IPSec status page not reflecting configured tunnels
Firstly please forgive any ignorance on my part. I am picking up and familiarising myself with an existing configuration on our network.
We have:
- A primary Netgate 7100 pfSense gateway
  - Running 22.01-RELEASE
  - FreeBSD 12.3-STABLE
- A secondary (HA-connected) Netgate 7100 pfSense gateway
  - Running 22.01-RELEASE
  - FreeBSD 12.3-STABLE
- 2x AWS VPCs
  - Each has 2 IPSec tunnels
The appliance has 4x IPSec phase1 tunnels configured, one to each of the corresponding endpoints on the 2 VPCs.
We're aware that we can't have all our phase2 connections active, as this isn't supported, but they are all configured.

My core issue is this:

The IPSec Status page (/status_ipsec.php) DOES NOT reflect the configured IPSec tunnels (/vpn_ipsec.php).

The configured tunnels all look correct. There are 4 different phase1 tunnels and all four contain 3 phase2 entries each.
All are enabled. All are configured with the correct IP addresses.
However when viewing the status page, it's a mess.
The 4 phase1 connections are present.
Expanding these to show their child SA entries does NOT reflect the configuration.

Some of the phase2 connections are simply not shown. How do I get these to appear under their parent?
Some of the phase2 connections are duplicated. Why are they there? How do they get removed?
Some of the phase2 connections are connected but won't disconnect. We have one of the phase1 tunnels where it holds a phase2 connection that should be on the other tunnel to the same VPC, but it's not there. When we try to disconnect it, the page refreshes and it's still connected.
This is important because if that phase1 tunnel drops then we don't know how to bring up the second tunnel with that redundant phase2 connection in it.

What am I missing?

The behaviour doesn't seem to be consistent with the config, and performing certain actions is causing unexpected results.

I appreciate this might be a gap in my understanding here, so please direct me to some better documentation about how to configure and modify these active tunnels.
I don't know if it's relevant but we have a redundant secondary appliance. Might there be some conflict occurring with the HA-Sync? Changes made on the primary being overwritten by a faulty synchronisation from the secondary?
Are there any logs I can look at to get an idea of why these tunnels and connections are missing from the status page?
Is there anywhere else in the admin UI I should be looking that will give me an insight into this?

Thanks in advance.
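As an added example (not from the original post, and not Netgate's or strongSwan's code), the script below is one way to get the configured-versus-active cross-check the post asks for from the shell instead of the GUI. pfSense 22.01 drives strongSwan through swanctl, so `swanctl --list-sas` lists the IKE SAs (phase1) with their child SAs (phase2) nested underneath, and `swanctl --list-conns` lists what was loaded from the configuration. The script parses the `--list-sas` text, groups child SAs by parent, reports children that are missing, duplicated, or sitting under a parent they are not configured for, and emits `swanctl --terminate --child-id <id>` commands for the unwanted instances. The connection names (con1, con1_1 and so on), the addresses and the sample listing are constructed for illustration; the EXPECTED map is an assumption standing in for whatever your own phase2 entries are.

```python
"""Audit strongSwan child SAs against the intended pfSense phase2 layout.
Added example, not code from the original post or from pfSense/strongSwan.
It parses the text printed by `swanctl --list-sas`, groups child SAs under
their parent IKE SA, and flags children that are missing, duplicated, or
under the wrong parent. Names and the sample output are constructed.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of `swanctl --list-sas` output (not a capture
# from any real appliance). con1 and con2 are two phase1 tunnels to one VPC.
SAMPLE_LIST_SAS = """\
con1: #3, ESTABLISHED, IKEv2, 7c1a2b3c4d5e6f70_i 0f7e6d5c4b3a2c17_r*
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  con1_1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    in  c0a1b2c3,   1024 bytes,     10 packets,     2s ago
    local  10.10.0.0/16
    remote 172.31.0.0/16
  con1_1: #9, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.10.0.0/16
    remote 172.31.0.0/16
  con2_2: #8, reqid 5, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    local  10.20.0.0/16
    remote 172.31.0.0/16
con2: #4, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7081_i 1807f6e5d4c3b2a1_r*
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.21' @ 198.51.100.21[500]
"""

# Intended layout (constructed): which phase2 names belong under which phase1.
EXPECTED = {
    "con1": ["con1_1", "con1_2", "con1_3"],
    "con2": ["con2_1", "con2_2", "con2_3"],
}

IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv[12]")        # no indent
CHILD_RE = re.compile(r"^  (\S+): #(\d+), reqid \d+, (\w+), ")  # 2-space indent
TS_RE = re.compile(r"^    (local|remote)\s+(\S+)$")             # 4-space indent


def parse_list_sas(text):
    """Return {ike_name: [child dicts]}; a child has name, id, state, local, remote."""
    sas, ike, child = {}, None, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike, child = m.group(1), None
            sas.setdefault(ike, [])
        elif (m := CHILD_RE.match(line)) and ike is not None:
            child = {"name": m.group(1), "id": int(m.group(2)),
                     "state": m.group(3), "local": None, "remote": None}
            sas[ike].append(child)
        elif (m := TS_RE.match(line)) and child is not None:
            child[m.group(1)] = m.group(2)  # traffic selector of the current child
    return sas


def audit(sas, expected):
    """Compare active child SAs with the intended layout."""
    report = {"ike_down": [], "missing": {}, "duplicates": {}, "misparented": []}
    for ike, wanted in expected.items():
        if ike not in sas:
            report["ike_down"].append(ike)        # phase1 not established at all
            continue
        active = defaultdict(list)
        for c in sas[ike]:
            active[c["name"]].append(c["id"])
        if missing := [n for n in wanted if n not in active]:
            report["missing"][ike] = missing      # configured, but no child SA shown
        if dups := {n: ids for n, ids in active.items() if len(ids) > 1}:
            report["duplicates"][ike] = dups      # same child name more than once
        report["misparented"] += [(ike, c["name"], c["id"])
                                  for c in sas[ike] if c["name"] not in wanted]
    return report


def terminate_commands(report):
    """swanctl invocations that tear down one child SA instance by its unique id,
    leaving any other copy of the same child in place. Run them on the appliance."""
    cmds = []
    for ike, dups in report["duplicates"].items():
        for name, ids in dups.items():
            for sa_id in sorted(ids)[1:]:         # keep the lowest id (usually the older SA)
                cmds.append(f"swanctl --terminate --child-id {sa_id}  # extra {name} under {ike}")
    for ike, name, sa_id in report["misparented"]:
        cmds.append(f"swanctl --terminate --child-id {sa_id}  # {name} under {ike}")
    return cmds


if __name__ == "__main__":
    # Usage on the appliance: swanctl --list-sas | python3 ipsec_audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_SAS
    rep = audit(parse_list_sas(text), EXPECTED)
    print(rep)
    print("\n".join(terminate_commands(rep)))
```

Run it on the appliance as `swanctl --list-sas | python3 ipsec_audit.py` after filling EXPECTED in from your own phase2 entries; without piped input it runs against the constructed sample and reports con1_1 twice, con2_2 under con1, and the rest missing. Compare the result with `swanctl --list-conns`, which shows the loaded configuration rather than the live SAs. If the swanctl listing matches what the GUI shows, the duplicates and strays are really in the daemon and terminating them by id removes only that instance; if the two disagree, the discrepancy is in the status page itself. Either way the IPsec log (Status > System Logs > IPsec) filtered on the child name around the time it was installed is the place to look for why it came up.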