Netgate Discussion Forum
    pfSense 2.5.0 broke all IPSec VPNs

25 Posts 8 Posters 8.1k Views
• 612brokeaf

I can confirm the exact same issue: no single IPsec tunnel came up after an upgrade from 2.4.5 to 2.5.0; they go to pfSense (2.4.5) and Cisco. It all works fine on 2.4.5. I also suspected peer IDs, but this is pretty simple, they are all:

      My id: my ip address
      Peer id: peer ip address

      I tried manually setting the values to IPs; no joy. What do you suggest to configure then? Please note that I use DNS resolution for all peers, as in the remote g/w is specified as hostname, because some are on dynamic IPs. The resulting Strongswan config looks pretty much the same at first glance, minus formatting, between 2.4.5 and 2.5.0.

      Not that I'm a Cisco fan (not at all), but given the maturity of their implementation, I would say that if it's worked with Cisco for ten plus years the way it was configured, and now it stopped, then is Cisco also misusing key types?

• jimp (Rebel Alliance Developer, Netgate)

        The IP address types are fine, mostly Key ID was the problem. If you aren't using that, then it probably isn't identifiers.

        We'll need a lot more information than "it didn't work" to diagnose it, though. Starting with logs.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

• 612brokeaf @jimp

          @jimp thank you - yes, obviously, logs. Problem is that all I am seeing is:

          no IKE config found for Z.Z.Z.Z...A.A.A.A, sending NO_PROPOSAL_CHOSEN
          

          ...which IIRC is not the same as prop not chosen due to transforms/algos not being accepted; it doesn't even get to that point.

          This is IKEv2 by the way.

• jimp (Netgate)

            Compare the contents of /var/etc/ipsec/swanctl.conf and the output of swanctl --list-conns and see if the contents line up.

            That log must mean that somehow it's not matching the P1. Without more details from the logs it's impossible to say why.


• 612brokeaf @jimp

              @jimp ah, now we're getting somewhere...

              swanctl --list_conns gives me zero output (empty), as if the config was not loaded properly. On 2.4.5 it does.

              There is also a long pause when trying to look up SAs/SPDs under status->IPSec.

• jimp (Netgate)

                Do you get any output from swanctl --load-all --debug ?


• 612brokeaf @jimp

                  @jimp It doesn't like the debug option alone it seems, but otherwise:

                  swanctl --load-all --debug 5
                  created thread 01 [80079e500]
                  started worker thread 01
                  no events, waiting
                  created thread 03 [80079ef00]
                  started worker thread 03
                    watching 7 for reading
                  watcher going to poll() 2 fds
                  no files found matching '/usr/local/etc/swanctl/conf.d/*.conf'
                  created thread 04 [80079f400]
                  started worker thread 04
                  created thread 02 [80079ea00]
                  started worker thread 02
                  watched FD 7 ready to read
                  watcher going to poll() 1 fds
                  watcher got notification, rebuilding
                    watching 7 for reading
                  watcher going to poll() 2 fds
                  watched FD 7 ready to read
                  watcher going to poll() 1 fds
                  watcher got notification, rebuilding
                    watching 7 for reading
                  watcher going to poll() 2 fds
                  watched FD 7 ready to read
                  watcher going to poll() 1 fds
                  watcher got notification, rebuilding
                    watching 7 for reading
                  watcher going to poll() 2 fds
                  no authorities found, 0 unloaded
                  watched FD 7 ready to read
                  watcher going to poll() 1 fds
                  watcher got notification, rebuilding
                    watching 7 for reading
                  watcher going to poll() 2 fds
                  no pools found, 0 unloaded
                  watched FD 7 ready to read
                  watcher going to poll() 1 fds
                  watcher got notification, rebuilding
                    watching 7 for reading
                  no connections found, 0 unloaded
                  watcher going to poll() 2 fds
                  terminated worker thread 01
                  terminated worker thread 03
                  

                  However this is pretty much the same as what I get from the working 2.4.5.

• 612brokeaf @612brokeaf

                    OK - in 2.4.5, in /usr/local/etc/strongswan.conf I have:

                    starter {
                    	load_warning = no
                    	config_file = /var/etc/ipsec/ipsec.conf
                    }
                    

                    While on 2.5.0 I have:

                    starter {
                    	load_warning = no
                    }
                    

                    Would this be it? Or have things been moved around?

• 612brokeaf @612brokeaf

Yeah, I think this isn't getting me anywhere. swanctl --load-conns shows "no connections found" on both 2.4.5 and 2.5.0, so this is probably not where I should be looking.

• jimp (Netgate)

                        2.5.0 does not use starter, it uses swanctl/VICI. That isn't relevant.

What is in your /var/etc/ipsec/swanctl.conf file? You can obscure private info like IP addresses, identifiers, and keys, but leave all the structure and names in place.


• 612brokeaf @A Former User

                          @travisn Sorry to hijack your thread here. But - I think I got something that could also be useful for you. There may be some errors in the config that cause strongswan to fail to load it or parts of it.

                          Try swanctl --list-conns and see if you get a list. If not, try swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1 and see if you get any errors.

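The comparison jimp asks for earlier (swanctl.conf against the output of swanctl --list-conns), repeated in the advice just above, as an added POSIX sh example that is not code from pfSense, strongSwan or anyone in this thread: it lists the connection names defined in a swanctl.conf and flags those the daemon does not report as loaded. The config and swanctl --list-conns output embedded in it are constructed samples; only the path /var/etc/ipsec/swanctl.conf comes from the thread.

```shell
#!/bin/sh
# Added example (not pfSense/strongSwan code): report connections that are
# defined in swanctl.conf but absent from `swanctl --list-conns` output.
# Both inputs below are constructed samples, not a real firewall's config.
SAMPLE_CONF='connections {
    con1 {
        remote_addrs = 198.51.100.20
        children {
            con1_p2 { local_ts = 10.0.1.0/24 }
        }
    }
    con2 {
        remote_addrs = vpn-b.example.net
    }
}
secrets {
    ike-con1 { id = 198.51.100.20 }
}'
SAMPLE_LIST_CONNS='con1: IKEv2, no reauthentication, rekeying every 28800s
  local:  203.0.113.10
  remote: 198.51.100.20'

# conf_conns FILE: names of the direct child sections of "connections".
conf_conns() {
    awk '/\{[[:space:]]*$/ { depth++
             if (depth == 1) top = $1
             else if (depth == 2 && top == "connections") print $1
             next }
         /^[[:space:]]*\}/ { depth-- }' "$1"
}

# loaded_conns: connection names from list-conns output on stdin
# (the unindented "name: ..." lines).
loaded_conns() { awk '/^[^[:space:]]/ { sub(/:.*/, ""); print }'; }

# missing_conns FILE: read list-conns output on stdin, print names not loaded.
missing_conns() {
    loaded=$(loaded_conns)
    for c in $(conf_conns "$1"); do
        printf '%s\n' "$loaded" | grep -qx "$c" || echo "$c"
    done
}

# demo: run the check on the constructed samples (prints "con2").
demo() {
    conf=$(mktemp) && printf '%s\n' "$SAMPLE_CONF" > "$conf"
    printf '%s\n' "$SAMPLE_LIST_CONNS" | missing_conns "$conf"
    rm -f "$conf"
}
demo
```

On a live firewall, pipe the real output in: swanctl --list-conns | missing_conns /var/etc/ipsec/swanctl.conf. Empty list-conns output, as reported earlier in the thread, lists every defined connection as missing, which is the "config not loaded" case rather than a proposal mismatch.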
• A Former User @612brokeaf

@612brokeaf Hey no worries! 😃 I'm just glad I wasn't the only one. I'm going to run through this thread tonight to see if I can get closer. I'm just setting up another 2.4.5-p1 instance in another lab that doesn't have anything else running to try and cut down on the noise.

• A Former User

Well, this is interesting. After installing 2.4.5-p1 in a quieter environment so I could have cleaner logs, I added a single IPSec VPN the same way I set up my other ones. I upgraded to 2.5.0 and the VPN came back up and I was able to access the remote site just fine. I'm going to try re-upgrading my original site to see if I can reproduce it again or if it was just some strange fluke.

• A Former User

Alright, this must have been a strange fluke. I upgraded the original firewall I upgraded this morning and it completed successfully. No idea what happened 🤷

• bbrendon @jimp

                                  @jimp said in pfSense 2.5.0 broke all IPSec VPNs:

                                  On 2.4.x there were some problems with identifiers not using the correct types,

                                  Using IPs instead of distinguished name fixed it for me. Not sure what I'll do when IPs change but I'm up for now.

• A Former User

                                    Alright, I hit another one. I upgraded 3 successfully, the 4th (the one where I wasn't monitoring the console, of course), decided to have the same problem.

                                    Tried what @612brokeaf suggested by running swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1 and didn't get any errors, but my tunnels came right up. Of course it did not survive a reboot but again, no errors. I don't have any pools, so I guess that's a good thing?

At this point, I'm not sure what I should be looking for. There are no errors, no warnings, no light at the end of the tunnel. I'm not going to wipe this one, so if anyone has any further suggestions, I'm open. Otherwise, it seems to be a shot in the dark whether or not IPSec VPNs survive the upgrade.

• vergilis @A Former User

                                      Hi. Just to review. Distinguished names do not work in 2.5 and when changing it to IP address authentication everything works?

• m0nji

I also have problems with my IPsec tunnels after upgrading to 2.5.
I have 5 tunnels which all are not working anymore. An output of

swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1

gave me no clue:
[screenshot]
The only thing which I see in the log is:
[screenshot]
which probably means the key does not match in P1. But they are definitely correct! I also tried to change the keys on both sites with no success.

Right now, the only workaround for me was to recreate the tunnels (P1+P2) with the EXACT SAME settings as before. With that, the first tunnel came up right away. I am also using distinguished name for most of the tunnels.

I wait now for maybe some more hints or instructions to test, before I recreate all the other tunnels.

BTW: is the "status --> ipsec" page for you all that slow? It takes around 10sec before it shows me the status.


• thiagocrepaldi @m0nji

Maybe that helps, but my IPsec tunnel broke after upgrading to pfSense 2.5.0 because the "Peer identifier" was set to Any on both sides. By changing it to "IP address" 0.0.0.0, things got working again.

My IPSec uses dynamic IP on both ends, so I can't use real IPs here.

• 612brokeaf @m0nji

@m0nji said in pfSense 2.5.0 broke all IPSec VPNs:

                                            btw: is the "status --> ipsec" page for you all that slow? it takes around 10sec before it shows me the status.

                                            Yes, same here.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.