Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Parallel tunnel worked well on 1.0.1 (snapshot) but it does not work on 1.2b1

    IPsec
    3
    7
    5.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      sbyoon
      last edited by

      I've used parallel multi network ipsec tunnel with pfsense 1.0.1 and 1.0.1 snapshot without any problem but today I found that it does not work with pfsense 1.2 Beta1. Below is my testing environment.

      pfsense A (allow mobile client)
      Lan 192.168.1.1/24

      pfsense B
      tunnel 1 : 192.168.4.1/27  ->  192.168.1.1
      tunnel 2 : 192.168.4.128/27  ->  192.168.1.1

      I used same domain identifier for tunnel 1 and 2.

      It's no matter whether A is 1.0.1 or 1.2 beta1. But B should be 1.0.1 (snapshot) to make these two tunnel work.

      With 1.0.1 (snapshot), ping from 192.168.4.1 and 192.168.4.128 reaches to 192.168.1.1 simultaneously.

      With 1.2 beta1, ping from 192.168.4.1 and 192.168.4.128 reaches to 192.168.1.1 by turns. The second can reach to destination after first one fails.

      I think there are some changes in ipsec from 1.0.1 snapshot to 1.2 beta1. Can it be went back to 1.0.1 snapshot so that parallel multi network tunnel be available?

      Thanks

      1 Reply Last reply Reply Quote 0
      • S
        sullrich
        last edited by

        Please try http://snapshots.pfsense.com/FreeBSD6/RELENG_1_2/updates/pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-25-2007.tgz

        1 Reply Last reply Reply Quote 0
        • S
          sbyoon
          last edited by

          Tested it again with the update. But the update could not fix this problem.

          1 Reply Last reply Reply Quote 0
          • S
            sbyoon
            last edited by

            Today I tested it with testing update dated on 5/27. But it couldn't fix the parallel tunnel problem as well.

            1 Reply Last reply Reply Quote 0
            • H
              hoba
              last edited by

              Actually I wonder that this should have worked with one end being a mobile ipsec enabled node as you only can use one identifier for that end and you need unique identifiers for each tunnel so the two tunnels don't get mixed up. I never got parallel tunnels to work between non static endpoints with one end doing mobile ipsec, with no version of pfSense and no version of m0n0 either btw.

              1 Reply Last reply Reply Quote 0
              • S
                sbyoon
                last edited by

                Surprised!! Then, had nobody not succeeded in parallel ipsec tunnels with same idetifier?
                As I remember it was available from 1.0.1 version. And I've used.

                I made the test again with 1.0.1 snapshot to show you the evidence.

                <pfsense box="" a="">1.2 Beta1
                Wan IP: 192.168.2.198
                LAN IP: 192.168.1.1/24
                Enabled "Allow mobil clinet"
                Identifier in Pre-shared kyes: test.com

                config.xml

                <ipsec><preferredoldsa><preferoldsa><enable><mobileclients><enable><p1><mode>aggressive</mode>
                <myident><myaddress></myaddress></myident>
                <encryption-algorithm>blowfish</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>1</dhgroup>
                <lifetime><private-key><cert><authentication_method>pre_shared_key</authentication_method></cert></private-key></lifetime></p1>
                <p2><protocol>esp</protocol>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>0</pfsgroup></p2></enable></mobileclients>
                <mobilekey><ident>test.com</ident>
                <pre-shared-key>hhhhhh7777wwwwww</pre-shared-key></mobilekey></enable></preferoldsa></preferredoldsa></ipsec>

                <pfsense box="" b="">1.0.1 snapshot
                Wan IP: 192.168.2.197
                Lan IP: 192.168.4.1/24

                Tunnel 1: 192.168.4.1/27 -> 192.168.1.1/24  My Identifier(domain): test.com
                Tunnel 2: 192.168.4.128/27 -> 192.168.1.1/24  My Identifier(domain): test.com

                config.xml

                <ipsec><preferredoldsa><enable><tunnel><interface>wan</interface>
                <local-subnet><address>192.168.4.1/27</address></local-subnet>
                <remote-subnet>192.168.1.1/24</remote-subnet>
                <remote-gateway>192.168.2.198</remote-gateway>
                <p1><mode>aggressive</mode>
                <myident><fqdn>test.com</fqdn></myident>
                <encryption-algorithm>blowfish</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>1</dhgroup>
                <lifetime><pre-shared-key>hhhhhh7777wwwwww</pre-shared-key>
                <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></lifetime></p1>
                <p2><protocol>esp</protocol>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>0</pfsgroup></p2>
                <descr><pinghost>192.168.1.1</pinghost></descr></tunnel>
                <tunnel><interface>wan</interface>
                <local-subnet><address>192.168.4.128/27</address></local-subnet>
                <remote-subnet>192.168.1.1/24</remote-subnet>
                <remote-gateway>192.168.2.198</remote-gateway>
                <p1><mode>aggressive</mode>
                <myident><fqdn>test.com</fqdn></myident>
                <encryption-algorithm>blowfish</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>1</dhgroup>
                <lifetime><pre-shared-key>hhhhhh7777wwwwww</pre-shared-key>
                <private-key><cert><peercert><authentication_method>pre_shared_key</authentication_method></peercert></cert></private-key></lifetime></p1>
                <p2><protocol>esp</protocol>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>0</pfsgroup></p2></tunnel></enable></preferredoldsa></ipsec>

                After established these two tunnels, ping from 192.168.4.1 and 192.168.4.128 can reach to 192.168.1.1 simultaneously.

                I attached the images of Box A's SPD and Box B's Ipsec page.

                Now 1.2Beta1 cannot made these two tunnels even if I use different identifiers.

                Thank you.

                boxA.jpg
                boxA.jpg_thumb
                boxB.jpg
                boxB.jpg_thumb</pfsense></pfsense>

                1 Reply Last reply Reply Quote 0
                • S
                  sbyoon
                  last edited by

                  I tested it with pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007.tgz today. But the parallel tunnel is not available with the latest update too.

                  Pls Pls fix this problem. I think parallel tunnel is a very usful ipsec function.

                  Thank you.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post