Netgate Discussion Forum
    PfSense 2.3.2 - problem with multiple phase2 in one connection

    seal

      I have a problem with IPsec - I have this scenario:

      remote VPN - StrongSWAN 5.3.3 on openwrt - connections in ipsec.conf:

      conn general
              keyexchange=ikev2
              right=31.XXX.XXX.XXX
              left=193.XXX.XXX.XXX
              authby=secret
              esp=aes256-sha1
              ike=aes256-sha1-modp1536
              keylife=8h
              ikelifetime=24h
      
      conn general_net1
              rightsubnet=192.168.XXX.XXX/32
              leftsubnet=193.XXX.XXX.XXX/26
              also=general
              auto=route
      
      conn general_net2
              rightsubnet=192.168.XXX.XXX/32
              leftsubnet=192.168.XXX.XXX/21
              also=general
              auto=route
      
      conn general_net3
              rightsubnet=192.168.XXX.XXX/32
              leftsubnet=172.XXX.XXX.XXX/22
              also=general
              auto=route

      On pfSense I made, via the web GUI, one connection between the IPsec endpoints, and in this connection a phase 2 for every pair of addresses (as shown above).

      When the configuration is applied, the first traffic brings up phase 1 and whichever phase 2 comes first; the others are not initiated - in the status I always see only one phase 2 active.
      Traffic for the second phase 2 makes pfSense replace the SA for this ISAKMP - there should be two active SAs, but only one is active - the one with the newest traffic.

      I see that the problem can be how pfSense makes the config file for IPsec - it combines all IPsec SAs into one SA - generated file on my pfSense:

      
      conn con1
      	fragmentation = yes
      	keyexchange = ikev2
      	reauth = yes
      	forceencaps = no
      	mobike = no
      
      	rekey = yes
      	installpolicy = yes
      	type = tunnel
      	dpdaction = restart
      	dpddelay = 10s
      	dpdtimeout = 60s
      	auto = route
      	left = 193.XXX.XXX.XXX
      	right = 31.XXX.XXX.XXX
      	leftid = 193.XXX.XXX.XXX
      	ikelifetime = 86400s
      	lifetime = 28800s
      	ike = aes256-sha1-modp1536!
      	esp = aes256-sha1, [...]
      	leftauth = psk
      	rightauth = psk
      	rightid = 31.XXX.XXX.XXX
      	rightsubnet = 192.XXX.XXX.XXX
      	leftsubnet = 172.XXX.XXX.XXX/22,192.XXX.XXX.XXX/21,193.XXX.XXX.XXX/26

      I think that pfSense should produce a new conn in the file for every SA.
      Derelict (Netgate)

        To me that looks like a problem with the way the DDWRT is configuring itself.

        Try enabling Split Connections on the IKEv2 Phase 1 on the pfSense side.

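To make the two config shapes discussed in this thread concrete, here is an added example (not pfSense or strongSwan code) that renders an ipsec.conf for one IKEv2 peer with several phase 2 entries in both forms: merged into a single conn with comma-separated subnets, which is the shape of the generated file seal posted, and split into a parent section plus one conn per phase 2 chained with also=, which is the shape of seal's OpenWrt config and what the Split Connections option is meant to produce. Addresses are constructed (TEST-NET ranges) in place of the masked XXX values, and the small parser only understands conn sections.

```python
"""Render strongSwan ipsec.conf for one IKEv2 peer with several phase 2 entries,
either merged into one conn (comma-separated leftsubnet, the form in the
generated pfSense 2.3.2 file above) or split into one conn per phase 2 that
inherits the phase 1 settings via also= (the form of the OpenWrt config above).
Added illustration, not pfSense or strongSwan code; all addresses constructed."""

# Constructed sample values standing in for the masked XXX addresses.
PHASE1 = {
    "keyexchange": "ikev2",
    "left": "198.51.100.10",
    "right": "203.0.113.20",
    "leftid": "198.51.100.10",
    "rightid": "203.0.113.20",
    "leftauth": "psk",
    "rightauth": "psk",
    "ike": "aes256-sha1-modp1536!",
    "esp": "aes256-sha1!",
    "ikelifetime": "86400s",
    "lifetime": "28800s",
}

# (leftsubnet, rightsubnet) pairs: one per phase 2 entry configured in the GUI.
PHASE2 = [
    ("198.51.100.0/26", "192.168.1.1/32"),
    ("10.20.8.0/21", "192.168.1.1/32"),
    ("172.16.0.0/22", "192.168.1.1/32"),
]


def _section(name, settings):
    """Format one 'conn NAME' section with tab-indented key = value lines."""
    lines = [f"conn {name}"]
    lines += [f"\t{k} = {v}" for k, v in settings.items()]
    return "\n".join(lines)


def render_merged(name, phase1, phase2):
    """One conn carrying every subnet pair: strongSwan proposes all of them as
    traffic selectors of a single CHILD_SA."""
    settings = dict(phase1)
    settings["auto"] = "route"
    settings["leftsubnet"] = ",".join(sorted({l for l, _ in phase2}))
    settings["rightsubnet"] = ",".join(sorted({r for _, r in phase2}))
    return _section(name, settings) + "\n"


def render_split(name, phase1, phase2):
    """A parent section with the phase 1 settings (no subnets, so it creates no
    CHILD_SA by itself) plus one child conn per subnet pair referencing it with
    also=, so each pair negotiates its own CHILD_SA."""
    parts = [_section(name, phase1)]
    for i, (lsub, rsub) in enumerate(phase2, 1):
        child = {"leftsubnet": lsub, "rightsubnet": rsub,
                 "also": name, "auto": "route"}
        parts.append(_section(f"{name}_{i:03d}", child))
    return "\n\n".join(parts) + "\n"


def parse_conns(text):
    """Minimal ipsec.conf reader: conn name -> dict of settings.
    Handles only 'conn' sections and '#' comments, not 'config setup' or include."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            conns[current][k] = v
    return conns


def count_child_sas(conns):
    """Number of conns that carry traffic selectors, i.e. that become CHILD_SAs."""
    return sum(1 for c in conns.values() if "leftsubnet" in c)


if __name__ == "__main__":
    merged = render_merged("con1", PHASE1, PHASE2)
    split = render_split("con1", PHASE1, PHASE2)
    print(merged)
    print(split)
    print("merged CHILD_SAs:", count_child_sas(parse_conns(merged)))  # 1
    print("split  CHILD_SAs:", count_child_sas(parse_conns(split)))   # 3
```

The merged form yields one conn and therefore one CHILD_SA whose traffic selectors list all three local subnets. A responder configured like the OpenWrt side, with a separate conn per subnet pair, matches one of those conns and narrows the selectors to that single pair, so only one pair is usable at a time and traffic for another pair triggers a new negotiation that replaces the previous CHILD_SA; that is consistent with the single active phase 2 seen in the status page. The split form produces one conn and one CHILD_SA per pair, mirroring the peer's layout, which is what enabling Split Connections on the phase 1 is intended to achieve.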
        seal

          The config on my side - openwrt - was made by me - I prefer to make the networks separate SAs because managing them is better for me.

          Split Connections is OK - after this it works well, but the status is strange - status attached.

          The main connection shows as disconnected, but a new one appears without a name, and this new one has the SA.

          [attachment: screen.png]

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.