IPSec unstable since upgrade to 2.2

cmb · Jan 31, 2015, 9:45 PM

It's a solution if the other side can change to IKEv2. That particular circumstance with multiple P2s and IKEv1 is exactly the one noted in the upgrade guide for which you shouldn't upgrade. IKEv2 has no such issues though.

reesesm2000 · Feb 1, 2015, 2:52 AM

Thanks Doc and cmb. Have put in a request to change to IKEv2. Will update the thread once it is done.

eri-- · Feb 2, 2015, 8:54 AM

Can you also try this change.

On /var/etc/ipsec/strongswan.conf

change this value
threads = 16

to
threads = 1

and see if that stabilizes it.

reesesm2000 · Feb 2, 2015, 10:35 AM

Changed to 1 thread and restarted ipsec. Will monitor. Version still IKEv1. Waiting for our provider to change to confirm if they support v2 and if they can change.

georgeman · Feb 2, 2015, 1:24 PM

@reesesm2000:

Changed to 1 thread and restarted ipsec. Will monitor. Version still IKEv1. Waiting for our provider to change to confirm if they support v2 and if they can change.

Consider that the config file is generated automatically when the service is restarted through the GUI, make sure that the change you made is really applied

reesesm2000 · Feb 2, 2015, 5:29 PM

Hi Georgeman

So the config reverted back to 16. How do I restart it without the config being rebuilt?

cmb · Feb 2, 2015, 5:48 PM

@reesesm2000:

So the config reverted back to 16. How do I restart it without the config being rebuilt?

You can edit /etc/inc/vpn.inc to change the source that generates that config file.

I'm not sure that'll do much if anything for you, that's something I'll test out in a known-problematic circumstance and see if it helps. If you can get the other end to switch to IKEv2, that's preferable in general (even if v1 wasn't problematic), so that's still the best option if it can be done.

reesesm2000 · Feb 2, 2015, 8:02 PM

Changing to IKEv2 does not help. I am still able to only have 1 Phase 2 route working at the same time. Which one depends on which gets traffic first.

I think the only solution is to fall back to 2.1.5 for now. IPSec seems quite broken for now.

cmb · Feb 3, 2015, 12:06 AM

@reesesm2000:

Changing to IKEv2 does not help. I am still able to only have 1 Phase 2 route working at the same time. Which one depends on which gets traffic first.

One caveat that may be causing you issues in this circumstance, if you hit the + to the right of a P2 in 2.2 to create a new one based on an existing, it wrongly uses a duplicate ID, which might create problems along those lines. If you still have it up, delete all your P2s, and add them back one by one without duplicating any of them.

Outside of that circumstance, what you're describing isn't possible with IKEv2 as it doesn't have multiple child SAs, if one is up they're all up.

reesesm2000 · Feb 3, 2015, 5:21 AM

Hi cmb

I did use the + originally so I removed everything and redefined it again. The same problem persists. Attached are screen shots of the config and status. IKEv2 is configured on both ends. 2 Phase 2 entries and only 1 will work at a time. Which one depends on which send traffic first.

![IPSec CFG-V2.png](/public/imported_attachments/1/IPSec CFG-V2.png)
![IPSec Status - V2.png](/public/imported_attachments/1/IPSec Status - V2.png)
![IPSec CFG-V2.png_thumb](/public/imported_attachments/1/IPSec CFG-V2.png_thumb)
![IPSec Status - V2.png_thumb](/public/imported_attachments/1/IPSec Status - V2.png_thumb)

eri-- · Feb 3, 2015, 9:03 AM

Can you show your /var/etc/ipsec/ipsec.conf?

reesesm2000 · Feb 3, 2015, 9:33 AM

Sent you a PM with the details ermal.

eri-- · Feb 3, 2015, 1:22 PM

All firewall rules are correct?
If yes than can you please execute from diagnostic->command sysctl net.inet.ipsec.debug=0xffffff

Establish the vpn send traffic on the not working path and see if anything comes out on dmesg -a command?

sierrabravo · Feb 3, 2015, 2:32 PM

Hi @All

i have a similar problem after upgrade to 2.1.5 to 2.2 in one of my pfs boxes.
Previous ipsec tunnel between these 2 boxes (with P1 both aggressive mode) works perfectly
Please note that both PFSs are BEHIND a firewall

After upgrade, old confs do not work anymore. No connection, P1 never established. Only this error on PFS 2.1.5 -> "ERROR: phase1 negotiation failed due to time up"

After a lot of attemps, I finally found a working configuration.

