PfSense 2.3.2 - problem with multiple phase2 in one connection



  • I have a problem with IPsec. My scenario:

    remote VPN: strongSwan 5.3.3 on OpenWrt, connections in ipsec.conf:

    conn general
            keyexchange=ikev2
            right=31.XXX.XXX.XXX
            left=193.XXX.XXX.XXX
            authby=secret
            esp=aes256-sha1
            ike=aes256-sha1-modp1536
            keylife=8h
            ikelifetime=24h
    
    conn general_net1
            rightsubnet=192.168.XXX.XXX/32
            leftsubnet=193.XXX.XXX.XXX/26
            also=general
            auto=route
    
    conn general_net2
            rightsubnet=192.168.XXX.XXX/32
            leftsubnet=192.168.XXX.XXX/21
            also=general
            auto=route
    
    conn general_net3
            rightsubnet=192.168.XXX.XXX/32
            leftsubnet=172.XXX.XXX.XXX/22
            also=general
            auto=route
    
    

    On pfSense I made, via the web GUI, one connection between the IPsec endpoints, and in this connection a phase 2 for every pair of addresses (as shown above).

    When the configuration is applied, the first traffic brings up phase 1 and whichever phase 2 comes first; the others are not initiated. In the status I always see only one phase 2 active.
    Traffic for the second phase 2 makes pfSense replace the SA for this ISAKMP; two SAs should be active, but only one is, the one with the newest traffic.

    I see that the problem can be how pfSense makes the config file for IPsec: it puts all IPsec SAs in one SA. Generated file on my pfSense:

    
    conn con1
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = no
    
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = restart
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = route
    	left = 193.XXX.XXX.XXX
    	right = 31.XXX.XXX.XXX
    	leftid = 193.XXX.XXX.XXX
    	ikelifetime = 86400s
    	lifetime = 28800s
    	ike = aes256-sha1-modp1536!
    	esp = aes256-sha1, [...]
    	leftauth = psk
    	rightauth = psk
    	rightid = 31.XXX.XXX.XXX
    	rightsubnet = 192.XXX.XXX.XXX
    	leftsubnet = 172.XXX.XXX.XXX/22,192.XXX.XXX.XXX/21,193.XXX.XXX.XXX/26
    
    

    I think that pfSense should produce a new conn in the file for every SA.
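    As an added example (not code from the thread, from pfSense or from strongSwan): a small Python script that does what the poster did by hand on the OpenWrt side, turning a single multi-subnet conn like the pfSense-generated one into one child conn per subnet pair, with the shared IKE settings in a parent conn pulled in via also=. The addresses are constructed placeholders.

```python
import re
from itertools import product

# Constructed sample (not the poster's real file): the shape of the single
# conn pfSense generated, with placeholder addresses instead of the XXX ones.
PFSENSE_CONF = """conn con1
\tkeyexchange = ikev2
\tauto = route
\tleft = 193.0.2.1
\tright = 31.0.2.2
\tleftauth = psk
\trightauth = psk
\trightsubnet = 192.0.2.3/32
\tleftsubnet = 172.16.0.0/22,192.168.8.0/21,193.0.2.0/26
"""

def parse_conn(text):
    """Parse a single 'conn NAME' block into (name, {key: value})."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    m = re.match(r"conn\s+(\S+)$", lines[0])
    if not m:
        raise ValueError("expected a 'conn NAME' header line")
    opts = {}
    for line in lines[1:]:
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed option line: {line!r}")
        opts[key.strip()] = value.strip()
    return m.group(1), opts

def split_conn(name, opts):
    """Emit one child conn per (leftsubnet, rightsubnet) pair; each child
    carries only its own traffic selectors plus 'auto' and references the
    parent via also=, exactly like the general/general_netN layout above."""
    lefts = [s for s in opts.get("leftsubnet", "").replace(" ", "").split(",") if s]
    rights = [s for s in opts.get("rightsubnet", "").replace(" ", "").split(",") if s]
    # The parent keeps the shared settings only. It has no 'auto', so strongSwan's
    # default (ignore) applies and it is never loaded as a connection of its own.
    parent = {k: v for k, v in opts.items() if k not in ("leftsubnet", "rightsubnet", "auto")}
    child_auto = opts.get("auto", "route")
    out = [f"conn {name}"] + [f"\t{k} = {v}" for k, v in parent.items()]
    for i, (l, r) in enumerate(product(lefts, rights), start=1):
        out += ["", f"conn {name}_net{i}", f"\tleftsubnet = {l}",
                f"\trightsubnet = {r}", f"\tauto = {child_auto}", f"\talso = {name}"]
    return "\n".join(out) + "\n"

def conn_names(text):
    """Names of all conn sections in an ipsec.conf fragment, in file order."""
    return re.findall(r"^conn\s+(\S+)", text, flags=re.MULTILINE)
```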


  • Netgate

    To me that looks like a problem with the way the DDWRT is configuring itself.

    Try enabling Split Connections on the IKEv2 Phase 1 on the pfSense side.



  • The config on my side (OpenWrt) was made by me; I prefer to make the networks separate SAs because managing them is better for me.

    Split Connections is OK; after this it works well, but the status is strange (status attached).

    The main connection appears as disconnected, but a new one appears without a name, and this new one has the SA.