Netgate Discussion Forum

Deleting Duplicate IKE_SA on pfSense 2.2

dharrigan, Jan 30, 2015, 3:56 PM (last edited Jan 30, 2015, 5:29 PM)

Hello,

I have mobile users each having, say, two devices. Each is trying to use an IPsec tunnel into a corporate network running pfSense 2.2.

I don't know where the clients may be or what networks they may be on.

What I'm finding is that one device of the user connects into the VPN successfully and a tunnel is established. However, if the other device of the user attempts to connect, it fails and even sometimes kicks the first device off.

It appears that I'm getting this: "deleting duplicate IKE_SA for peer 'XXXX' due to uniqueness policy"

In pfSense 2.1 there was a way to set the uniqueness, but it doesn't seem to be exposed on pfSense 2.2. I see that in the ipsec.conf file, "uniqueids" is set to yes.

It's important for me that my mobile users, with multiple devices, can all connect to our corporate network. Is there a way around this that doesn't involve creating multiple user accounts for each device that the user may have?

Thank you very much :-)

-=david=-
eri--, Jan 30, 2015, 7:52 PM

So your users have multiple devices behind NAT and they cannot reuse their user on another device because it will disconnect them?

Can you try changing /var/etc/ipsec/ipsec.conf to uniqueids = no and report if that fixes it?
dharrigan, Jan 30, 2015, 9:43 PM

Hello!

Hi, thanks for the reply. I'll give it a shot and see how it goes :-)

-=david=-
dharrigan, Jan 30, 2015, 10:29 PM

Hi,

My quick experimentation seems to show it working. I have in "config setup" the value "uniqueips = no" and was able to connect 3 devices behind my firewall (NATted) directly into the corporate network successfully.

If I modify the ipsec.conf file directly (using vi), it gets overwritten by the web UI if/when I restart it via that means (or make any conf changes via the UI).

Perhaps, if tested a bit further and shown to work, could this "uniqueips" and its valid values be exposed as a dropdown on the UI please?

Thanks.

-=david=-
eri--, Jan 31, 2015, 6:59 PM

The option will be on 2.2.1 RELEASE.
For now you can apply the patch manually: https://github.com/pfsense/pfsense/commit/908edbd3d17a6fac747b6583322be9e547026f7f
dharrigan, Feb 1, 2015, 6:09 AM

Hi!

w00t! Thanks! Much appreciated :-)

-=david=-
dharrigan, Mar 28, 2015, 3:22 PM

Hi,

pfSense 2.2.1

I've been looking to test out this patch that was applied and then came out with pfSense 2.2.1, but it doesn't appear to set the value! :-(

VPN... IPsec... Advanced Settings... Configure Unique IDs as.

If I set it as "no" and click apply, the value in /var/etc/ipsec/ipsec.conf remains as "uniqueips = yes".

Indeed, if I refresh the page, the NO changes to YES.

Am I doing something incorrect?

-=david=-
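Added example, not from the thread or from pfSense itself: a small POSIX shell check that reads the effective uniqueids value out of the "config setup" section of a generated ipsec.conf, so a UI change can be verified against the file the daemon actually loads rather than against what the page shows. The sample ipsec.conf below is constructed; the path /var/etc/ipsec/ipsec.conf is the one named in the thread, and the fallback "yes" is strongSwan's documented default when the option is absent.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): report the effective
# "uniqueids" value in the "config setup" section of a strongSwan ipsec.conf.
# On pfSense the generated file lives at /var/etc/ipsec/ipsec.conf (per the thread).

# Print the uniqueids value from "config setup". Comments are stripped, the
# value is lower-cased, and a "uniqueids" line inside a "conn" section is
# ignored because strongSwan only honours it in "config setup". When the
# option is absent we print strongSwan's default, "yes".
ipsec_uniqueids_value() {
    awk '
        { sub(/#.*/, "") }                                         # drop comments
        /^[[:space:]]*config[[:space:]]+setup[[:space:]]*$/ { in_setup = 1; next }
        /^[[:space:]]*(conn|ca|config)[[:space:]]+/         { in_setup = 0; next }
        in_setup && /^[[:space:]]*uniqueids[[:space:]]*=/ {
            sub(/^[[:space:]]*uniqueids[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            value = tolower($0)
        }
        END { print (value == "" ? "yes" : value) }
    ' "$1"
}

# Exit 0 when the effective value matches what you expect, 1 otherwise.
# Useful right after clicking Apply in the UI, or after a manual edit that the
# UI may silently have overwritten.
check_uniqueids() {
    actual=$(ipsec_uniqueids_value "$1")
    [ "$actual" = "$2" ]
}

# Constructed sample resembling a generated pfSense 2.2 file (not a real capture).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="ike 2,cfg 2"

conn con1
    keyexchange = ikev1
    uniqueids = no   # no effect here: uniqueids belongs in "config setup"
EOF

ipsec_uniqueids_value "$SAMPLE_CONF"   # prints: yes
```

Run it against /var/etc/ipsec/ipsec.conf after applying the setting; if check_uniqueids reports "yes" when you selected "no", the UI did not write the option, which is the symptom described in this post.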
neurobashing, Mar 30, 2015, 6:27 PM

Same here!!
dharrigan, Apr 1, 2015, 8:53 AM

Hi,

This does appear to be a bug. How do I raise a bug report on this? (Redmine?)

-=david=-
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.