Add new IPsec config only after reboot possible

  • Hello forum,

    My Problem:
    I'm moving our 60 customer IPsec VPNs from Cisco ASA to pfSense.
    The first 40 tunnels which I configured on the pfSense worked well in terms of config and stable connection. After those 40, we faced some issues with adding new tunnel configurations. At this point we decided to upgrade from 2.2 to 2.3.2.
    After the upgrade and reboot I could add a few more, but again at a certain point I had the same issue as before (only a reboot helped).

    Setup details:
    2.3.2-RELEASE (amd64)
    FreeBSD 10.3-RELEASE-p5
    I use NAT-T.
    Some customers have multiple hosts in their ACL, others use subnet(s).
    Nodes/Networks: 264

    Config example with multiple Hosts:

    conn con40000
                    fragmentation = yes
                    keyexchange = ikev1
                    reauth = yes
                    forceencaps = no
                    mobike = no
                    rekey = no
                    installpolicy = yes
                    type = tunnel
                    dpdaction = restart
                    dpddelay = 10s
                    dpdtimeout = 60s
                    auto = route
                    left = x.x.x.x
                    right = x.x.x.x
                    leftid = x.x.x.x
                    ikelifetime = 86400s
                    lifetime = 28800s
                    ike = aes256-sha1-modp1024!
                    esp = aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1!
                    leftauth = psk
                    rightauth = psk
                    rightid =  x.x.x.x
                    aggressive = no
                    rightsubnet = x.x.x.x
                    leftsubnet =|

    I can provide more details if needed.

    Has anybody experienced the same behaviour of pfSense, and is there a solution, workaround or known error description?

    Many thanks for the help.

  • Rebel Alliance Developer Netgate

    Do you have any errors showing in the IPsec log when this happens?

    What if you set your logs to the following values: IKE SA, IKE Child SA, Configuration backend on Diag. All others on Control.
    See also:

    Additionally, rather than a reboot, try stopping the IPsec service and then starting it again. Don't use a restart as that only reloads the configuration.
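Before stopping and starting the service, it helps to know how many conn sections and how many ESP proposals/selectors the generated ipsec.conf actually contains, since the config in the first post grows by one proposal per host. The parser below is an added example, not pfSense or strongSwan code; the addresses in the embedded sample are constructed placeholders.

```python
"""Parse a strongSwan-style ipsec.conf (as generated by pfSense) and
summarise per-tunnel ESP proposal and selector counts."""
import re
from collections import OrderedDict

# Constructed sample shaped like the posted config; addresses are placeholders.
SAMPLE_CONF = """\
conn con40000
        keyexchange = ikev1
        ike = aes256-sha1-modp1024!
        esp = aes256-sha1,aes256-sha1,aes256-sha1!
        rightsubnet = 10.0.0.1/32,10.0.0.2/32,10.0.0.3/32
        leftsubnet = 192.0.2.0/24
conn con40001
        keyexchange = ikev1
        ike = aes256-sha1-modp1024!
        esp = aes256-sha1!
        rightsubnet = 10.1.0.0/24
        leftsubnet = 192.0.2.0/24
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section, in file order."""
    conns, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:                         # start of a new conn section
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def proposals(value):
    """Split 'a,b,c!' into ['a', 'b', 'c']; the trailing '!' marks a strict list."""
    return [p for p in value.rstrip("!").split(",") if p]

def tunnel_summary(text):
    """Per conn: number of ESP proposals and number of right-side selectors."""
    summary = {}
    for name, cfg in parse_ipsec_conf(text).items():
        summary[name] = {
            "esp_proposals": len(proposals(cfg.get("esp", ""))),
            "right_selectors": len(proposals(cfg.get("rightsubnet", ""))),
            "keyexchange": cfg.get("keyexchange"),
        }
    return summary
```

Run it against /var/etc/ipsec/ipsec.conf (the path pfSense 2.3 writes, stated here as an assumption) to spot tunnels whose proposal lists have grown unexpectedly large.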