Netgate Discussion Forum

    pfSense 2.5.0 broke all IPSec VPNs

    Scheduled Pinned Locked Moved IPsec
    25 Posts 8 Posters 7.7k Views
    • ?
      A Former User
      last edited by

      Alright, this must have been a strange fluke. I upgraded the original firewall I upgraded this morning and it completed successfully. No idea what happened 🤷

      1 Reply Last reply Reply Quote 0
      • B
        bbrendon @jimp
        last edited by

        @jimp said in pfSense 2.5.0 broke all IPSec VPNs:

        On 2.4.x there were some problems with identifiers not using the correct types,

        Using IPs instead of distinguished name fixed it for me. Not sure what I'll do when IPs change but I'm up for now.

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          Alright, I hit another one. I upgraded 3 successfully; the 4th (the one where I wasn't monitoring the console, of course) decided to have the same problem.

          Tried what @612brokeaf suggested by running swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1 and didn't get any errors, but my tunnels came right up. Of course it did not survive a reboot but again, no errors. I don't have any pools, so I guess that's a good thing?

          At this point, I'm not sure what I should be looking for. There's no errors, no warnings, no light at the end of the tunnel. I'm not going to wipe this one so if anyone has any further suggestions, I'm open. Otherwise, it seems to be a shot in the dark whether or not IPSec VPNs survive the upgrade.

          vergilisV 1 Reply Last reply Reply Quote 0
          • vergilisV
            vergilis @A Former User
            last edited by

            Hi. Just to review. Distinguished names do not work in 2.5 and when changing it to IP address authentication everything works?

            1 Reply Last reply Reply Quote 0
            • m0njiM
              m0nji
              last edited by m0nji

              I also have problems with my IPsec tunnels after upgrading to 2.5.
              I have 5 tunnels which all are not working anymore. An output of

              swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1

              gave me no clue
              [image attachment: cf4562bc-84e3-439a-9b8b-0b17b980fd44-image.png]
              The only thing which I see in the log is:
              [image attachment: eb0e638e-2652-4012-98b2-066fec419e3e-image.png]
              which probably means the key does not match in P1, but they are definitely correct! I also tried to change the keys on both sites with no success.

              Right now, the only workaround for me was to recreate the tunnels (P1+P2) with the EXACT SAME settings as before. With that, the first tunnel came up right away. I am also using distinguished name for most of the tunnels.

              I wait now for maybe some more hints or instructions to test, before I recreate all the other tunnels.

              BTW: is the "Status --> IPsec" page for you all that slow? It takes around 10 sec before it shows me the status.

              Intel i3-N305 / 4 x 2.5Gbe LAN @2.7.2-Release
              WAN: Vodafone 1000/50, Telekom 250/40; Switch: USW Enterprise 8 PoE, USW Flex XG, US-8-60W; Wifi: Unifi 6 Lite AP, U6 Mesh

              T 612brokeaf6 2 Replies Last reply Reply Quote 0
              • T
                thiagocrepaldi @m0nji
                last edited by

                Maybe that helps, but my IPsec tunnel broke after upgrading to pfSense 2.5.0 because the "Peer identifier" was set to Any on both sides. By changing it to "IP address" 0.0.0.0, things got working again.

                My IPsec uses dynamic IPs on both ends, so I can't use real IPs here.

                ? 1 Reply Last reply Reply Quote 0
                • 612brokeaf6
                  612brokeaf @m0nji
                  last edited by

                  @m0nji said in pfSense 2.5.0 broke all IPSec VPNs:

                  btw: is the "status --> ipsec" page for you all that slow? it takes around 10sec before it shows me the status.

                  Yes, same here.

                  1 Reply Last reply Reply Quote 1
                  • ?
                    A Former User @thiagocrepaldi
                    last edited by

                    @thiagocrepaldi I have it set to "IP Address". It's like that on all of my firewalls, so it's strange that out of 5 upgrades, 2 failed (1 done twice).

                    1 Reply Last reply Reply Quote 0
                    • C
                      cliobrando
                      last edited by cliobrando

                      Same problem here, but I cannot make it work. I have deleted all the config and created a single phase 1 using the same configuration that worked in 2.4.5-p1:

                      EDIT: Never mind, erasing everything and starting from zero fixed the problem.

                      Thanks!

                      1 Reply Last reply Reply Quote 2
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by jimp

                        Seems there are several issues here all getting confused.

                        • Identifier issues with "Distinguished Name" (which is a bug -- see https://redmine.pfsense.org/issues/11442 -- for a quick workaround, apply the patch there or just set your IDs to KeyID in the meantime)
                        • Identifier issues from incorrect use of Key ID in the past (which fell back to automatic guessing at the type, so may not now match a remote not set specifically to Key ID) -- To fix this, set the right ID type and value on both sides to match
                        • Configuration issues where the configuration is failing to load (with errors)
                        • Tunnels loading but not connecting
                        • Other things that haven't yet been identified

                        Having one thread for all of this is a giant mess that's hard to follow. It's better for the moment if everyone makes their own thread here in the IPsec category and includes as much detail as possible.

                        If someone else does have a thread for the exact same root issue then you can combine those threads, but this one is far too generic to be useful.

                        For those of you who say re-creating the tunnel worked, be sure to grab the config.xml and compare before/after as well as /var/etc/ipsec/swanctl.conf -- something must be different if it suddenly started working, and if it's something done by the upgrade process then we can identify and fix it.

                        For troubleshooting, first apply patches to fix known issues which have already been resolved:

                        • ead6515637a34ce6e170e2d2b0802e4fa1e63a00 #11435
                        • 57beb9ad8ca11703778fc483c7cba0f6770657ac #11435
                        • 10eb04259fd139c62e08df8de877b71fdd0eedc8 #11442
                        • ded7970ba57a99767e08243103e55d8a58edfc35 #11486
                        • afffe759c4fd19fe6b8311196f4b6d5e288ea4fb #11487
                        • 2fe5cc52bd881ed26723a81e0eed848fd505fba6 #11488

                        After that, edit/save/apply an IPsec tunnel, then stop and start (not restart) the IPsec daemon, or reboot instead.

                        If problems persist, do the following:

                        • Edit/save a tunnel
                        • Apply changes
                        • Go to Status > Services and stop, then start the IPsec service (don't click restart)
                        • Go to Status > IPsec on one end and attempt to initiate the tunnel if it doesn't come up automatically.

                        If it works, great. If not:

                        • Run swanctl --list-conns to see what the IPsec daemon loaded for the connections
                        • Run swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1 and see if it reports any problems
                        • Get the config from /var/etc/ipsec/swanctl.conf
                        • Get the most recent logs from both sides

                        With that in hand, check for an existing thread which matches the symptoms exactly. If one exists, post there. If there isn't one, create one.

                        Locking this so it doesn't keep growing and making things more confusing.

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 6
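                        The advice above boils down to two checks: pull /var/etc/ipsec/swanctl.conf from both ends and make sure the identifier on each side is the same type and value as what the peer expects, since an untyped ID that strongSwan used to guess (the old Key ID fallback) no longer matches a peer that sends an explicit type. The script below is an added example for doing that comparison offline; it is not pfSense or strongSwan code. It assumes only the brace-delimited "section { key = value }" syntax of swanctl.conf and approximates strongSwan's typing of an identity without an explicit "type:" prefix (IP address, then distinguished name if it contains "=", then email if it contains "@", else FQDN); the two configs embedded in it are constructed samples, and the function names are the example's own.

```python
"""Cross-check IKE identifiers between two swanctl.conf files (added example).

Not pfSense or strongSwan code. Assumes the swanctl.conf "section { key = value }"
syntax and approximates strongSwan's identity typing; SITE_A / SITE_B are
constructed samples, not captures from a real firewall.
"""
import ipaddress

# Explicit identity-type prefixes strongSwan accepts in an id value, e.g. "keyid:site-a".
TYPED_PREFIXES = {"ipv4", "ipv6", "fqdn", "dns", "email", "userfqdn", "rfc822",
                  "keyid", "asn1dn", "asn1gn", "xmppaddr"}


def parse_swanctl(text):
    """Parse swanctl.conf syntax into nested dicts; '#' starts a comment."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):                      # open a nested section
            section = {}
            cur[line[:-1].strip()] = section
            stack.append(cur)
            cur = section
        elif line == "}":                           # close the current section
            cur = stack.pop()
        elif "=" in line:                           # key = value, optionally quoted
            key, _, val = line.partition("=")
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            cur[key.strip()] = val
        else:
            raise ValueError("unparseable line: %r" % raw)
    if stack:
        raise ValueError("unbalanced braces in config")
    return root


def id_type(ident):
    """Approximate the type strongSwan assigns to an id value.

    An explicit "type:" prefix wins; otherwise the type is guessed from the
    string, which is the "automatic guessing" that makes untyped IDs fragile.
    """
    if ident in ("", "%any"):
        return "any"
    prefix, sep, _ = ident.partition(":")
    if sep and prefix.lower() in TYPED_PREFIXES:
        return prefix.lower()
    try:
        return "ipv%d" % ipaddress.ip_address(ident).version
    except ValueError:
        pass
    if "=" in ident:
        return "asn1dn"          # looks like an X.501 distinguished name
    if "@" in ident:
        return "email"           # user FQDN / RFC822 address
    return "fqdn"


def connection_ids(cfg):
    """Return {conn_name: (local_id, remote_id)}; an omitted id is treated as %any here."""
    return {name: (conn.get("local", {}).get("id", "%any"),
                   conn.get("remote", {}).get("id", "%any"))
            for name, conn in cfg.get("connections", {}).items()}


def check_peer_ids(cfg_a, conn_a, cfg_b, conn_b):
    """List identifier problems for one tunnel: A's local id must match B's
    remote id in both type and value, and vice versa. Empty list means OK."""
    a_local, a_remote = connection_ids(cfg_a)[conn_a]
    b_local, b_remote = connection_ids(cfg_b)[conn_b]
    problems = []
    for side, mine, theirs in (("A local/B remote", a_local, b_remote),
                               ("B local/A remote", b_local, a_remote)):
        if id_type(theirs) == "any":
            continue                                # peer accepts any identity
        if id_type(mine) != id_type(theirs):
            problems.append("%s: type %s vs %s" % (side, id_type(mine), id_type(theirs)))
        elif mine != theirs:
            problems.append("%s: value %r vs %r" % (side, mine, theirs))
    return problems


# Constructed sample: site A sends an explicit Key ID, site B still expects an
# untyped "site-a", which is guessed as an FQDN and therefore never matches.
SITE_A = """\
connections {
    con1000 {
        version = 2
        local_addrs = 192.0.2.1
        remote_addrs = 203.0.113.7
        local {
            auth = psk
            id = keyid:site-a
        }
        remote {
            auth = psk
            id = 203.0.113.7
        }
    }
}
"""
SITE_B = SITE_A.replace("local_addrs = 192.0.2.1", "local_addrs = 203.0.113.7") \
               .replace("remote_addrs = 203.0.113.7", "remote_addrs = 192.0.2.1") \
               .replace("id = keyid:site-a", "id = 203.0.113.7", 1) \
               .replace("""            auth = psk
            id = 203.0.113.7
        }
    }""", """            auth = psk
            id = site-a
        }
    }""")
SITE_B_FIXED = SITE_B.replace("id = site-a", "id = keyid:site-a")  # typed on both sides

if __name__ == "__main__":
    a = parse_swanctl(SITE_A)
    for label, text in (("as written", SITE_B), ("after fix", SITE_B_FIXED)):
        print(label, check_peer_ids(a, "con1000", parse_swanctl(text), "con1000") or "identifiers match")
```

                        Run it with the real files copied from both firewalls in place of SITE_A and SITE_B; a reported type mismatch on a tunnel that "used to work" is exactly the Key ID fallback case described above, and the fix is to set the same explicit ID type and value on both sides rather than to recreate the tunnel.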
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.