speed up bugfix?

    0 Votes
    4 Posts
    630 Views
    L

    Thanks, I will see how to create a bounty.

  • Dual Stack IKEv2 on virtual IP

    0 Votes
    2 Posts
    409 Views
    L

    This is to my knowledge a limitation of the GUI. You can only choose Dual-Stack with an Interface which has both IPv4 and IPv6 assigned, a VIP is either IPv4 or IPv6.
    We have changed our setup to use the WAN IPv4 / IPv6 as VPN Endpoint and use VIP for the other Services, mostly for NAT which is IPv4 only anyway.

  • Kerio + Pfense / ipsec

    0 Votes
    1 Posts
    381 Views
    No one has replied
  • IPSEC Mobile tunnel only establishes after ping.

    0 Votes
    1 Posts
    272 Views
    No one has replied
  • PfSense 2.4.1 - ikev2 IPSEC tunnel under load crashes whole firewall VM

    0 Votes
    30 Posts
    7k Views
    L

    Just wanted to confirm here that the AES-GCM crashes with AES-NI on our SG-8860 are indeed gone now on pfSense 2.4.4. No crashes since I restarted testing AES-GCM a few weeks ago.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.