PfSense 2.3.2 - problem with multiple phase2 in one connection
-
I have problem with ipsec - i have scenario:
remote VPN - StrongSWAN 5.3.3 on openwrt - connections in ipsec.conf:
conn general keyexchange=ikev2 right=31.XXX.XXX.XXX left=193.XXX.XXX.XXX authby=secret esp=aes256-sha1 ike=aes256-sha1-modp1536 keylife=8h ikelifetime=24h conn general_net1 rightsubnet=192.168.XXX.XXX/32 leftsubnet=193.XXX.XXX.XXX/26 also=general auto=route conn general_net2 rightsubnet=192.168.XXX.XXX/32 leftsubnet=192.168.XXX.XXX/21 also=general auto=route conn general_net3 rightsubnet=192.168.XXX.XXX/32 leftsubnet=172.XXX.XXX.XXX/22 also=general auto=route
on pf sense i made via web one connection between IPSec endpoints and in this connection phase 2 for everyone pair of addresses (as shown above).
When configuration is applied first traffic brig up phase1 and one of phase2 what is first, other are not initiated - in status i see always only one phase2 - active.
Traffic for second phase2 makes that pfsense replaces SA for this ISAKMP - should be active two SA but active is only one - with the newest traffic.I see that can be a problem how pfsense make config file for ipsec - it connects all IpsecSA in one SA - generated file on my pfSense:
conn con1 fragmentation = yes keyexchange = ikev2 reauth = yes forceencaps = no mobike = no rekey = yes installpolicy = yes type = tunnel dpdaction = restart dpddelay = 10s dpdtimeout = 60s auto = route left = 193.XXX.XXX.XXX right = 31.XXX.XXX.XXX leftid = 193.XXX.XXX.XXX ikelifetime = 86400s lifetime = 28800s ike = aes256-sha1-modp1536! esp = aes256-sha1, [...] leftauth = psk rightauth = psk rightid = 31.XXX.XXX.XXX rightsubnet = 192.XXX.XXX.XXX leftsubnet = 172.XXX.XXX.XXX/22,192.XXX.XXX.XXX/21,193.XXX.XXX.XXX/26
i think that pfSense should produce new conn in file for every SA
-
To me that looks like a problem with the way the DDWRT is configuring itself.
Try enabling Split Connections on the IKEv2 Phase 1 on the pfSense side.
-
Config on my side - openwrt was made by me - i prefer to make networks as separate SA because managing is for me better.
Split connection is ok - after this works well but in status is strange. - attached status.
The main connection is as disconnected but appear new without name and this new have SA .