IPsec MikroTik <–> pfSense 2.2 broken

georgeman

Alright, I modified /etc/inc/vpn.inc so the generated strongswan.conf gets an explicit list of plugins to load:

# Automatically generated config file - DO NOT MODIFY. Changes will be overwritten. 
starter {
load_warning = no
}

charon {
load = charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke smp updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
# number of worker threads in charon
threads = 16
ikesa_table_size = 32
ikesa_table_segments = 4
init_limit_half_open = 1000
install_routes = no
{$i_dont_care_about_security_and_use_aggressive_mode_psk}
{$accept_unencrypted}
# cisco_unity = {$unity_enabled}
{$ifacesuse}

# And two loggers using syslog. The subsections define the facility to log
# to, currently one of: daemon, auth.
syslog {
	identifier = charon
	# default level to the LOG_DAEMON facility
	daemon {
	}
	# very minimalistic IKE auditing logs to LOG_AUTHPRIV
	auth {
		default = -1
		ike = 1
		ike_name = yes
	}
}

EOD;

I got that list from the regular list of loaded plugins from "ipsec statusall" but removed unity from it. Once unity is not loaded, the phase2 settings are not automatically changed anymore and everything works fine.

I am not sure if this is the proper way to handle it, but I seriously needed this to work right away. Feedback is appreciated.

Conclusions from all these:

• The unity plugin is the culprit (probably worth reporting and/or fixing upstream)
• pfSense is not properly disabling the unity plugin

Best regards!!

cmb

It does set "cisco_unity = no" in strongswan.conf when you disable it, which should be adequate, but sounds like that's not enough to fix that problem.

Hopefully with your Mikrotik config there I'll be able to replicate it now. Added note to the still-open bug on this.
https://redmine.pfsense.org/issues/4178

eri--

Can you also please do a test by choosing another modp than 1024 on both phase1 and phase2?

abidkhanhk

Hi,

I am also having same issue, only the 1st entry of the P2 connected and rest dont work

the Tunnels are between 2 PFboxes,

at first i thought it was because tunnel from 2.1.5 were not compatible with 2.2 and created new ones

tried the following

• changed IKE to all three modes V1, V2 and Auto,
• disabled Unity option in advanced menu
• Changed PFS to off and other options

both boxes are upgraded to 2.2 release.

Regards
Abid

georgeman

@hongkonger: that is not the same issue

@ermal: I tried the following combinations of ph1 / ph2 and all of them behave in the same way when the unity plugin is loaded, as described before:

modp1024 / none
modp768 / none
modp768 / modp768
modp2048 / none
modp2048 / modp2048
modp1536 / modp768
modp768 / modp1536

eri--

Do all tunnels have the same subnets specified on phase2?

georgeman

I forgot to mention that I tested with only one phase1 and one phase2 on both sides.

Best regards

zueri

Sorry to warm up this topic.

Is there any news on this? I've updated to 2.2.1 last week and am facing the same issues. Switch Mikrotik to passive helped but it is not realy a good solution for me (Mikrotik should be Initiator in my case).

cmb

The unity bug that was the source of OP's issue was fixed/worked around in 2.2.1. If you check the "disable unity" checkbox on the advanced tab, it'll prevent that from being an issue.

@zueri:

Is there any news on this? I've updated to 2.2.1 last week and am facing the same issues. Switch Mikrotik to passive helped but it is not realy a good solution for me (Mikrotik should be Initiator in my case).

That definitely sounds the same as OP's issue, disable unity.

pfoerster

This post is deleted!