IPSec lan-to-lan doesn't work after pfSense upgrade to 2.2
-
Maybe I found a solution; at least it worked for me:
in IPsec Phase 1 -> Phase 1 proposal (Authentication),
use the external IP address of your box as "My identifier" on both sides.
It seems the pre-shared key will not be matched correctly if "My identifier" is set to "My IP address".
I didn't use any FQDNs, just IP addresses everywhere.
cheers,
palu
-
Hi Palu,
Thanks for your suggestion. Now the IPSec tunnel comes up, but no traffic is passing through the tunnel. I set up the outbound NAT as automatic, but I cannot reach the remote site.
Riccardo
-
Hi Riccardo,
Hmmm, I can't verify, since NAT is done in my DSL router, so I use "Manual Outbound NAT rule generation" in the NAT section.
You could give "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)" a try, and add a "no NAT" rule for your internal LAN to the target LAN.
-
OK, it works, but this can only be a temporary workaround because I have some IPSec VPNs with dynamic IP addresses, so I cannot put the public IP in the "My Identifier" field, and this workaround does not work with all the third-party firewalls, like Cisco Meraki etc…
:( I see on this forum that some people do not have any kind of issues with IPSec VPN; maybe something went wrong during the upgrade?
Riccardo
-
I guess it will work with FQDN too (if it is also used for the pre-shared key so it can be matched), so you can use dynamic addresses.
Just make sure pre-shared key identifier = My identifier in the Phase 1 proposal.
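The rule palu gives in the two posts above (use an explicit identifier such as the external address or an FQDN, and keep the pre-shared key's identifier equal to it) can be checked offline with a small model of how a strongSwan-style secrets table picks a PSK by the pair of IKE identities. This is an added illustration, not code from the thread, from pfSense or from strongSwan; the addresses, hostnames, key strings and the `Secret`, `lookup_psk`, `my_identifier` and `psk_found_by_peer` names are constructed, and the behaviour of "My IP address" behind a NAT router (it sends the private interface address) is an assumption taken from what the posters report.

```python
"""Toy model of PSK selection keyed on IKE identities (constructed example).

A strongSwan-style secrets table assigns each pre-shared key to a set of ID
selectors; a key is chosen only when both the local and the peer identity fall
inside that set. This mirrors the thread's rule "pre-shared key identifier =
My identifier" and shows why 'My IP address' fails for a box behind a NAT
router. All names, addresses and keys below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Secret:
    ids: frozenset  # identities this PSK is valid for (hypothetical shape)
    psk: str


def lookup_psk(secrets, local_id, peer_id):
    """Return the PSK whose selectors cover both identities, or None."""
    for s in secrets:
        if {local_id, peer_id} <= s.ids:
            return s.psk
    return None


def my_identifier(setting, interface_ip):
    """Translate a pfSense 'My identifier' setting into the ID sent in IKE.

    setting is ("myaddress", None) for 'My IP address', or
    ("ipaddress", "x.x.x.x") / ("fqdn", "host.example") for an explicit value.
    Assumption (what the posters observed, not verified against pfSense code):
    'My IP address' uses the address bound on the interface, which behind a
    NAT router is the private address, not the public one the peer configured.
    """
    kind, value = setting
    return interface_ip if kind == "myaddress" else value


def psk_found_by_peer(peer_secrets, peer_id, my_setting, my_interface_ip):
    """True if the peer can select a PSK for the ID our setting produces."""
    ours = my_identifier(my_setting, my_interface_ip)
    return lookup_psk(peer_secrets, peer_id, ours) is not None


# Constructed topology: site A behind a DSL NAT router, site B on a public IP.
A_PRIVATE, A_PUBLIC = "192.168.1.2", "203.0.113.10"
B_PUBLIC = "198.51.100.20"
SECRETS_ON_B = [Secret(frozenset({A_PUBLIC, B_PUBLIC}), "constructed-psk-1")]
SECRETS_ON_B_FQDN = [Secret(frozenset({"site-a.example", "site-b.example"}),
                            "constructed-psk-2")]

if __name__ == "__main__":
    # 'My IP address' on A sends 192.168.1.2; B has no key for that pair.
    print(psk_found_by_peer(SECRETS_ON_B, B_PUBLIC,
                            ("myaddress", None), A_PRIVATE))        # False
    # Explicit external address, as suggested in the thread: the pair matches.
    print(psk_found_by_peer(SECRETS_ON_B, B_PUBLIC,
                            ("ipaddress", A_PUBLIC), A_PRIVATE))    # True
    # An FQDN used consistently on both sides survives a changing address.
    print(psk_found_by_peer(SECRETS_ON_B_FQDN, "site-b.example",
                            ("fqdn", "site-a.example"), A_PRIVATE))  # True
```

The model deliberately ignores the IKEv1 main-mode detail that a responder must pick the PSK before it has seen the peer's ID payload; the point it makes is only that a secret keyed on one identity cannot be found under another, so whatever the box sends as its identifier has to be the value the other side stored the key under.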
-
Mmmhhh… there is something weird.
It worked after I forced NAT-T on both nodes. But... if from one node I try to access the webconfigurator of the main office pfSense, that box just REBOOTS!! :S This is veeeeery weird... I think I'm going to roll back to version 2.1.5 very soon! :(
-
Same problem here!
IKEv1 main mode.
All OK with racoon (2.1.5) before the update to 2.2.
-
It was too bad; I had to roll back both firewalls in the main office.
I mean, the VPN was working, not as stable as on version 2.1.5 but working, but the "I access the webconfigurator from a remote node and I crash the system" was too much for a production environment. :(
-
Try on 2.2 to set Phase 1 Key Exchange version to auto. It helped me to get the other end back.
-
Tonight I decided to roll back the pfSense configuration to 2.1.5, and I think I will not upgrade until the issue with VPNs is solved.
Personally, I don't know why they decided to replace racoon with another service that is causing a lot of issues with VPNs; racoon works very well!…
Riccardo
-
2.2 <=> 2.2 works with IKEv2.
2.1.5 <=> 2.2 doesn't work at all with IKEv1. Confirmed! So far IPsec with strongSwan has been like using an ALPHA release. Sorry to say this, but I also have a lot of troubles with IPsec on version 2.2-RELEASE. Mobile VPN works only with IP identifier; site-to-site won't work at all between 2.1.5 and 2.2.
IPSEC must get a lot of attention now. This feels like we have pfSense's "Vista" here!
Version 2.2.1 must be here tomorrow? :-X
-
Tonight I decided to roll back the pfSense configuration to 2.1.5, and I think I will not upgrade until the issue with VPNs is solved.
Personally, I don't know why they decided to replace racoon with another service that is causing a lot of issues with VPNs; racoon works very well!…
Riccardo
Because racoon is outdated like shit and does not support state-of-the-art mobile connections. It has its own bugs, which could be worked around "easily" by fiddling with the config.
Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.
-
Frankly, there seem to be serious ipsec issues with 2.2 but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.
Could be, but I didn't see the problem in 2.2-RC with a 12-9-2014 build. After upgrading 1 of the 2 routers in a dual-wan CARP test, however, I can never establish a connection with the 2.2-RELEASE router but when it fails over to the 2.2-RC router IPSEC works.
-
Because racoon is outdated like shit and does not support state-of-the-art mobile connections. It has its own bugs, which could be worked around "easily" by fiddling with the config.
Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.
Yes, racoon might be outdated like shit, but strongSwan is buggy like Flash. I would rather work with one working back end with its known limitations than an all-around buggy back end with numerous problems. Look at this forum; it's full of mysterious problems. If this had been done correctly, racoon should be here as the one default IPsec core and strongSwan as an option. Jimp and Ermal have put a lot of effort into getting 2.2 out, but this IPsec part seems to be an epic failure. IPsec is such an important part of pfSense that the pfSense community should fix this fast. I mean FAST!
!!! Now DO NOT UPDATE TO 2.2 IF YOU USE IPSEC !!!!!
It will be a catastrophic failure in operational use!
-
Please do not hijack other people's threads.
Solve your problems in your own posts.
-
To come back to the problem: if the tunnel is up but no traffic is coming through, can you specify it further?
Is there only some traffic (like small ping packets) that gets through, or nothing at all?
Because I am experiencing a problem where fragmented packets get lost: https://forum.pfsense.org/index.php?topic=87610.0
Maybe you want to perform a similar analysis to confirm whether your current problem is similar or not.