PfSense v2.3.2, multiple P2 connections, partial drops and GUI inconsistencies
Hi all!
We have an IPsec connection into our customer's network. They are geographically distributed, so we have 3 Phase 1 connections and several P2 connections, depending on which subnet we need access to for a given project.
We share these tunnels with one of our new branch offices, which routes the traffic via our network connection (the customer only allows our head office WAN IP address for the moment). The branch connects to our network using OpenVPN and subnets are pushed accordingly.
The client is using a Cisco ASA 5500 series gateway; we're using pfSense 2.3.2-RELEASE.
Issue 1: Partial drops
Part of the issue we are seeing is that we've had to duplicate all of the P2 connections: one for our LAN subnet(s), one for the branch subnet. (I suppose I could expand the "Local Network" to include both, but the subnets would be huge.) This leads us to having 14 P2 connections for the 7 subnets we're trying to access.
Head Office Network = 10.2.0.0
Branch Office Network = 10.4.0.0
P2 - Part 1: 10.2.0.0/16 -> 172.59.31.0/24
P2 - Part 2: 10.4.0.0/16 -> 172.59.31.0/24
Sometimes one of these will drop out, meaning that the branch office can access the customer's network, but we can't, or vice versa.
I found that if I rearranged the list of the P2 connections, some would start working again whilst others would drop after 10 minutes or so, mainly the first few connections in the list would be fine and we'd have issues with the rest.
Issue 2: GUI shows SA entries incorrectly
The Status->IPsec->Overview page shows that "10.4.0.0/16 -> 172.59.31.0/24" is connected, but not our main network, i.e. there is no reference to "10.2.0.0/16 -> 172.59.31.0/24" even though we are accessing their network without issues.
Shouldn't both P2 connections be shown?
Partial Fixes:
In order to work around Issue 1, I've enabled "IP Compression" (just to save a bit of bandwidth) and "Cisco Extensions" (never enabled before, but thought it could help), and also changed the following setting in the /var/etc/ipsec/strongswan.d/charon.conf file
# Maximum number of half-open IKE_SAs for a single peer IP.
block_threshold = 20
from the default of 5 to 20.
I was wondering if this last part could explain the "having to re-order the P2 connections". Either way, I've changed too many things to find out what it could be specifically, but we seem to be stable for the moment.
Any thoughts/comments welcome.
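As an added example (not part of the original post, and not pfSense or strongSwan code), the following script does the check the poster is doing by eye: it compares the list of Phase 2 selector pairs you expect to be up against the CHILD_SAs strongSwan reports as INSTALLED, and lists any expected pair that has no installed SA. It assumes the line layout of strongSwan's `ipsec statusall` output (CHILD_SAs printed as `name{id}:  INSTALLED, ...` followed by a `name{id}:   local === remote` line); the status text below is a constructed sample, not captured from a real system.

```python
import re
from typing import List, Set, Tuple

# Expected Phase 2 pairs (local, remote), as in the post: each remote subnet gets
# one P2 for the head office range and one for the branch range.
EXPECTED_P2: List[Tuple[str, str]] = [
    ("10.2.0.0/16", "172.59.31.0/24"),
    ("10.4.0.0/16", "172.59.31.0/24"),
]

# Constructed sample of `ipsec statusall` output (assumed format, not real data).
# Only the CHILD_SA lines (name{id}: ...) matter for this check; the IKE_SA
# lines use name[id] and are ignored.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
      con1[4]: ESTABLISHED 47 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.5[198.51.100.5]
      con1[4]: IKEv1 SPIs: 1111111111111111_i* 2222222222222222_r, rekeying in 6 hours
      con1000{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
      con1000{7}:  AES_CBC_256/HMAC_SHA1_96, 1024 bytes_i, 2048 bytes_o, rekeying in 40 minutes
      con1000{7}:   10.4.0.0/16 === 172.59.31.0/24
      con1001{8}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c0000003_i c0000004_o
      con1001{8}:   10.2.0.0/16 === 172.59.32.0/24
"""

# State line of a CHILD_SA, e.g. "con1000{7}:  INSTALLED, TUNNEL, ..."
CHILD_STATE_RE = re.compile(r"^\s*(?P<con>\S+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+),")
# Traffic selector line of a CHILD_SA, e.g. "con1000{7}:   10.4.0.0/16 === 172.59.31.0/24"
# (simplification: one local and one remote selector per line).
CHILD_TS_RE = re.compile(r"^\s*(?P<con>\S+)\{(?P<id>\d+)\}:\s+(?P<local>\S+) === (?P<remote>\S+)\s*$")


def installed_selectors(status_text: str) -> Set[Tuple[str, str]]:
    """Return the (local, remote) selector pairs of CHILD_SAs in state INSTALLED."""
    installed_ids = set()
    for line in status_text.splitlines():
        m = CHILD_STATE_RE.match(line)
        if m and m.group("state") == "INSTALLED":
            installed_ids.add((m.group("con"), m.group("id")))
    selectors = set()
    for line in status_text.splitlines():
        m = CHILD_TS_RE.match(line)
        if m and (m.group("con"), m.group("id")) in installed_ids:
            selectors.add((m.group("local"), m.group("remote")))
    return selectors


def missing_p2(expected: List[Tuple[str, str]], status_text: str) -> List[Tuple[str, str]]:
    """List the expected P2 pairs that currently have no INSTALLED CHILD_SA."""
    have = installed_selectors(status_text)
    return [pair for pair in expected if pair not in have]


if __name__ == "__main__":
    for local, remote in missing_p2(EXPECTED_P2, SAMPLE_STATUS):
        print(f"no installed CHILD_SA for {local} -> {remote}")
```

On a live pfSense box you would feed it the real output (for example `ipsec statusall` saved to a file) instead of the constructed sample; in the sample, the branch pair 10.4.0.0/16 -> 172.59.31.0/24 is installed and the head office pair to the same remote subnet is reported missing, which is the situation the post describes for the overview page.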