Is IPSEC fixed in 2.3.1_1? Does it work for you?
-
Hi,
I'm one of the people who foolishly upgraded to 2.3 without testing.
As far as I could tell in 2.3 site-to-site IPSEC was simply broken. There are threads here which go into detail: https://forum.pfsense.org/index.php?topic=109908.0
The change logs for 2.3.1 & V2.3.1_1 mention several IPSEC issues fixed, and my limited lab testing shows IPSEC largely behaving as advertised... but I remain suspicious.
Can anyone else share their experience? Does this latest update remove all the IPSEC gremlins?
-
It hasn't been widely broken in any 2.3x release version.
The PFKEY issue in the linked thread isn't common, but is fixed in 2.3.1 (and 2.3.1_1), and had manual fix instructions there since very shortly after 2.3.0 release.
Some people with certain mobile IPsec configs needed to enable Unity post-upgrade (as noted in the upgrade notes) since we switched to disabling it by default, since it isn't really appropriate by default and it caused issues with site to site VPNs to Cisco devices more than it helped anything.
There was an "interface crash"/"LAN dies" issue in 2.3.0, where multiple UDP streams and IPsec could kill most or all traffic on an internal interface. The vast majority never hit the condition, but it was annoying for those that did. That's definitely fixed in 2.3.1 though.
All IPsec-related changes outside of that fixed problems existing in 2.2.x and have not seen any regressions.
I'm not aware of any IPsec issues in 2.3.1_1.
-
I'm waiting for Strongswan 5.4.1, I have a vanilla IKEv2 config that is currently broken receiving packets so I fell back to OpenVPN till then. The special caveats are NAT-T behind a Comcast dynamic IP business line and semi-functional IPv6.
IPsec pass through is working and IKEv2 clients in Win7, OS X and iOS are functional behind the same pfSense device.
# This file is automatically generated. Do not edit
config setup
        uniqueids = yes

conn con1
        fragmentation = yes
        keyexchange = ikev2
        reauth = no
        forceencaps = yes
        mobike = yes
        rekey = yes
        installpolicy = yes
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = 10.1.10.10
        right = hyolee.example.com
        leftid = fqdn:ridgefield.example.com
        ikelifetime = 3600s
        lifetime = 1200s
        ike = aes128-sha256-modp2048!
        esp = aes128-sha256-modp2048!
        leftauth = psk
        rightauth = psk
        rightid = fqdn:hyolee.example.com
        rightsubnet = 10.36.0.0/16
        leftsubnet = 10.208.0.0/24
All the upgrade problems I have experienced so far have been user error in the configuration, so idk. ;D
-
-
I'm hoping just this one: https://wiki.strongswan.org/issues/1416
-
I'm hoping just this one: https://wiki.strongswan.org/issues/1416
Oh, so referencing the client side I guess. That doesn't have any relation to anything we do with strongswan within pfsense.
-
@cmb:
It hasn't been widely broken in any 2.3x release version.
The PFKEY issue in the linked thread isn't common, but is fixed in 2.3.1 (and 2.3.1_1), and had manual fix instructions there since very shortly after 2.3.0 release.
@cmb:
I'm not aware of any IPsec issues in 2.3.1_1.
And here I was thinking it was definitely still in a broken state. I am on 2.3.1_1.
What is the fix for the PFKEY issue? Turning up the sysctl values? I have done that but still get the same errors. I shouldn't need to even do that since the fix is in 2.3.1_1, right?

[2.3.1-RELEASE][admin@fwslc.alignbi.local]/root: cat /etc/version
2.3.1-RELEASE
[2.3.1-RELEASE][admin@fwslc.alignbi.local]/root: sysctl -a | grep net | grep raw
net.inet.raw.recvspace: 131072
net.inet.raw.maxdgram: 131072
net.raw.recvspace: 1048576
net.raw.sendspace: 2097152

Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>unable to delete SAD entry with SPI ca856e2c
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>deleting SPI allocation SA failed
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>error sending to PF_KEY socket: No buffer space available
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>unable to add SAD entry with SPI ca856e2c
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>error sending to PF_KEY socket: No buffer space available
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>unable to add SAD entry with SPI d7596024
Jun 21 18:05:34 fwslc charon: 08[IKE] <con1000|109>unable to install inbound and outbound IPsec SA (SAD) in kernel
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>error sending to PF_KEY socket: No buffer space available
My three tunnels remain down. They were up before the upgrade. One of the tunnels connects to AWS and uses BGP. I have turned on the Unity plugin. Not sure what else there is to do.
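As an added example (not code from the post, pfSense or strongSwan), a small Python triage of charon log lines like the ones quoted in the post above: it counts the PF_KEY "No buffer space available" errors, lists the SPIs whose SAD entry could not be added or deleted, and names the IKE_SAs left without kernel SAs, which gives a quick yes/no on whether the PFKEY condition is still occurring after changing the sysctls. The line format is taken from the post; the sample lines are constructed from it.

```python
import re
from collections import Counter

# Shape of a charon syslog line as quoted in the post (the space after the
# <conn|id> tag is optional because the forum copy dropped it).
CHARON_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] <(?P<conn>[^|>]+)\|(?P<ike_id>\d+)> ?(?P<msg>.*)$"
)
PFKEY_ENOBUFS = "error sending to PF_KEY socket: No buffer space available"
SPI_RE = re.compile(r"\bSPI ([0-9a-f]{8})\b")

# Constructed sample, modelled on the lines in the post (plus one unrelated line).
SAMPLE_LOG = """\
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>unable to delete SAD entry with SPI ca856e2c
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>deleting SPI allocation SA failed
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>error sending to PF_KEY socket: No buffer space available
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>unable to add SAD entry with SPI ca856e2c
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>error sending to PF_KEY socket: No buffer space available
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>unable to add SAD entry with SPI d7596024
Jun 21 18:05:34 fwslc charon: 08[IKE] <con1000|109>unable to install inbound and outbound IPsec SA (SAD) in kernel
Jun 21 18:05:34 fwslc charon: 08[KNL] <con1000|109>error sending to PF_KEY socket: No buffer space available
Jun 21 18:05:35 fwslc sshd[1234]: Accepted publickey for admin from 10.1.10.5
""".splitlines()

def parse_charon_line(line):
    """Return the fields of one charon log line as a dict, or None if it is not a charon line."""
    m = CHARON_LINE.match(line.strip())
    return m.groupdict() if m else None

def triage_pfkey(lines):
    """Summarise PF_KEY ENOBUFS symptoms across a batch of log lines; non-charon lines are skipped."""
    enobufs, per_ike_sa = 0, Counter()
    failed_spis, broken_ike_sas = set(), set()
    for line in lines:
        rec = parse_charon_line(line)
        if rec is None:
            continue
        msg, key = rec["msg"], f'{rec["conn"]}|{rec["ike_id"]}'
        if PFKEY_ENOBUFS in msg:                       # the kernel refused the PF_KEY message
            enobufs += 1
            per_ike_sa[key] += 1
        elif msg.startswith(("unable to add SAD entry", "unable to delete SAD entry")):
            spi = SPI_RE.search(msg)                   # which CHILD_SA the failure hit
            if spi:
                failed_spis.add(spi.group(1))
        elif msg.startswith("unable to install inbound and outbound IPsec SA"):
            broken_ike_sas.add(key)                    # tunnel is up in IKE but has no kernel SAs
    return {"pfkey_enobufs": enobufs, "failed_spis": sorted(failed_spis),
            "ike_sas_without_kernel_sa": sorted(broken_ike_sas),
            "enobufs_per_ike_sa": dict(per_ike_sa)}

if __name__ == "__main__":
    print(triage_pfkey(SAMPLE_LOG))
```

On a live box the same function can be fed the output of `clog /var/log/ipsec.log` (or the IPsec log tab export) to see whether any ENOBUFS lines remain after the sysctl change.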