Netgate Discussion Forum
    IP Sec Issues with multiple P2 tunnels (only the first comes up)

    Jason1320:

      I have searched this forum, and many others, and this topic has come up before, but I can't seem to find a resolution that works for me. I am able to make it work in the short term, but when the IPsec service restarts it overwrites what I have done and breaks the tunnels again.

      The problem seems to be in the /var/etc/ipsec.conf file and how it is generated by vpn.inc, unfortunately I'm not good with PHP and the code provided in the following link does not work for me.

      https://forum.pfsense.org/index.php?topic=85429.0

      If I edit /var/etc/ipsec.conf to use multiple conn entries and then restart ipsec from the command line, all of my tunnels come up fine. But if I restart IPsec from the GUI or reboot the firewall, the file is regenerated and I lose my changes.

      I'm not sure what changed in the code from 2.1 to 2.2+, but the ipsec.conf file as it is currently generated by vpn.conf does not work for IKEv2 with multiple P2 tunnels.

      Am I missing something obvious?

    cmb:

        The thread you linked hasn't been relevant to any release version; don't follow any instructions from beta troubleshooting/development. The config that's generated in every release version is correct.

        Are you connecting to a Cisco ASA on the other side? That'd be a Cisco bug/lacking feature. We have a ticket open to implement a workaround at some point. https://redmine.pfsense.org/issues/4704

    Jason1320:

          Sonicwall 4500 (SonicOS 5.8.1.5)

          Call it what you like, but if I can modify a PFS-generated config file and get the desired result, the bug/lacking feature is on the PFS GUI.

          This works; Having all tunnels under conn con1 does not.

          # This file is automatically generated. Do not edit
          config setup
          	uniqueids = yes
          	charondebug=""

          conn bypasslan
          	leftsubnet = 10.160.52.0/24
          	rightsubnet = 10.160.52.0/24
          	authby = never
          	type = passthrough
          	auto = route

          conn con2
          	also=con1
          	rightsubnet=10.12.0.0/16
          	auto=start

          conn con3
          	also=con1
          	rightsubnet=10.20.1.0/24
          	auto=start

          conn con1
          	fragmentation = yes
          	keyexchange = ikev2
          	reauth = yes
          	forceencaps = no
          	mobike = no
          	rekey = yes
          	installpolicy = yes
          	type = tunnel
          	dpdaction = none
          	auto = route
          	left = <publicip>
          	right = <publicip>
          	leftid = <publicip>
          	ikelifetime = 28800s
          	lifetime = 28800s
          	ike = 3des-sha1-modp1024!
          	esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
          	leftauth = psk
          	rightauth = psk
          	rightid = <publicip>
          	rightsubnet = 172.17.0.0/16
          	leftsubnet = 10.160.52.0/24
          
    cmb:

            Haven't heard of that with Sonicwall, but apparently they've broken/don't support multiple TS in the same TS payload either. The config is 100% correct as generated for the proper IKEv2 usage. One of the benefits of IKEv2 is not needing multiple child SAs for such circumstances. At least for proper implementations of it.

            In /usr/local/www/vpn_ipsec_phase1.php, take out this chunk of input validation:

            	if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) {
            		$t = 0;
            		foreach ($a_phase1 as $ph1tmp) {
            			if ($p1index <> $t) {
            				$tremotegw = $pconfig['remotegw'];
            				if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
            					$input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
            				}
            			}
            			$t++;
            		}
            	}
            

            Then add two P1s with one P2 on each. That's really what you're configuring there by splitting it to two conn entries.

            That validation probably isn't really necessary; might just remove that to allow configs like this. Its intention is to prevent foot shooting, but there are potential circumstances like this where it works around issues with the remote end.

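To make the difference cmb describes concrete, the following Python script is an added example, not code from pfSense, strongSwan or any poster in this thread. It renders both ipsec.conf shapes for one IKEv2 peer with three Phase 2 networks (a single conn whose rightsubnet is a comma-separated list, which is what the thread says pfSense 2.2+ generates, versus the split conns with also=con1 from Jason1320's working file), then parses the result back, resolving also= the way strongSwan does (the including section's own keys take precedence), and reports the child SAs and the remote traffic selectors each shape would negotiate. The addresses, the conn names and the aes256-sha256-modp2048 proposals are assumptions chosen for illustration; the posted file used 3des-sha1-modp1024.

```python
"""Added example (not pfSense/strongSwan code): render the two ipsec.conf shapes
from the thread for one IKEv2 peer with several Phase 2 networks, then parse them
back to count child SAs and traffic selectors.  All addresses are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Peer:
    left: str                 # our public IP (the pfSense side)
    right: str                # remote gateway (the Sonicwall in the thread)
    leftsubnet: str           # local Phase 2 network
    rightsubnets: List[str]   # one entry per Phase 2 in the GUI
    # Assumed proposals; the thread's file used the legacy 3des-sha1-modp1024.
    ike: str = "aes256-sha256-modp2048!"
    esp: str = "aes256-sha256-modp2048!"
    lifetime: str = "28800s"


def _shared(peer: Peer) -> str:
    """Settings common to both shapes: IKEv2, PSK auth, identities, proposals."""
    lines = [
        "keyexchange = ikev2", "fragmentation = yes", "reauth = yes",
        "mobike = no", "dpdaction = none", "type = tunnel",
        "leftauth = psk", "rightauth = psk",
        f"left = {peer.left}", f"leftid = {peer.left}",
        f"right = {peer.right}", f"rightid = {peer.right}",
        f"ikelifetime = {peer.lifetime}", f"lifetime = {peer.lifetime}",
        f"ike = {peer.ike}", f"esp = {peer.esp}", f"leftsubnet = {peer.leftsubnet}",
    ]
    return "".join(f"\t{line}\n" for line in lines)


def render_single_conn(peer: Peer) -> str:
    """One child SA whose TSr lists every remote network (RFC 7296 allows several
    traffic selectors per TS payload); the shape the thread says pfSense emits."""
    return ("config setup\n\tuniqueids = yes\n\nconn con1\n" + _shared(peer)
            + f"\trightsubnet = {','.join(peer.rightsubnets)}\n\tauto = route\n")


def render_split_conns(peer: Peer) -> str:
    """One child SA per remote network, the workaround posted in the thread: con1
    holds the shared settings and the first network; con2.. include it with also=
    and override rightsubnet (the including section's keys win in strongSwan)."""
    out = "config setup\n\tuniqueids = yes\n\n"
    first, rest = peer.rightsubnets[0], peer.rightsubnets[1:]
    for i, net in enumerate(rest, start=2):
        out += f"conn con{i}\n\talso = con1\n\trightsubnet = {net}\n\tauto = start\n\n"
    return out + "conn con1\n" + _shared(peer) + f"\trightsubnet = {first}\n\tauto = route\n"


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: a non-indented 'conn NAME' or 'config setup' opens
    a section; indented 'key = value' lines belong to it.  also= is kept raw here."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            kind, _, name = raw.strip().partition(" ")
            current = name if kind == "conn" else f"{kind} {name}"
            sections[current] = {}
        elif current is not None:
            key, _, value = raw.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def resolve_conn(sections: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Flatten an also= chain into the settings charon would load for this conn."""
    own = dict(sections[name])
    parent = own.pop("also", None)
    if parent is None:
        return own
    merged = resolve_conn(sections, parent)
    merged.update(own)  # the including section overrides the included one
    return merged


def child_sas(text: str) -> Dict[str, List[str]]:
    """Map each tunnel-mode conn (passthrough sections skipped) to the remote
    traffic selectors its CREATE_CHILD_SA would carry."""
    sections = parse_ipsec_conf(text)
    result: Dict[str, List[str]] = {}
    for name in sections:
        if name.startswith("config "):
            continue
        conn = resolve_conn(sections, name)
        if conn.get("type", "tunnel") != "tunnel":
            continue
        result[name] = [n.strip() for n in conn["rightsubnet"].split(",")]
    return result


# Constructed peer mirroring the three remote networks in the posted file.
PEER = Peer(left="203.0.113.10", right="198.51.100.20", leftsubnet="10.160.52.0/24",
            rightsubnets=["172.17.0.0/16", "10.12.0.0/16", "10.20.1.0/24"])

if __name__ == "__main__":
    for label, text in (("single conn", render_single_conn(PEER)),
                        ("split conns", render_split_conns(PEER))):
        print(f"{label}: {child_sas(text)}")
```

Running it shows the single-conn shape negotiating one child SA that carries three traffic selectors, while the split shape negotiates three child SAs of one selector each; the latter is the extra set of CREATE_CHILD_SA exchanges cmb calls unnecessary with a conforming IKEv2 peer, and it is the only shape the Sonicwall in this thread accepted. The proposals in the posted file (3DES, SHA-1, modp1024) are legacy; the ike=/esp= syntax is identical for the stronger suites the example assumes.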
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.