Netgate Discussion Forum

    IPSec issues on 24.03 - sessions dropping

    20 Posts 6 Posters 2.1k Views
    • maverickws

      Hi there,

      So I have a site-to-site VPN. I updated the firewall here; the remotes are on 23.09.1 since they can't be upgraded.

      I don't know if the issue is related to being one version behind, but when I have the IPsec up from 24.03, any sessions (SSH, MySQL, RDP) are constantly failing.

      Reverted my boot environment to 23.09.1 and the VPN works marvellously. As always.

      Issue confirmed both on 24.03 and 24.03_1

      The logs, by the way, don't have anything relevant besides that log spam that is known. And the VPN connection doesn't appear to "drop", only the traffic.

      • mcury Rebel Alliance @maverickws

        @maverickws Check this thread

        dead on arrival, nowhere to be found.

        • stephenw10 Netgate Administrator

          Yup, if you're using VTI tunnels, check the State Interface Binding change.

          • jimp moved this topic from Problems Installing or Upgrading pfSense Software
          • maverickws @mcury

            @mcury hi there, thank you for your reply and sorry for my delay; it was a holiday here yesterday.
            So I read through that topic, and my setup has VTI tunnels. The option I have selected on IPsec Filter Mode is "Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0)".

            Now I didn't quite understand the resolution, same for the Bugzilla issue; could you explain how you overcame the issue? I have both IPsec site-to-site and mobile.

            • maverickws @stephenw10

              @stephenw10 said in IPSec issues on 24.03 - sessions dropping:

              Yup if you're using VTI tunnels check the State Interface Binding change.

              Sorry where is this?

              • mcury Rebel Alliance @maverickws

                @maverickws said in IPSec issues on 24.03 - sessions dropping:

                IPsec Filter Mode is "Filter IPsec Tunnel, Transport, and VTI on IPsec tab (enc0)"

                Since you are using mobile IPsec and VTI at the same time, don't change this setting.

                In 24.03, there was this change: State Policy.
                Check if setting this option to Floating States will fix your problem.


                • stephenw10 Netgate Administrator

                  It's in System > Advanced > Firewall&NAT: Firewall State Policy.

                  That's the global setting. Setting it to floating goes back to the same behaviour as 23.09.1.

                  If that works, you can also set that per rule, so you add it to the rules allowing the IPsec traffic and set the global value back to interface-bound.

                  • jimp Rebel Alliance Developer Netgate

                    There are specific recommendations for VTI in the docs that cover this as well:

                    https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    • maverickws

                      Hi and thank you all for the information and support.

                      I have some follow-up questions. Given the State Policy changes and traffic being interface bound, I'm not getting exactly why it is impacting my traffic?

                      What would I put in the rule to have it fixed on Interface Bound mode?
                      (I am unable to test right now; only in a few hours will I be able to put it back on 24.03 and change the State Policy option to see if it fixes the issue.)

                      • jimp Rebel Alliance Developer Netgate @maverickws

                        @maverickws said in IPSec issues on 24.03 - sessions dropping:

                        I have some follow-up questions. Given the State Policy changes and traffic being interface bound, I'm not getting exactly why it is impacting my traffic?

                        It's explained in detail in the link I posted in the section about VTI.

                        What would I put in the rule to have it fixed on Interface Bound mode?

                        I just updated the docs with better info about the per-rule workaround, it'll be up in ~10 minutes once the build finishes.


                        • michmoor LAYER 8 Rebel Alliance @jimp

                          @jimp
                          Question, Jim. Because this bit me and a few others, would it be reasonable to make an exception for IPsec traffic flows, with a note in the webUI or documentation about this, to be changed at the admin's own risk?
                          So the IPsec interfaces with VTI get the floating policy state change only.


                          • stephenw10 Netgate Administrator

                            The ideal solution here is to fix the IPSec pfil handling so traffic is filtered on the same interfaces in and out as expected. We are looking at that (again) but the work there is non-trivial!

                            • jimp Rebel Alliance Developer Netgate

                              If fixing the OS-level issues doesn't work out, we might consider an option for automatically handling the floating policy rules for VTI, but we're hoping to avoid that if possible.


                              • maverickws

                                Hi all,

                                So from my understanding, please correct me if I'm wrong: if I were to maintain the option for Interface Bound, I would add a rule to the Floating rules on the IPsec interface as described in "Rules with Floating Policy Set"?

                                • stephenw10 Netgate Administrator

                                  Yes, exactly.

                                  • maverickws @stephenw10

                                    Perfect, thank you. I will test today and tell you how it goes.

                                    • maverickws

                                      OK, so I was able to reboot the router and booted into 24.03.

                                      I've added the rule as described to the IPsec interface on the floating rules, put it on top of any other IPsec rules, and so far my connections seem to be stable; I've been testing for over 5 minutes, both terminal and RDP.

                                      Next week I'll be able to test further. Have a nice weekend, you all.

                                      • danjeman @maverickws

                                        @maverickws I had this issue today... looks like adding advanced rule options for floating states on the IPsec rules, and a floating outbound one too as per the docs, does the trick 👍

                                        • maverickws @danjeman

                                          @danjeman howdy.
                                          I only added one floating rule; what do you mean by two rules?

                                          • stephenw10 Netgate Administrator

                                            If you need to create connections across the tunnel in both directions you need a floating outbound rule with floating state binding set to allow the replies. It's shown in the doc there now.
                                            https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#interface-bound-states

                                            So you might only add one floating rule and edit the existing IPSec rule. Two rules are needed if none existed.
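As an added illustration, not taken from this thread or from the Netgate docs, the following hand-written pf.conf fragments show the pf state options that the GUI settings discussed above map onto: the global "Firewall State Policy" is pf's `set state-policy`, and the per-rule override is the `if-bound` / `floating` state option. The interface names (enc0 for the IPsec filtering interface, ipsec1 for the VTI) and subnets are constructed for the example; pfSense generates its own rules from the GUI.

```pf
# Constructed example. Assumed: enc0 = IPsec filter interface, ipsec1 = VTI interface,
# 10.1.0.0/24 = local site, 10.2.0.0/24 = remote site.

# --- Fragment 1: 24.03 default. Each state is tied to the interface it was created on.
set state-policy if-bound

# Traffic from the remote site is filtered in on enc0 and creates an if-bound state there.
pass in quick on enc0 inet from 10.2.0.0/24 to 10.1.0.0/24 keep state

# As stephenw10 notes above, VTI traffic is not filtered on the same interface in both
# directions. The reply is seen on the VTI interface, where the enc0-bound state does not
# apply, so the return half of the session is not matched by that state.

# --- Fragment 2: keep the 24.03 default globally, override only on the IPsec rules.
set state-policy if-bound

# Per-rule override: a floating state is matched on any interface, so the reply seen on
# ipsec1 is associated with the state created by this rule on enc0.
pass in quick on enc0 inet from 10.2.0.0/24 to 10.1.0.0/24 keep state (floating)

# Second rule, only needed when connections are also initiated from this side across the
# tunnel (the outbound floating rule referred to in the post above): its replies then come
# back in and are matched by a floating state rather than needing a rule of their own.
pass out quick on ipsec1 inet from 10.1.0.0/24 to 10.2.0.0/24 keep state (floating)
```

Fragments 1 and 2 are alternatives, not one file; a real pf.conf carries a single `set state-policy` line.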

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.