IPSec unstable since upgrade to 2.2

eri--

Can you show your /var/etc/ipsec/ipsec.conf?

reesesm2000

Sent you a PM with the details ermal.

eri--

All firewall rules are correct?
If yes than can you please execute from diagnostic->command sysctl net.inet.ipsec.debug=0xffffff

Establish the vpn send traffic on the not working path and see if anything comes out on dmesg -a command?

sierrabravo

Hi @All

i have a similar problem after upgrade to 2.1.5 to 2.2 in one of my pfs boxes.
Previous ipsec tunnel between these 2 boxes (with P1 both aggressive mode) works perfectly
Please note that both PFSs are BEHIND a firewall

After upgrade, old confs do not work anymore. No connection, P1 never established. Only this error on PFS 2.1.5 -> "ERROR: phase1 negotiation failed due to time up"

After a lot of attemps, I finally found a working configuration.

My actual confs, BOLD main changes after upgrade in OfficeB's PFS

Office A - pfs 2.1.5
P1
Mutual PSK
Main Mode (was aggressive)
My Identifier -> My IP Address
Peer Identifier -> Peer IP Address
Enc Alg AES 256Bit
Hash Alg SHA1
DH KeyGroup 2 (1024bit)
Lifetime 28800

Nat-T DISABLE <- leave to ENABLE do not work, P1 established, P2 maybe (sorry, I don't remember)
DPD Enabled (10 Secs,5 retries)

(two P2 phases)
P2 Protocol ESP
P2 Transforms 3DES
P2 Auth Methods MD5,SHA1
PFS key group OFF
Lifetime 3600

Office B - pfs 2.2
P1
Key Exchange Version -> V1
Mutual PSK
Main Mode (was aggressive)
My Identifier -> My IP Address
Peer Identifier -> IP Address -> 192.168.46.10 <– this is WAN IP address of OfficeA PFS
Enc Alg AES 256Bit
Hash Alg SHA1
DH KeyGroup 2 (1024bit)
Lifetime 28800

Nat-T AUTO
DPD Enabled (10 Secs,5 retries)

(two P2 phases)
P2 Protocol ESP
P2 Transforms 3DES
P2 Auth Methods MD5,SHA1
PFS key group OFF
Lifetime 3600

This was a message on PFS 2.2 box that give me an hint:

charon: 15[IKE] IDir '192.168.46.10' does not match to 'XX.XXX.XX.XXX'

XX.XXX.XX.XXX is public IP address of officeA ( Remote Gateway in OfficeB conf)

I hope this can be helpful for someone else

Simone

eri--

Or on pfSense 2.2 you have to set the proper identifier by choosing ip address and setting the private ip address of pfSense on the remote end.

@sierrabravo,

your example is a clear id mismatch problem on configuration.

cmb

Adding this from another thread since it's been the root cause of a few issues and seemingly the ones in this thread as well.

One relevant change in behavior we've seen is racoon didn't seem to care whether the ID it was sent matched if it had a match for the IP where the traffic was actually being originated. So for instance if you have the remote end behind NAT set to use "My IP Address" for its identifier, it puts the private WAN IP in there as its identifier. racoon would still find it by matching the public IP where the request was initiated (probably technically incorrect). But strongswan has to find a match to the ID being sent by the other side, it won't fall back to "eh, you're coming from X IP and I have a match there, so that's good enough."

reesesm2000

All firewall rules are correct?

I am fairly sure they are since either Phase 2 will work without me changing anything just depending on which one I initiate traffic over first. Send a ping via Phase 2 No1 and it is active and working and No2 is not. Only shows Bytes In and No Bytes Out. Send a ping via Phase 2 No2 first and it works with No1 failing and showing Bytes In and no Bytes Out.

sysctl net.inet.ipsec.debug=0xffffff and dmesg -a

This produced no difference in the output before or after trying to send traffic on the failed route or after restarting ipsec.

eri--

Ok the last thing to verify is if you see the packets with tcpdump/packet capture on enc0 interface on both cases be it receiving a reply or not.
If you can see both ping requests through enc when sending traffic but not receive reply would mean some issues with phase2 to be looked at.

reesesm2000

Thanks everyone for all the help but in the end I am going to have to go back to 2.1.5. 2.2 is just not ready. I have 3 show stoppers that I see no resolution for:

Unable to boot with Error Code = 19 although I am able to format and install it just fails to boot. (This is a new SuperMicro D525 so should work)
More than 1 Phase 2 in a IPSec Site to Site will not work on either IKEv1 or IKEv2.
IPSec traffic regularly stops and the only solution is to bounce the connection.

MichelZ

I am getting to the same conclusion, I think. Hoping for a 2.2.1 soon which hopefully fixes some of those issues :(

eri--

If you would be able to test this last tweak.

Just disable reauthentication on the phase1 advanced settings so only a normal rekey is performed rather than a full reauthentication.

reesesm2000

This change has made no difference. If anything I think it is worse. There are now Phase 2 routes in the status that are not in the configuration. IPSec (Strongswan) is truly broken. Really sad as pfSense was a great product before 2.2.

I have looked for the 2.1.5 download but I cannot find it. Anyone know where I can find it before I have to switch to a different product?

MichelZ

That's what backup are for :)

reesesm2000

I have a config backup but not the install since I installed a version some revisions back. I could put that one up and spend time going from one version to the next or just install IPCop with the latest stable release. Since 2.2 is not a stable release there should be at least 1 version back available for download.

doktornotor

@reesesm2000:

there should be at least 1 version back available for download.

http://files.nyi.pfsense.org/mirror/downloads/

twaldorf

I have also trouble with IPSec since upgrading from 2.1.5 to 2.2

My problem is that most of the tunnels are going down after the phase 1 lifetime expires. Restart of IPSec service does not help. I have to restart the whole firewall. After reboot all tunnels coming up automatically until again phase 1 lifetime expires…

Have anybody some idea?? THANKS!!

reesesm2000

http://files.nyi.pfsense.org/mirror/downloads/

Thanks doc.

twaldorf, I found this happening too. Most of the time the phase 2 would come up after disconnecting and reconnecting the Phase 1. Note that if you have more than 1 Phase 2, only one of them will actually work even though the other show as up. Have you tried stopping and starting IPSec itself? Not just the Phase 1. I also use that a few times each day to get the link working again. I had to merge a few of my ip ranges at the various offices around the world to use a single range so that I could delete all the Phase 2s except 1.

twaldorf

@reesesm2000

I restarted the whole IPSec service. That didn't help. Also all (!) my tunnels have more than 1 phase 2, but only some of them are going down after phase 1 lifetime expires. For me it is no solution to reduce the number phase 2 because we have also an OpenVPN server running and want to allow all OpenVPN users to use the IPSec connections which is only possible if you tunnel the OpenVPN range to a second phase 2 in IPSec.

twaldorf

I just noticed something! The tunnels which are going down after phase 1 lifetime expires have ENABLED dead peer detection. The ones which are still alive after phase 1 lifetime expires have it DISABLED !

So it could be that there is an issue with DPD in pfSense 2.2 ???

MichelZ

DPD is already disabled on all my tunnels