PFSense 2.4.5-1 and Multi IPSEC
-
Hello
I have upgraded 3 pfSense from 2.4.4p3 to 2.4.5p1.
Before the upgrade, I had 3 IPSEC links working perfectly for months.
Site1 to Site2, Site1 to Site3, Site2 to Site3. As soon as I upgraded the first firewall, the connection could not be established.
So I upgraded the 3 firewalls.
I have tried many things, checked everything, and I identified a way to reproduce it every time. My installation is 3 pfSense units with the same hardware and same software:
Site1, Site2, Site3.
I removed all IPsec configuration for my test. Main config is:
- IKEv2, IPv4, Mutual PSK, KeyID Tag and simple password "123"; of course I use the remote gateway public IP for each firewall.
Phase1 = AES128-GCM + 128 bits + SHA256 + DH14
All other parameters are default.
Now the test cases:
-
Step1
On site1, I create IPSEC Phase1 to site2
On site2, I create IPSEC Phase1 to site1
Start connection = it works
stop/start 5 times => connection result OK
keep connection ON
Step2
On site1, I create IPSEC Phase1 to site3
On site3, I create IPSEC Phase1 to site1
Start connection -> it works
stop/start 5 times -> connection result OK
keep connection ON
=> if I stop the site1-site2 connection, it's no longer possible to start it again!!
Logs give an error:
Aug 6 15:26:46 charon 10[IKE] <con1000|22> received AUTHENTICATION_FAILED notify error
Aug 6 15:26:46 charon 10[ENC] <con1000|22> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Step3
On site3, I create IPSEC Phase1 to site2
On site2, I create IPSEC Phase1 to site3
Start connection -> it works
stop/start 5 times -> connection result OK
keep connection ON
=> if I stop the site1-site3 connection which is currently working, it's no longer possible to start it again!!
So for me there is a bug which doesn't allow having two IPSEC connections.
This configuration worked perfectly in the past with 2.4.4p3. Has someone already seen this? Any idea?
best regards
Johan
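To triage which tunnel is failing from the charon lines quoted above, here is a small added log parser (my own example, not pfSense or strongSwan code). It assumes the charon line layout shown in the post (timestamp, thread[subsystem], <conn|SA>, message); the sample log is constructed, and the addresses and con2000 name are placeholders.

```python
import re

# Constructed sample in the charon log format quoted in the post.
SAMPLE_LOG = """\
Aug 6 15:26:40 charon 06[IKE] <con1000|22> initiating IKE_SA con1000[22] to 203.0.113.2
Aug 6 15:26:46 charon 10[IKE] <con1000|22> received AUTHENTICATION_FAILED notify error
Aug 6 15:26:46 charon 10[ENC] <con1000|22> parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Aug 6 15:27:01 charon 07[IKE] <con2000|23> IKE_SA con2000[23] established between 198.51.100.1[site1]...198.51.100.3[site3]
"""

# timestamp, "charon", thread number, [subsystem], <connection|IKE_SA id>, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) charon (?P<thread>\d+)\[(?P<subsys>\w+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)


def parse_charon_line(line):
    """Return a dict of the line's fields, or None if it is not a charon SA line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["thread"] = int(rec["thread"])
    rec["sa"] = int(rec["sa"])
    return rec


def tunnel_summary(log_text):
    """Per connection name: last IKE_SA number seen, most recent state
    (initiating / established / auth_failed) and how many auth failures occurred."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_charon_line(line)
        if not rec or rec["subsys"] != "IKE":
            continue  # ENC/NET lines repeat what the IKE lines already say
        entry = summary.setdefault(
            rec["conn"], {"sa": rec["sa"], "state": "unknown", "auth_failed": 0}
        )
        entry["sa"] = rec["sa"]
        if "AUTHENTICATION_FAILED" in rec["msg"]:
            entry["state"] = "auth_failed"
            entry["auth_failed"] += 1
        elif "established" in rec["msg"]:
            entry["state"] = "established"
        elif rec["msg"].startswith("initiating"):
            entry["state"] = "initiating"
    return summary


if __name__ == "__main__":
    for conn, info in tunnel_summary(SAMPLE_LOG).items():
        print(f"{conn}: SA {info['sa']} {info['state']} (auth failures: {info['auth_failed']})")
```

Feed it the IPsec log from Status > System Logs to see at a glance which connection name is getting AUTHENTICATION_FAILED while its neighbour establishes.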
-
Sorry, I forgot something:
On a firewall with 2 IPsec links, the second one created works. The first doesn't work anymore.
If I remove the second, the first works again.
-
Hello
More details today.
I found a workaround:
First step: disable all P1 IPsec configuration on each firewall.
Second step: change the P1 lifetime to 1 year (31536000).
Enable conf Site1-Site2 on hardware 1
Enable conf Site1-Site2 on hardware 2
Connection autostart OK.
Enable conf Site1-Site3 on hardware 3
Disable conf Site1-Site2 on hardware 1 => does not close the actual connection!! Leave it working even if you disable the configuration.
Enable conf Site1-Site3 on hardware 1
Connection autostart OK.
Enable conf Site1-Site2 on hardware 1
Now the 2 tunnels are ON on hardware 1
=> apply the same strategy on the 2 other firewalls; all tunnels are working now ...
Not clean, but working for 20 hours now.
Take care:
=> if 1 connection goes down (manually or because of the "lifetime" parameter), you have to do the same steps manually again.
Analysis
All my tests show me that version 2.4.5-1 (initial install 2.4.4-p2, upgraded to 2.4.4p3 a few months ago) isn't able to work with more than 1 tunnel. If you have more than 1 tunnel configuration enabled on a firewall, pfSense can't establish the second tunnel:
Hardware1 - Site1-Site2 conf enabled
          - Site1-Site3 conf enabled
Hardware2 - Site1-Site2 conf enabled
          - Site2-Site3 conf disabled
Hardware3 - Site1-Site3 conf enabled
          - Site2-Site3 conf disabled
=> in this case, hardware2 and 3 have only 1 tunnel enabled, but as hardware1 has two, only 1 tunnel can be established.
As soon as you have more than 1 tunnel configuration enabled, the system can't establish the connection. The main idea is to disable the conf of a tunnel already open; that allows pfSense to open the second tunnel.
=> not very clean but working.
I will try to send this bug to the devs.
Best regards