    VPN between two 2.2.1 (alix and esxi based) - Not stable

      nikolaii

      Hello,

      I have some stability problems with many IPSec tunnels I have from my central ESXi gateway (which has multiple phase2 tunnels).

      What happens is that the tunnels come up, but then no traffic can be exchanged inside, and when I look in the IPSec status page, I can see a loooot of phase2 duplicates. So I read the forum, and I did add a custom key like https://forum.pfsense.org/index.php?topic=91627.0 suggests.

      net.key.preferred_oldsa = 0
      

      Today I restarted the central gateway and the tunnels were working nicely again … but for how long?

      I came across a log message which I cannot explain, which could be related to my problems?

      Jun 19 09:20:48 	charon: 03[CFG] trap not found, unable to acquire reqid 19833
      Jun 19 09:20:48 	charon: 03[KNL] creating acquire job for policy A.B.C.D/32|/0 === E.F.G.H/32|/0 with reqid {19833}
      

      This is what I got when I was trying to ping the other end after having reset the IPSec tunnel through the "IPSec Status" page.

      I'd like to debug this and have more stable tunnels, but so far I can't find what to do … Any help is much appreciated.

      Nicolas

        doktornotor Banned

        Grab the latest 2.2.3 snapshot for any and all IPsec usage. Debugging known-to-be superbuggy 2.2.1's IPsec is a pure waste of time.

          nikolaii

          Thank you for your answer.

          Since these are production firewalls, I don't fancy installing a beta or RC.

          But I could install a 2.1.5 or 2.2.2 release. What do you think would be my best option (besides waiting for the 2.2.3 to become a stable release)?

          Nicolas

            doktornotor Banned

            https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes#IPsec
            https://doc.pfsense.org/index.php/2.2.3_New_Features_and_Changes#IPsec

            Not really sure what else to suggest here. The older the 2.2 version, the more buggy the IPsec.

              nikolaii

              Well I'll wait till 2.2.3 is released as a stable version then :)

              Nicolas
