[CLOSED - Can't reproduce] IPSec using alias IP instead of WAN IP
-
My phase I uses the WAN interface, wish has the .81 IP assigned to it. My .81 IP isn't used for any IP Alias or anything else. When looking my ipsec.conf I see the .83 as the left interface IP, so assume the appliance is getting the WAN on Phase I and translating to .83 - one of the IP Alias.
I did try to create a IP Alias for the .81 to have it on the selection for the Phase I, but it don't seem to be allowed (maybe also wrong).
Hope I have answered your question.
Will PM a screen shot with the options I have.
Please be careful with my Public IPs and domain :)
I can setup a conference call and share screen so you can see. -
I was asking if you deliberately set IPsec to use .82, does it configure IPsec to use .82? You would just select the VIP in the interface selection you showed.
I understand that you are seeing .83 in the config even though you should be seeing .81.
You should not try to create a VIP for .81 nor should you have to. .81 is the interface address.
-
No, haven't set my IPSec to .82. It is set to WAN you per pics sent.
-
Can you try it?
-
When setting to .82, IPSec tried to connect with it:
04[NET] sending packet: from x.x.x.82[500] to 24.x.x.79[500]
Changing back to WAN, it's back to .83:
04[NET] sending packet: from x.x.x.83[500] to 24.x.x.79[500]
-
That is really very strange. I didn't see anything in your config that would cause that. It's fairly straightforward. I will try to duplicate it here. Not sure how long that will take.
-
Doing some tests, removed my IP Alias, disabled/enabled my Phase I, and the left IP was correct. Tried to connect and it did:
I've added my IP Alias back/disconnected/reconnected fine.
Disabled/re-enabled with the IP Alias configured and again, the left IP on my ipsec.conf is back to the 2nd IP Alias (my .83).
Could it be something on ipsec_get_phase1_src?
-
Probably not. But if you have a definitive set of steps to reproduce it can be looked at.
-
Steps:
- Removed IP Alias
- Disabled/Enabled IPSec Phase I
- IPSec tunnel connected
- Added IP Alias
- Disconnected/reconnected tunnel -> OK
- Disabled/Enabled IPSec Phase I
- Tried to connect IPSec -> Using wrong IP, so not connected
Also:
- Today I decided to do a fresh install with:
Version 2.4.3-RELEASE (amd64)
built on Mon Mar 26 18:02:04 CDT 2018
FreeBSD 11.1-RELEASE-p7- Restored my config and IPSec is connecting
- Will update to 2.4.3_1 and report.
-
Here's the results:
--- Started update ---
Updating repositories metadata...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
done.
pfSense repository is up to date.
All repositories are up to date.
2.4.3_1 version of pfSense is available
Downloading upgrade packages...
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (9 candidates): ......... done
Processing candidates (9 candidates): ......... done
The following 8 package(s) will be affected (of 0 checked):Installed packages to be UPGRADED:
sqlite3: 3.21.0_1 -> 3.22.0_1 [pfSense]
pfSense-rc: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense-kernel-pfSense: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense-default-config: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense-base: 2.4.3 -> 2.4.3_1 [pfSense-core]
pfSense: 2.4.3 -> 2.4.3_1 [pfSense]
perl5: 5.24.3 -> 5.24.4 [pfSense]
libnghttp2: 1.29.0 -> 1.31.1 [pfSense]Number of packages to be upgraded: 8
67 MiB to be downloaded.
[1/8] Fetching sqlite3-3.22.0_1.txz: .......... done
[2/8] Fetching pfSense-rc-2.4.3_1.txz: .. done
[3/8] Fetching pfSense-kernel-pfSense-2.4.3_1.txz: .......... done
[4/8] Fetching pfSense-default-config-2.4.3_1.txz: . DoneSystem update failed!
--- Update ended with errors ---
- System rebooted and shows:
Version 2.4.3-RELEASE-p1 (amd64)
built on Thu May 10 15:02:52 CDT 2018
FreeBSD 11.1-RELEASE-p10-
IPSec status shows connected ...
-
Failing update have been reported by several users, so not new
-
Can't reproduce after freshly installing for a second time -- please note the previous installation was fresh and config restored as well.
-
I'm closing this as can't reproduce -- please let me know if is there anything else I can test for you guys.
-