Netgate Discussion Forum

    Cannot get multiple phase 2 to work on site-to-site (pfsense 2.4.4), connection to AWS

    Category: IPsec
    4 Posts 3 Posters 789 Views 3 Watching
    • VPTechnik (last edited by VPTechnik)

      Hello
      We are preparing a new comp unit running pfSense 2.4.4, to replace our old Cisco firewall and router. After setting up IPsec with two P2 entries, everything works fine. The phase 1 gets connected to AWS and the packets for the remote subnet 10.10.0.0 are routed properly. Problems occur as soon as we define another P2 subnet to be routed (remote subnet 10.20.0.0 in the bottom graphic, currently disabled). This additional P2 entry is a copy of the other one, just with a changed remote subnet. As soon as the currently disabled one is activated, the other tunnels get stuck or lose connection. We checked this with a continuous ping. It seems that multiple phase 2 entries and their routes are interfering.

      [attached image: 0_1539877266198_5bc8f8af-9815-47f3-8348-dfd63de17f92-image.png]

      As I have read, something similar occurred in an older pfSense version (2.2). In some other cases I've read, using IKEv2 shouldn't have such issues. As Amazon AWS pretends to use IKEv1, what other options do we have to get this up and running? Or is it probably a (reappeared) bug?

      Does somebody else have a connection running with IKEv1 and multiple Phase 2 entries to Amazon AWS?

      Thanks in advance
      Patrick

      • oklord @VPTechnik

        @vptechnik Getting the same issue

        • jimp (Rebel Alliance Developer, Netgate)

          AWS doesn't allow that many P2s. They will disconnect old ones as new ones over the limit try to establish.

          Switch to VTI and use BGP to route whatever you want over a single VTI P2 entry.


          • VPTechnik
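          The symptom in the first post (a second P2 entry being torn down while the first stays up) and the fix in jimp's reply (one VTI P2 with 0.0.0.0/0 selectors, routes learned over BGP) can both be checked from the responder's child SA list. The following is an added example, not code from the thread or from pfSense/strongSwan: it parses text laid out like strongSwan's `swanctl --list-sas` output (the two samples below are constructed and only approximate that layout), then reports, for each remote subnet that must be reachable, which INSTALLED child SA covers it. The connection name `aws-vpn`, the child names, and the /16 masks on the poster's 10.10.0.0 and 10.20.0.0 subnets are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample in the style of `swanctl --list-sas`: two policy-based
# child SAs; the second one is shown as DELETING, the symptom from the thread.
POLICY_SAMPLE = """\
aws-vpn: #3, ESTABLISHED, IKEv1, 1a2b3c4d5e6f7a8b_i* 5e6f7a8b1a2b3c4d_r
  local  '198.51.100.10' @ 198.51.100.10[500]
  remote '203.0.113.20' @ 203.0.113.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
  established 412s ago, rekeying in 27988s
  aws-vpn-1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 412s ago, rekeying in 2936s, expires in 3188s
    in  c6a1b2c3,   8120 bytes,    94 packets,     2s ago
    out c3d4e5f6,   7744 bytes,    88 packets,     2s ago
    local  192.168.1.0/24
    remote 10.10.0.0/16
  aws-vpn-2: #8, reqid 2, DELETING, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 40s ago, rekeying in 3308s, expires in 3560s
    in  c7b8c9d0,      0 bytes,     0 packets
    out c1e2f3a4,      0 bytes,     0 packets
    local  192.168.1.0/24
    remote 10.20.0.0/16
"""

# Constructed sample for the VTI layout: a single child SA with 0.0.0.0/0
# selectors; which subnets actually flow is then decided by routing (BGP).
VTI_SAMPLE = """\
aws-vpn: #4, ESTABLISHED, IKEv1, 9f8e7d6c5b4a3f2e_i* 2e3f4a5b6c7d8e9f_r
  local  '198.51.100.10' @ 198.51.100.10[500]
  remote '203.0.113.20' @ 203.0.113.20[500]
  aws-vti: #9, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 90s ago, rekeying in 3200s, expires in 3510s
    local  0.0.0.0/0
    remote 0.0.0.0/0
"""

# Remote subnets that must be reachable (masks assumed; the post gives none).
EXPECTED_REMOTE = ["10.10.0.0/16", "10.20.0.0/16"]


@dataclass
class ChildSA:
    name: str
    state: str
    local: list = field(default_factory=list)   # traffic selectors (ip_network)
    remote: list = field(default_factory=list)


# Child SA header: "<name>: #<id>, reqid <n>, <STATE>, ..." (indented).
CHILD_RE = re.compile(r"^\s*(?P<name>\S+): #\d+, reqid \d+, (?P<state>[A-Z]+),")
# Traffic selector line inside a child SA: "local  a.b.c.d/n [e.f.g.h/m ...]".
TS_RE = re.compile(r"^\s*(?P<side>local|remote)\s+(?P<nets>[0-9a-fA-F:./ ]+?)\s*$")


def parse_list_sas(text):
    """Return the child SAs (name, state, selectors) found in list-sas text."""
    children, current = [], None
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            current = ChildSA(m["name"], m["state"])
            children.append(current)
            continue
        if re.match(r"^\S", line):      # new IKE SA header at column 0
            current = None
            continue
        m = TS_RE.match(line)
        if m and current is not None:
            nets = [ipaddress.ip_network(n) for n in m["nets"].split()]
            getattr(current, m["side"]).extend(nets)
    return children


def covered_by(subnet, children):
    """Name of an INSTALLED child SA whose remote selector contains subnet, else None."""
    for c in children:
        if c.state != "INSTALLED":
            continue
        if any(subnet.subnet_of(r) for r in c.remote if r.version == subnet.version):
            return c.name
    return None


def check_coverage(text, expected_remote):
    """Map each expected remote subnet to the child SA carrying it (None = unreachable)."""
    children = parse_list_sas(text)
    return {n: covered_by(ipaddress.ip_network(n), children) for n in expected_remote}


if __name__ == "__main__":
    for label, sample in (("policy-based", POLICY_SAMPLE), ("VTI", VTI_SAMPLE)):
        print(label)
        for net, sa in check_coverage(sample, EXPECTED_REMOTE).items():
            print(f"  {net}: {sa or 'NO INSTALLED CHILD SA'}")
```

          Run against the real command output on a schedule, a `None` result for a subnet that used to be covered is exactly the tunnel-drop the first post describes, and is a better alarm than a ping that only shows one subnet at a time. On the VTI side, note that the check can only confirm the 0.0.0.0/0 child SA is up; whether 10.20.0.0/16 is actually routed into it is a question for the BGP session and routing table, not the SA list.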

            Thank you very much for your suggestion. I've reconfigured the tunnel to use VTI and for some days it has stayed quite stable. The routing seems to work fine for all subnets.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.