My actual confs, BOLD main changes after upgrade in OfficeB's PFS

Office A - pfs 2.1.5
P1
Mutual PSK
Main Mode (was aggressive)
My Identifier -> My IP Address
Peer Identifier -> Peer IP Address
Enc Alg AES 256Bit
Hash Alg SHA1
DH KeyGroup 2 (1024bit)
Lifetime 28800

Nat-T DISABLE <- leave to ENABLE do not work, P1 established, P2 maybe (sorry, I don't remember)
DPD Enabled (10 Secs,5 retries)

(two P2 phases)
P2 Protocol ESP
P2 Transforms 3DES
P2 Auth Methods MD5,SHA1
PFS key group OFF
Lifetime 3600

Office B - pfs 2.2
P1
Key Exchange Version -> V1
Mutual PSK
Main Mode (was aggressive)
My Identifier -> My IP Address
Peer Identifier -> IP Address -> 192.168.46.10 <– this is WAN IP address of OfficeA PFS
Enc Alg AES 256Bit
Hash Alg SHA1
DH KeyGroup 2 (1024bit)
Lifetime 28800

Nat-T AUTO
DPD Enabled (10 Secs,5 retries)

(two P2 phases)
P2 Protocol ESP
P2 Transforms 3DES
P2 Auth Methods MD5,SHA1
PFS key group OFF
Lifetime 3600

This was a message on PFS 2.2 box that give me an hint:

charon: 15[IKE] IDir '192.168.46.10' does not match to 'XX.XXX.XX.XXX'

XX.XXX.XX.XXX is public IP address of officeA ( Remote Gateway in OfficeB conf)

I hope this can be helpful for someone else

Simone

eri-- · Feb 3, 2015, 4:05 PM

Or on pfSense 2.2 you have to set the proper identifier by choosing ip address and setting the private ip address of pfSense on the remote end.

@sierrabravo,

your example is a clear id mismatch problem on configuration.

cmb · Feb 3, 2015, 10:50 PM

Adding this from another thread since it's been the root cause of a few issues and seemingly the ones in this thread as well.

One relevant change in behavior we've seen is racoon didn't seem to care whether the ID it was sent matched if it had a match for the IP where the traffic was actually being originated. So for instance if you have the remote end behind NAT set to use "My IP Address" for its identifier, it puts the private WAN IP in there as its identifier. racoon would still find it by matching the public IP where the request was initiated (probably technically incorrect). But strongswan has to find a match to the ID being sent by the other side, it won't fall back to "eh, you're coming from X IP and I have a match there, so that's good enough."

reesesm2000 · Feb 4, 2015, 3:01 AM

All firewall rules are correct?

I am fairly sure they are since either Phase 2 will work without me changing anything just depending on which one I initiate traffic over first. Send a ping via Phase 2 No1 and it is active and working and No2 is not. Only shows Bytes In and No Bytes Out. Send a ping via Phase 2 No2 first and it works with No1 failing and showing Bytes In and no Bytes Out.

sysctl net.inet.ipsec.debug=0xffffff and dmesg -a

This produced no difference in the output before or after trying to send traffic on the failed route or after restarting ipsec.

eri-- · Feb 4, 2015, 9:16 AM

Ok the last thing to verify is if you see the packets with tcpdump/packet capture on enc0 interface on both cases be it receiving a reply or not.
If you can see both ping requests through enc when sending traffic but not receive reply would mean some issues with phase2 to be looked at.

reesesm2000 · Feb 5, 2015, 8:47 AM

Thanks everyone for all the help but in the end I am going to have to go back to 2.1.5. 2.2 is just not ready. I have 3 show stoppers that I see no resolution for:

Unable to boot with Error Code = 19 although I am able to format and install it just fails to boot. (This is a new SuperMicro D525 so should work)
More than 1 Phase 2 in a IPSec Site to Site will not work on either IKEv1 or IKEv2.
IPSec traffic regularly stops and the only solution is to bounce the connection.

MichelZ · Feb 5, 2015, 8:53 AM

I am getting to the same conclusion, I think. Hoping for a 2.2.1 soon which hopefully fixes some of those issues :(