Netgate Discussion Forum
    Add new IPsec config only after reboot possible

    Scheduled Pinned Locked Moved IPsec
    2 Posts 2 Posters 852 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
scet:

      Hello forum,

My problem:
I'm moving our 60 customer IPsec VPNs from Cisco ASA to pfSense.
The first 40 tunnels which I configured on the pfSense worked well in terms of config and stable connection. After those 40, we faced some issues with adding new tunnel configurations. At this point we decided to upgrade from 2.2 to 2.3.2.
After the upgrade and reboot I could add a few more, but again at a certain point I had the same issue as before (only a reboot helped).

Setup details:
2.3.2-RELEASE (amd64)
FreeBSD 10.3-RELEASE-p5
I use NAT-T.
Some customers have multiple hosts in their ACL, others use subnet(s).
Nodes/Networks: 264

      Config example with multiple Hosts:

      conn con40000
          fragmentation = yes
          keyexchange = ikev1
          reauth = yes
          forceencaps = no
          mobike = no
          rekey = no
          installpolicy = yes
          type = tunnel
          dpdaction = restart
          dpddelay = 10s
          dpdtimeout = 60s
          auto = route
          left = x.x.x.x
          right = x.x.x.x
          leftid = x.x.x.x
          ikelifetime = 86400s
          lifetime = 28800s
          ike = aes256-sha1-modp1024!
          esp = aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1!
          leftauth = psk
          rightauth = psk
          rightid = x.x.x.x
          aggressive = no
          rightsubnet = x.x.x.x
          leftsubnet = 192.168.1.0/24|172.20.30.2/32

      I can provide more details if needed.

Has anybody experienced the same behaviour of pfSense, and is there a solution, workaround or known error description?

      Many thanks for the help.

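A small audit script for conn blocks like the one pasted above, added here as an example (it is not pfSense's or strongSwan's own code). It parses the `conn <name>` / indented `key = value` layout that pfSense writes into its strongSwan configuration and reports, per tunnel, how many ESP proposals are listed and how many of them are duplicates, how many `leftsubnet` entries are joined with `|`, and whether the proposals rely on modp1024 or SHA-1. The two conn blocks in the script are constructed sample input; the key names are the ones visible in the post, and the "weak token" list is the author's own choice.

```python
"""Audit strongSwan-style 'conn' blocks (added example, not pfSense code).

Parses the layout pfSense generates:
    conn con40000
            key = value
and reports facts worth checking before adding more tunnels:
duplicated ESP proposals, number of leftsubnet entries, weak algorithms.
"""
import re
from collections import Counter

# Constructed sample input in the same layout as the post's config.
SAMPLE_CONF = """\
conn con40000
        keyexchange = ikev1
        ike = aes256-sha1-modp1024!
        esp = aes256-sha1,aes256-sha1,aes256-sha1!
        leftsubnet = 192.168.1.0/24|172.20.30.2/32
        rightsubnet = 203.0.113.10/32
        auto = route

conn con40001
        keyexchange = ikev2
        ike = aes256gcm16-sha384-modp2048!
        esp = aes256gcm16-sha384!
        leftsubnet = 192.168.1.0/24
        rightsubnet = 198.51.100.0/24
        auto = route
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+([A-Za-z_]+)\s*=\s*(.*?)\s*$")

# Algorithm tokens this audit treats as weak (author's own list, not a strongSwan setting).
WEAK_TOKENS = ("modp1024", "modp768", "sha1", "md5", "3des")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn block in the text."""
    conns = {}
    current = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            conns[current][m.group(1)] = m.group(2)
    return conns


def split_proposals(value):
    """'aes256-sha1,aes256-sha1!' -> ['aes256-sha1', 'aes256-sha1'] (strict '!' dropped)."""
    return [p for p in value.rstrip("!").split(",") if p]


def audit_conn(name, kv):
    """Produce the findings for one conn block as a plain dict."""
    esp = split_proposals(kv.get("esp", ""))
    ike = split_proposals(kv.get("ike", ""))
    duplicates = {p: n for p, n in Counter(esp).items() if n > 1}
    weak = sorted({tok for prop in ike + esp
                   for tok in prop.split("-") if tok in WEAK_TOKENS})
    left = kv.get("leftsubnet", "")
    return {
        "name": name,
        "esp_count": len(esp),
        "esp_unique": len(set(esp)),
        "duplicate_esp": duplicates,
        "leftsubnet_count": len(left.split("|")) if left else 0,
        "weak_algorithms": weak,
        "strict_proposals": kv.get("ike", "").endswith("!"),
    }


def audit(text):
    """Audit every conn block in an ipsec.conf-style text, in file order."""
    return [audit_conn(name, kv) for name, kv in parse_conns(text).items()]


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against a real `/var/etc/ipsec/ipsec.conf` by reading the file into `audit()`; a tunnel whose `esp_count` is far above `esp_unique` is carrying one proposal per phase 2 entry, which is the pattern visible in the config pasted above.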
jimp (Rebel Alliance Developer, Netgate):

        Do you have any errors showing in the IPsec log when this happens?

What if you set your logs to the following values: IKE SA, IKE Child SA, Configuration backend on Diag. All others on Control.
        See also: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

        Additionally, rather than a reboot, try stopping the IPsec service and then starting it again. Don't use a restart as that only reloads the configuration.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.