Migrating from 1.2.3 to 2.0rc3 problem
-
Hello Jimp,
I understand and appreciate your position. Unfortunately I've had to go back to 1.2.3 and will not be in a position to try 2.0 for a couple of weeks (in October). I'm keen to work this problem out though so I'll let you and others know when I next get a chance to see what is happening.
-
Hi guys!
I tried to migrate from pf 1.2.3 to 2.0rc3 using configuration backup / restore, but I received a nasty message …:
"The following input errors were detected:
The configuration could not be restored.
"
I tried with Restore area changes but nothing happened... (after reboot too)
What can I do?
Set up the rules and configs one by one? :O ???
Best wishes
-
http://doc.pfsense.org/index.php/Upgrade_Guide
http://doc.pfsense.org/index.php/Upgrade_Guide#International.2FSpecial_Characters_in_1.2.x_Configs
-
Hi Jimp and All. I'm back and have a few quiet days of being able to work through this issue. The VPN between my two data centres will not be needed so I'm keen to dig in and figure this out.
I've just installed the 2.0 release and have been working on this to see if it'd work but alas, no. My tunnel target is a Fortigate 200B and the settings there have not changed. The current error I'm seeing is "ERROR: notification NO-PROPOSAL-CHOSEN". There are a few more ph1 options in 2.0 so I'm not sure what needs to be matched up for things to line up. I'll keep reading and playing, but assistance and guidance would be appreciated.
Thanks
-
I think I've found a bug in the web config for phase 2. If selecting PFS key group 5, what ends up in /var/etc/racoon.conf is 2, not 5. I now have a VPN working :)
-
I just tried this out and that is most definitely not the case. I select 2, save/apply, and 2 is in the config. I select 5, save/apply, and 5 is in the config.
So if you are changing to 5, then save/apply, and it's still set to 2, there is something else going on, perhaps it's not actually rewriting the config. But it's most certainly not writing the incorrect thing.
-
I've played a bit more with the link. I can change the PFS group setting in my browser (Firefox 7.0.1 Linux) and it will remember the setting for the PFS key group, whether it's off, 1, 2 or 5. However, there's nothing in the /var/etc/racoon.conf file which deviates from pfs_group 2. I can change any other setting in phase 2 and it will be reflected in racoon.conf. Only the pfs_group setting remains unchanged, weird. At the tunnel target end, I now simply keep the PFS group to 2, just works. It'd be good to know what's going on though. Is there anything I can do to help understand what's going on?
-
Go to Diagnostics > Commands, and in the PHP exec box put in:
var_dump($config['ipsec']['client']);
Is there a pfs setting in there?
-
The following comes up:
array(3) { ["enable"]=> string(0) "" ["user_source"]=> string(6) "system" ["group_source"]=> string(6) "system" }
-
ok, the only place I saw that could have possibly overridden the chosen pfs_group setting would have been in there. I don't see any other way that what you choose isn't ending up in the racoon.conf
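-
The check this thread keeps doing by eye, whether the PFS key group chosen in the GUI is the one written to /var/etc/racoon.conf, can be scripted; the following is an added example, not part of any post above and not pfSense code. The sample config, its addresses and the `expected` mapping are constructed; run it against a copy of the real file.

```python
import re

# DH group names racoon.conf accepts in place of the group number.
DH_NAMES = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

# Constructed sample in racoon.conf syntax (private addresses, not from the thread).
SAMPLE_RACOON_CONF = """\
sainfo address 192.168.10.0/24 any address 192.168.20.0/24 any
{
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	pfs_group 2;  # operator selected 5 in the GUI
	lifetime time 3600 secs;
}
sainfo address 192.168.10.0/24 any address 192.168.30.0/24 any
{
	encryption_algorithm aes 256;
	authentication_algorithm hmac_sha1;
	lifetime time 3600 secs;
}
"""

def parse_pfs_groups(conf_text):
    """Map each sainfo selector to its pfs_group number (None when PFS is off)."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments
    result = {}
    for m in re.finditer(r"\bsainfo\s+([^{]+?)\s*\{([^}]*)\}", text):
        selector = " ".join(m.group(1).split())  # normalise whitespace
        g = re.search(r"\bpfs_group\s+(\w+)\s*;", m.group(2))
        if g is None:
            result[selector] = None
        else:
            tok = g.group(1)
            result[selector] = int(tok) if tok.isdigit() else DH_NAMES.get(tok, tok)
    return result

def pfs_mismatches(conf_text, expected):
    """Return (selector, expected, written) for every phase 2 entry that disagrees.
    `expected` is the operator's own record of the GUI choice (None = PFS off)."""
    written = parse_pfs_groups(conf_text)
    return [(sel, want, written.get(sel, "missing"))
            for sel, want in expected.items()
            if written.get(sel, "missing") != want]

if __name__ == "__main__":
    expected = {"address 192.168.10.0/24 any address 192.168.20.0/24 any": 5,
                "address 192.168.10.0/24 any address 192.168.30.0/24 any": None}
    for sel, want, got in pfs_mismatches(SAMPLE_RACOON_CONF, expected):
        print(f"{sel}: GUI={want} racoon.conf={got}")
```

A mismatch reported here is the same condition that makes the peer answer NO-PROPOSAL-CHOSEN when its own phase 2 PFS group is set to the GUI value.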