IPSEC site to site VPNs do not work after upgrade to PFsense 5
-
There is no version "5". Perhaps you meant 2.5.x?
The error you show there is what happens when you manually stop the pcscd process. Search the forum, it's well covered, along with workarounds to disable pcscd permanently.
-
@jimp Yes 2.5.x and up.
Sorry was out of my mind tired when I posted.
-
@jimp said in IPSEC site to site VPNs do not work after upgrade to PFsense 5:
pcscd
Not sure what to do or try here.
The "fix" appears to be a link that will not load.
hide pcscd from the service list if not enabled:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/304
-
gitlab appears to be down. Is this temporary or was it moved?
-
@n8lbv said in IPSEC site to site VPNs do not work after upgrade to PFsense 5:
gitlab appears to be down. Is this temporary or was it moved?
That is a private site, but it's not necessary to get the fix. You just need to add the hash of the patch listed on the redmine issue to the system patches package.
-
@jimp said in IPSEC site to site VPNs do not work after upgrade to PFsense 5:
add the hash of the patch
Thanks!
I currently do not know exactly what "add(ing) the hash of the patch" means exactly or how to go about it.
I need to spend some more time on this, it's been long enough and I have since just stuck with 2.4.5 as the solution and any new VPN deployments have been 2.4.5 because for me it just works for all the simple site to site IPSEC and OPENVPN stuff I have been doing.
I've not yet developed my familiarity with 2.5.x and spent the time to figure out how to make it work for me and work toward getting everyone (everything) more up to date.
-
@jimp Giving this a try.
Never worked with patches before and did not realize how simple this is to get and apply a patch.
Will see how that goes.
I'm not sure if the original problem arises from having done an upgrade to 2.5.2 from 2.4.5 versus starting fresh with a clean install of 2.5.2
Anyhow I'm going to bring up a couple of clean install systems with 2.4.5 and see if they are able to work with an IPSEC tunnel brought up versus systems with a working IPSEC site to site VPN that were working on 2.4.5 then upgraded to 2.5.2
As well as after trying the patch in both flavors.
-
If I could edit the title and initial question to make this thread more useful in searches I would.
-
This immediately fixed the "problem" in the logging.
However my base problem remains.
I am unable to use VPN functionality in either IPSEC or OPENVPN.
What used to always work with ease for me.. both site to site IPSEC vpns and OPENVPN setups with a server and mobile clients on 2.4.5 and older which was always easy.
Flat out is not working for me on 2.5.X
I have 2.4.5 deployed all over the place.
I have determined since the release of 2.5 that none of them (installations of 2.4.5) can be simply upgraded as all VPN functionality immediately dies if upgraded.
I still need to test on clean installations of 2.5.2 and newly configured VPN arrangements see if they work or not. I swear I tried this early on when 2.5.0 was released but now I'm not sure and need to go back & re-test.
-
Do you think at this point I should start a new thread?
I can proceed in one of two ways (or both ways)
- Start posting IPSEC logs here looking for help in why it will not connect.
- Try on two new fresh installs of 2.5.2 and see if they will bring up a tunnel and connect out of the box.
In an effort to figure out if it's not working out of the box or if it's not working because I'm on a 2.5.2 box that was upgraded in place from 2.4.5.
-
And here I am pretty much where I started..
Ipsec and openVPN on any working system I upgrade from 2.4.5 -to- 2.5.X (now 2.5.2) do not work.
Deleting ALL VPN configs and trying to re-create them from scratch do not work.
Yes, we will need to look at logs & all that to go any further.
I have been in this boat since 2.5.0 was released..
And as a result all of my systems out there have been kept on 2.4.5 because they work and work well.
I'm eventually going to have to deal with this and figure out what my problem is.
At this point I'm not sure if I need to start fresh with two newly installed 2.5.2 systems and see if I'm able to bring up a simple IPSEC VPN and an OPENVPN server with clients.
Or if I should troubleshoot why any working system upgraded from 2.4.5 no longer works for me after upgrading in place to 2.5.2
So far in this thread I have learned how to apply a patch.
Which for me is a plus.
First time I've tried it.
It fixed the repeat IPSEC logging issue but did nothing for the actual issue I'm having.
-
OK- this thread is no longer getting any love or interest and frankly is a mess of thoughts and also is titled incorrectly.
I will start a new thread after I try clean installs of 2.5.2 and getting them to "VPN" together.
If this fixes my issues great.
It will be a pain not to be able to simply upgrade the 2.4.5 systems but I can circle back to that when I have done the sanity test of trying on clean installs of 2.5.2 and at least identifying for sure that systems with 2.4.5 to 2.5.2 never work again after that.
And be ready with logs and packet captures to try and troubleshoot my inability to update systems that are currently on 2.4.5 up to 2.5.2
I will leave it at that for now and start a new thread when I am ready.
Thanks for the help so far.
When I started this thread I didn't know how to apply a patch/fix so I have learned something valuable here so far.
-Steve
-
This eventually got fixed over here:
https://forum.netgate.com/topic/162012/pfsense-release-2-5-openvpn-2-5-broken-any-fixes/74?_=1644012845727