    IPSECD VPN Phase-2 configuration disappearing

    30 Posts 7 Posters 1.5k Views
      nmohata @stephenw10

      @stephenw10 Yes, P2 was missing and it happened 3 times in a few hours.

        nmohata

        @stephenw10
        We got a similar issue again this morning. No changes were made on the firewall in the last 2 weeks. Everything was working fine until EOD yesterday, but this morning the services running via the VPN were down. When we checked, the VPN P2 configuration was missing again.
        The VPN came up after adding the configuration back.

          Schnubby @nmohata

          @nmohata We are seeing something like this as of today. 2 or 3 P2 configs missing without a trace, one after a reboot. VPN working after adding the P2 config back. Really strange.

          edit: also on 2.7.2

            Schnubby

            I think for me this (https://redmine.pfsense.org/issues/15171) could be the culprit, since I removed another phase 1 that was missing a phase 2 when this happened.

              stephenw10 (Netgate Administrator)

              Yes, if you were making some other config change at the time that would be much more likely. I'm not aware of anything that could remove parts of the config spontaneously though.

                Tactis

                I just found this thread as I have the issue too. pfSense CE 2.7.2, last login on Jan 3rd 2025 and last config change December 18th 2024.

                Yesterday at 21:18 (Jan 8th) a tunnel went down, but I only just realised that the lack of P2 proposals in the logs is from our side after raising it with the remote peer admin.

                There are no P2s for this ikeid (6) in the config anymore, even if I download the last changed version from config history, it's gone from there too.

                I diffed my config history until I found the missing P2 entries in the config history from a change done on 2024-12-10. I deleted P1 with ikeid 7 and it looks like the P2 for my ikeid 6 were also removed at the same time.

                Doesn't make sense why it only failed yesterday though, since my P1 / P2 lifetimes are 28800 and 3600 seconds respectively.

                I think this happened once in the past too, but I just assumed I had accidentally botched a config change in the GUI and deleted a P2; now that this has happened again I'm not so sure.

                It seems the unrelated P2 deletion is a known issue according to this redmine:
                https://redmine.pfsense.org/issues/15970

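The config-history diff Tactis describes above can be automated. The script below is an added example, not code from the thread or from pfSense: it parses two config.xml snapshots, lists the phase 2 entries that disappeared between them, and separately flags the ones whose parent phase 1 (same ikeid) still exists afterwards, which is exactly the "unrelated P2 deleted with another P1" symptom. The two XML strings are constructed stand-ins that follow the config.xml layout (ipsec/phase1/phase2, ikeid, uniqid, descr, localid/remoteid); all addresses and ids are invented.

```python
"""Find IPsec phase 2 entries that vanished between two pfSense config.xml snapshots.

Added example; the XML below is constructed, not a real firewall's config.
"""
import xml.etree.ElementTree as ET

# Constructed snapshot "before": two P1s (ikeid 6 and 7), three P2s.
BEFORE_XML = """<pfsense>
  <ipsec>
    <phase1><ikeid>6</ikeid><descr>Site A</descr><remote-gateway>203.0.113.10</remote-gateway></phase1>
    <phase1><ikeid>7</ikeid><descr>Site B</descr><remote-gateway>203.0.113.20</remote-gateway></phase1>
    <phase2><ikeid>6</ikeid><uniqid>aaa111</uniqid><descr>Site A LAN</descr>
      <localid><type>network</type><address>10.0.1.0</address><netbits>24</netbits></localid>
      <remoteid><type>network</type><address>192.168.50.0</address><netbits>24</netbits></remoteid>
    </phase2>
    <phase2><ikeid>6</ikeid><uniqid>aaa222</uniqid><descr>Site A DMZ</descr>
      <localid><type>network</type><address>10.0.2.0</address><netbits>24</netbits></localid>
      <remoteid><type>network</type><address>192.168.51.0</address><netbits>24</netbits></remoteid>
    </phase2>
    <phase2><ikeid>7</ikeid><uniqid>bbb111</uniqid><descr>Site B LAN</descr>
      <localid><type>lan</type></localid>
      <remoteid><type>network</type><address>172.16.0.0</address><netbits>16</netbits></remoteid>
    </phase2>
  </ipsec>
</pfsense>
"""

# Constructed snapshot "after" deleting P1 ikeid 7: its own P2 (bbb111) is gone
# as expected, but so is aaa222, which belonged to the untouched P1 ikeid 6.
AFTER_XML = """<pfsense>
  <ipsec>
    <phase1><ikeid>6</ikeid><descr>Site A</descr><remote-gateway>203.0.113.10</remote-gateway></phase1>
    <phase2><ikeid>6</ikeid><uniqid>aaa111</uniqid><descr>Site A LAN</descr>
      <localid><type>network</type><address>10.0.1.0</address><netbits>24</netbits></localid>
      <remoteid><type>network</type><address>192.168.50.0</address><netbits>24</netbits></remoteid>
    </phase2>
  </ipsec>
</pfsense>
"""


def _endpoint(node):
    """Render a <localid>/<remoteid> element as a short traffic-selector string."""
    if node is None:
        return "?"
    kind = node.findtext("type", "network")
    if kind == "lan":  # pfSense shorthand for "the LAN subnet"
        return "lan"
    addr = node.findtext("address", "?")
    bits = node.findtext("netbits")
    return f"{addr}/{bits}" if bits else addr


def phase1_ids(xml_text):
    """Set of ikeid values that have a phase 1 entry in this snapshot."""
    root = ET.fromstring(xml_text)
    return {p1.findtext("ikeid") for p1 in root.iterfind("./ipsec/phase1")}


def phase2_entries(xml_text):
    """Map each phase 2 entry (keyed by uniqid, or ikeid:descr if absent) to its summary."""
    root = ET.fromstring(xml_text)
    out = {}
    for p2 in root.iterfind("./ipsec/phase2"):
        ikeid, descr = p2.findtext("ikeid"), p2.findtext("descr", "")
        key = p2.findtext("uniqid") or f"{ikeid}:{descr}"
        out[key] = {"ikeid": ikeid, "descr": descr,
                    "local": _endpoint(p2.find("localid")),
                    "remote": _endpoint(p2.find("remoteid"))}
    return out


def diff_phase2(before_xml, after_xml):
    """Classify phase 2 changes between two snapshots."""
    before, after = phase2_entries(before_xml), phase2_entries(after_xml)
    p1_after = phase1_ids(after_xml)
    removed = {u: e for u, e in before.items() if u not in after}
    added = {u: e for u, e in after.items() if u not in before}
    # A removed P2 whose P1 still exists afterwards was not deleted with its tunnel.
    collateral = {u: e for u, e in removed.items() if e["ikeid"] in p1_after}
    # Surviving P2s whose parent P1 is gone can never establish.
    orphaned = {u: e for u, e in after.items() if e["ikeid"] not in p1_after}
    return {"removed": removed, "added": added, "collateral": collateral, "orphaned": orphaned}


def report(diff):
    """Human-readable lines, collateral losses first."""
    lines = []
    for uid, e in diff["collateral"].items():
        lines.append(f"LOST (P1 {e['ikeid']} still exists): {uid} '{e['descr']}' {e['local']} <-> {e['remote']}")
    for uid, e in diff["removed"].items():
        if uid not in diff["collateral"]:
            lines.append(f"removed with its P1 {e['ikeid']}: {uid} '{e['descr']}'")
    for uid, e in diff["orphaned"].items():
        lines.append(f"orphaned (no P1 {e['ikeid']}): {uid} '{e['descr']}'")
    for uid, e in diff["added"].items():
        lines.append(f"added under P1 {e['ikeid']}: {uid} '{e['descr']}'")
    return lines or ["no phase 2 changes"]


if __name__ == "__main__":
    print("\n".join(report(diff_phase2(BEFORE_XML, AFTER_XML))))
```

To use it on a real firewall, replace the two strings with the contents of two files from the config history (pfSense keeps them under /cf/conf/backup) and run the script against each adjacent pair; the first pair whose report contains a LOST line is the change that took the P2 with it.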
                  stephenw10 (Netgate Administrator)

                  Mmm, that does look like it in that case if the last config change was removing a P1. That doesn't seem to be the case for OP here though.

                    aduzsardi

                    Same thing for me as well today, I'm running pfSense+ on a Netgate 7100
                    24.11-RELEASE (amd64)
                    built on Sat Jan 11 18:11:00 EET 2025
                    FreeBSD 15.0-CURRENT

                    I have 2 x phase 2 entries on the configuration page, but only one is showing on the status page.
                    I'm not sure what's causing this; it was fine until earlier today and I didn't make any changes to the IPsec configuration.

                      stephenw10 (Netgate Administrator)

                      If both are showing in the config page that's a different issue.

                      What do you actually see in the status page?

                      Are there any errors in the logs?

                        aduzsardi @stephenw10

                        @stephenw10 should I create a new topic?
                        I don't see any errors in the logs. The bit that looks strange to me is circled in red; note that we have two connections, one is IKEv1 and the other is IKEv2, with different partners.
                        The part I circled: it's because the description doesn't match the configuration page, and also the ID says con2 instead of con2_1 or something like that.

                        [two screenshots attached]

                          aduzsardi

                          btw, is there any file I can edit from the command line to remedy this? Maybe the UI is acting up or it's confused by something. As I said earlier, I haven't changed the IPsec configuration for a while before this happened.

                            aduzsardi

                            Even weirder: because I really needed to fix the connection ASAP, I deleted one of the P2 entries from the configuration and the status shows both as connected/installed now 👽

                            I think it's safe to assume this is some kind of bug; something got stuck somewhere at some point (maybe at a software upgrade) and probably needs to be cleaned up manually and the configuration recreated from scratch.

                            I only have this single phase 2 entry now for this connection:
                            [screenshot attached]

                            and the status page shows (note that both are showing the same description now):
                            [screenshot attached]

                              stephenw10 (Netgate Administrator)

                              Hmm, that does seem odd. I would at least try re-saving those P2s and disable/re-enable the P1.

                              You could be seeing combined traffic selectors if whatever is at the other end was upgraded and now supports that. Setting 'split connections' on the P1 would return the previous behaviour.

                                aduzsardi

                                @stephenw10 said in IPSECD VPN Phase-2 configuration disappearing:

                                supports

                                I confirmed with the partner that this is not the case on their end.
                                Also, I did disable/enable the P1 and P2 entries before removing one of the P2 entries, and it did not affect the status of the connection in any way, even restarting the IPsec daemon at each step.
                                It's still working now, but I would like to have a match between what's in the configuration and what's actually showing on the status page. Any ideas what to look for on the command line, maybe?

                                  stephenw10 (Netgate Administrator)

                                  Try stopping then starting the ipsec service. Restarting it only actually reloads the config.

                                  But ultimately check the logs. See what P2s are establishing.

                                  Check the output of: ipsec statusall at the CLI.

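The check stephenw10 suggests above (compare what `ipsec statusall` shows with what the configuration page lists) can be scripted. The following is an added example, not code from the thread or from pfSense or strongSwan. It parses the INSTALLED child SA lines and their `local === remote` traffic-selector lines, groups them by IKE connection using pfSense's con<ikeid> / con<ikeid>_<n> naming, compares the count per connection against the number of configured P2s, and flags child SAs that carry several selectors on one side, which is the "combined traffic selectors" case (a single con2 instead of con2_1, con2_2) that the 'split connections' P1 option turns off. SAMPLE_STATUS is a constructed stand-in whose layout only approximates real `ipsec statusall` output; addresses, SPIs and timings are invented, and the configured-P2 counts passed to compare_to_config are likewise made up for the demonstration.

```python
"""Summarise IPsec CHILD_SAs from `ipsec statusall` and compare them to the configured P2 count.

Added example; SAMPLE_STATUS is constructed and only approximates strongSwan's format.
"""
import re

SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
       con2[7]: ESTABLISHED 3 hours ago, 198.51.100.1[198.51.100.1]...203.0.113.10[203.0.113.10]
       con2[7]: IKEv2 SPIs: 1234567890abcdef_i* fedcba0987654321_r, rekeying in 2 hours
       con2{12}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0a80001_i c0a80002_o
       con2{12}:   10.0.1.0/24 10.0.2.0/24 === 192.168.50.0/24 192.168.51.0/24
       con1[5]: ESTABLISHED 5 hours ago, 198.51.100.1[198.51.100.1]...203.0.113.20[203.0.113.20]
       con1[5]: IKEv1 SPIs: 0011223344556677_i* 8899aabbccddeeff_r, rekeying in 4 hours
       con1_1{9}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80003_i c0a80004_o
       con1_1{9}:   10.0.1.0/24 === 172.16.0.0/16
       con1_2{10}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c0a80005_i c0a80006_o
       con1_2{10}:   10.0.2.0/24 === 172.16.0.0/16
"""

# "name{id}:  INSTALLED, MODE, reqid N, ..." lines introduce a child SA.
INSTALLED_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+(?P<mode>\w+),\s+reqid\s+(?P<reqid>\d+)")
# "name{id}:   local-selectors === remote-selectors" lines give its traffic selectors.
SELECTOR_RE = re.compile(
    r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<local>.*?)\s+===\s+(?P<remote>.*?)\s*$")


def installed_child_sas(status_text):
    """Return a list of installed child SAs with their selectors, in output order."""
    sas = {}
    for line in status_text.splitlines():
        m = INSTALLED_RE.match(line)
        if m:
            sas[(m["name"], m["id"])] = {"name": m["name"], "mode": m["mode"],
                                         "reqid": int(m["reqid"]), "local": [], "remote": []}
            continue
        m = SELECTOR_RE.match(line)
        if m and (m["name"], m["id"]) in sas:  # ignore selector lines of SAs not INSTALLED
            sas[(m["name"], m["id"])]["local"] = m["local"].split()
            sas[(m["name"], m["id"])]["remote"] = m["remote"].split()
    return list(sas.values())


def combined_selectors(sas):
    """Names of child SAs carrying more than one selector on a side (combined TS)."""
    return [sa["name"] for sa in sas if len(sa["local"]) > 1 or len(sa["remote"]) > 1]


def by_connection(sas):
    """Group child SA names by IKE connection: con<ikeid>_<n> and con<ikeid> both map to con<ikeid>."""
    groups = {}
    for sa in sas:
        groups.setdefault(sa["name"].split("_", 1)[0], []).append(sa["name"])
    return groups


def compare_to_config(sas, configured_p2_per_connection):
    """Report connections whose installed CHILD_SA count differs from the configured P2 count.

    configured_p2_per_connection maps "con<ikeid>" to the number of P2 entries on the
    configuration page (constructed input in this example).
    """
    groups, combined = by_connection(sas), set(combined_selectors(sas))
    findings = []
    for conn, expected in configured_p2_per_connection.items():
        got = groups.get(conn, [])
        if len(got) != expected:
            hint = " (combined traffic selectors?)" if combined & set(got) else ""
            findings.append(f"{conn}: config has {expected} P2(s), status shows {len(got)} {got}{hint}")
    return findings


if __name__ == "__main__":
    sas = installed_child_sas(SAMPLE_STATUS)
    for sa in sas:
        print(f"{sa['name']}: {' '.join(sa['local'])} === {' '.join(sa['remote'])}")
    print("\n".join(compare_to_config(sas, {"con2": 2, "con1": 2})))
```

On a real box, feed the script the captured output of `ipsec statusall` and the P2 counts read from the configuration page; a connection that shows one CHILD_SA with two selectors per side, where the config has two P2s, is the combined-selector situation rather than a lost P2.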
                                    Tactis

                                    So what is the consensus here @stephenw10, is this bug still present in 24.11?

                                    I thought it would be solved by this version, but since being notified of new issues in this ticket I'm holding off deleting any IPSec tunnels until I know the risk is gone.

                                      stephenw10 (Netgate Administrator)

                                      @Tactis said in IPSECD VPN Phase-2 configuration disappearing:

                                      https://redmine.pfsense.org/issues/15970

                                      As far as I know that is fixed in 24.11. I don't think aduzsardi was/is hitting that since the config still appears only the status is different.

                                        Tactis

                                        @stephenw10 , perfect, thanks!

                                          scurrier

                                          I also experienced a disappearing P2. Unfortunately, it is hard to say what triggered it because the other side has been down for 5 months and just became available again. They just brought it back up and I expected everything to connect automatically but it didn't. So I looked into what could cause it and found the P2 missing. In that 5 months where the other side was down, my side had a hard drive failure and restore from autoconfig backup. Also, in the config history, wireguard has been automatically spamming the config history so I only have one day worth of true backups (but 30 copies of virtually the same thing thanks to wireguard).

                                          I was able to find and decrypt a much older config manually, view the P2 XML, and recreate the P2 manually.

                                            stevensedory

                                            We are having this same issue on 2.7.2 on a Hyper-V VM. Seems this is a new issue after upgrading from 2.7, but I can't be 100% sure of that. However, I can report that as we've been moving some policy-based VPNs to VTIs (and in that process deleting certain P2s under a given P1, or deleting all the P2s and P1s related to the site we're moving to VTIs), other P2s, for separate P1s that we've left untouched as policy-based VPNs, will disappear. This has happened repeatedly, each time we delete another set of P2s. So late at night I moved five VPNs from policy-based to VTI, and I had to rebuild 16 P2s (most of our policy-based tunnels have four P2s each).

                                            Anyway, just adding to the discussion.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.