Is IPSEC fixed in 2.3.1_1? Does it work for you?



  • Hi,
    I'm one of the people who foolishly upgraded to 2.3 without testing.
As far as I could tell, in 2.3 site-to-site IPSEC was simply broken. There are threads here which go into detail: https://forum.pfsense.org/index.php?topic=109908.0

The change logs for 2.3.1 and 2.3.1_1 mention several IPSEC issues as fixed, and my limited lab testing shows IPSEC largely behaving as advertised... but I remain suspicious.
    Can anyone else share their experience? Does this latest update remove all the IPSEC gremlins?



  • It hasn't been widely broken in any 2.3.x release version.

    The PFKEY issue in the linked thread isn't common, but is fixed in 2.3.1 (and 2.3.1_1), and had manual fix instructions there since very shortly after 2.3.0 release.

Some people with certain mobile IPsec configs needed to enable Unity post-upgrade (as noted in the upgrade notes), since we switched to disabling it by default: it isn't really appropriate as a default, and it caused issues with site-to-site VPNs to Cisco devices more than it helped anything.

    There was an "interface crash"/"LAN dies" issue in 2.3.0, where multiple UDP streams and IPsec could kill most or all traffic on an internal interface. The vast majority never hit the condition, but it was annoying for those that did. That's definitely fixed in 2.3.1 though.

    All IPsec-related changes outside of that fixed problems existing in 2.2.x and have not seen any regressions.

    I'm not aware of any IPsec issues in 2.3.1_1.



  • I'm waiting for Strongswan 5.4.1. I have a vanilla IKEv2 config that is currently broken receiving packets, so I fell back to OpenVPN till then. The special caveats are NAT-T behind a Comcast dynamic IP business line and semi-functional IPv6.

    IPsec pass through is working and IKEv2 clients in Win7, OS X and iOS are functional behind the same pfSense device.

    # This file is automatically generated. Do not edit
    config setup
    	uniqueids = yes
    
    conn con1
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = no
    	forceencaps = yes
    	mobike = yes
    
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = restart
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = route
    	left = 10.1.10.10
    	right = hyolee.example.com
    	leftid = fqdn:ridgefield.example.com
    	ikelifetime = 3600s
    	lifetime = 1200s
    	ike = aes128-sha256-modp2048!
    	esp = aes128-sha256-modp2048!
    	leftauth = psk
    	rightauth = psk
    	rightid = fqdn:hyolee.example.com
    	rightsubnet = 10.36.0.0/16
    	leftsubnet = 10.208.0.0/24
    

    All the upgrade problems I have experienced so far have been user error in the configuration, so idk.  ;D



  • @MrMoo:

    I'm waiting for Strongswan 5.4.1

    Got a reference to a strongswan bug ticket?



  • I'm hoping just this one:  https://wiki.strongswan.org/issues/1416



  • @MrMoo:

    I'm hoping just this one:  https://wiki.strongswan.org/issues/1416

    Oh, so referencing the client side I guess. That doesn't have any relation to anything we do with strongswan within pfsense.



  • @cmb:

    It hasn't been widely broken in any 2.3x release version.

    The PFKEY issue in the linked thread isn't common, but is fixed in 2.3.1 (and 2.3.1_1), and had manual fix instructions there since very shortly after 2.3.0 release.

    @cmb:

    I'm not aware of any IPsec issues in 2.3.1_1.

And here I was thinking it was definitely still in a broken state. I am on 2.3.1_1.
    What is the fix for the PF_KEY issue? Turning up the sysctl values? I have done that but still get the same errors. I shouldn't need to even do that since the fix is in 2.3.1_1, right?

    [2.3.1-RELEASE][admin@fwslc.alignbi.local]/root: cat /etc/version
    2.3.1-RELEASE
    [2.3.1-RELEASE][admin@fwslc.alignbi.local]/root: sysctl -a | grep net | grep raw
    net.inet.raw.recvspace: 131072
    net.inet.raw.maxdgram: 131072
    net.raw.recvspace: 1048576
    net.raw.sendspace: 2097152

    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to delete SAD entry with SPI ca856e2c
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> deleting SPI allocation SA failed
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to add SAD entry with SPI ca856e2c
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to add SAD entry with SPI d7596024
    Jun 21 18:05:34 fwslc charon: 08[IKE] <con1000|109> unable to install inbound and outbound IPsec SA (SAD) in kernel
    Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available


    My three tunnels remain down. They were up before the upgrade. One of the tunnels connects to AWS and uses BGP. I have turned on the Unity plugin. Not sure what else there is to do.
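As an added example, not code from this thread, from pfSense or from strongSwan: a small POSIX shell triage script for the PF_KEY "No buffer space available" symptom quoted in the post above. It scans charon log lines for the failed PF_KEY sends, lists the SPIs whose SAD entries could not be installed and the connections affected, and reads the raw-socket sysctl values out of captured `sysctl -a` output rather than calling `sysctl` itself, so it runs anywhere. The sample log and sysctl text are constructed from the lines posted in the thread; the buffer threshold passed to `raw_recvspace_at_least` is the caller's choice, and nothing here claims what value pfSense needs.

```shell
#!/bin/sh
# Added example, not code from the thread, pfSense or strongSwan: triage the
# PF_KEY "No buffer space available" symptom from charon log lines and read
# the raw-socket sysctl values out of captured `sysctl -a` output.

# Constructed sample: the charon lines quoted in the thread, with the usual
# "<conn|ike-sa-id> " spacing that the forum's HTML rendering swallowed.
SAMPLE_LOG='Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to delete SAD entry with SPI ca856e2c
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> deleting SPI allocation SA failed
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to add SAD entry with SPI ca856e2c
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> unable to add SAD entry with SPI d7596024
Jun 21 18:05:34 fwslc charon: 08[IKE] <con1000|109> unable to install inbound and outbound IPsec SA (SAD) in kernel
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109> error sending to PF_KEY socket: No buffer space available'

# Constructed sample: the sysctl values posted in the thread.
SAMPLE_SYSCTL='net.inet.raw.recvspace: 131072
net.inet.raw.maxdgram: 131072
net.raw.recvspace: 1048576
net.raw.sendspace: 2097152'

# Number of PF_KEY sends that failed with ENOBUFS.
count_pfkey_errors() {
    printf '%s\n' "$1" | grep -c 'error sending to PF_KEY socket: No buffer space available'
}

# Distinct SPIs whose SAD entry could not be installed, space separated.
failed_spis() {
    printf '%s\n' "$1" \
        | sed -n 's/.*unable to add SAD entry with SPI \([0-9a-f][0-9a-f]*\).*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Distinct connection names (the "<conN|id>" tag) that hit a PF_KEY error.
affected_conns() {
    printf '%s\n' "$1" \
        | grep 'PF_KEY socket' \
        | sed -n 's/.*<\([^|>]*\)|[0-9]*>.*/\1/p' \
        | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Read one sysctl value from captured `sysctl -a` text (empty if absent).
# The name is anchored at line start, so net.raw.recvspace does not match
# net.inet.raw.recvspace.
sysctl_value() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# Succeed when net.raw.recvspace is at least $2 bytes. The threshold is the
# caller's choice; this does not assert what value pfSense requires.
raw_recvspace_at_least() {
    val=$(sysctl_value "$1" net.raw.recvspace)
    if [ -n "$val" ] && [ "$val" -ge "$2" ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: summarise the constructed sample.
printf 'PF_KEY ENOBUFS errors: %s\n' "$(count_pfkey_errors "$SAMPLE_LOG")"
printf 'SAD installs failed for SPIs: %s\n' "$(failed_spis "$SAMPLE_LOG")"
printf 'Affected connections: %s\n' "$(affected_conns "$SAMPLE_LOG")"
printf 'net.raw.recvspace: %s\n' "$(sysctl_value "$SAMPLE_SYSCTL" net.raw.recvspace)"
```

On a real box, feed it `clog /var/log/ipsec.log` (or the IPsec log from the GUI) and the output of `sysctl -a` instead of the constructed samples; a non-zero ENOBUFS count alongside "unable to install inbound and outbound IPsec SA" lines is the signature of the PF_KEY problem discussed in the thread, as opposed to a proposal mismatch or authentication failure, which log differently.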