Netgate Discussion Forum
Add new IPsec config only after reboot possible

    scet
    last edited by Oct 17, 2016, 7:23 AM

    Hello forum,

    My Problem:
    I'm moving our 60 customer IPsec VPNs from Cisco ASA to pfSense.
    The first 40 tunnels which I configured on the pfSense worked well in terms of configuration and stable connection. After those 40, we faced some issues with adding new tunnel configurations. At this point we decided to upgrade from 2.2 to 2.3.2.
    After the upgrade and reboot I could add a few more, but again at a certain point I had the same issue as before (only a reboot helped).

    Setup details:
    2.3.2-RELEASE (amd64)
    FreeBSD 10.3-RELEASE-p5
    I use NAT-T.
    Some customers have multiple hosts for the ACL, others use subnet(s).
    Nodes/Networks: 264

    Config example with multiple Hosts:

    
    conn con40000
                    fragmentation = yes
                    keyexchange = ikev1
                    reauth = yes
                    forceencaps = no
                    mobike = no
    
                    rekey = no
                    installpolicy = yes
                    type = tunnel
                    dpdaction = restart
                    dpddelay = 10s
                    dpdtimeout = 60s
                    auto = route
                    left = x.x.x.x
                    right = x.x.x.x
                    leftid = x.x.x.x
                    ikelifetime = 86400s
                    lifetime = 28800s
                    ike = aes256-sha1-modp1024!
                    esp = aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1!
                    leftauth = psk
                    rightauth = psk
                    rightid =  x.x.x.x
                    aggressive = no
                    rightsubnet = x.x.x.x
                    leftsubnet = 192.168.1.0/24|172.20.30.2/32
    

    I can provide more details if needed.

    Has anybody experienced the same behaviour of pfSense, and is there a solution, workaround or known error description?

    Many thanks for the help.

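As an added example (not from the post and not pfSense code), a small Python parser for the strongSwan ipsec.conf conn block shown above: it splits each conn into key/value pairs, separates the `|`-joined subnets and the comma-joined esp proposals, and reports how many distinct proposals the long esp line actually carries. The sample conn is constructed, with documentation addresses and the esp proposal repeated only three times.

```python
import re

# Constructed sample modelled on the conn block in the post above (not the
# poster's real config): documentation addresses, esp proposal repeated 3x.
SAMPLE_CONF = """\
conn con40000
    keyexchange = ikev1
    auto = route
    left = 203.0.113.1
    right = 198.51.100.7
    ike = aes256-sha1-modp1024!
    esp = aes256-sha1,aes256-sha1,aes256-sha1!
    rightsubnet = 10.9.8.0/24
    leftsubnet = 192.168.1.0/24|172.20.30.2/32
"""

def parse_conns(text):
    """Parse ipsec.conf 'conn NAME' sections into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def split_proposals(value):
    """'a,a,b!' -> (['a', 'a', 'b'], True); the trailing '!' marks a strict list."""
    strict = value.endswith("!")
    items = [p for p in value.rstrip("!").split(",") if p]
    return items, strict

def summarize(conn):
    """Subnets per side plus total vs. distinct ESP proposals for one conn."""
    esp, strict = split_proposals(conn.get("esp", ""))
    unique = list(dict.fromkeys(esp))  # de-duplicated, order preserved
    return {
        "left_subnets": [s for s in conn.get("leftsubnet", "").split("|") if s],
        "right_subnets": [s for s in conn.get("rightsubnet", "").split("|") if s],
        "esp_total": len(esp),
        "esp_unique": unique,
        "esp_dedup": ",".join(unique) + ("!" if strict else ""),
    }

if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, summarize(conn))
```

Run it against a real `/var/etc/ipsec/ipsec.conf` to see, per conn, how many of the 264 nodes and how many repeated esp entries each tunnel contributes before posting the log output jimp asks for.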
      jimp Rebel Alliance Developer Netgate
      last edited by Oct 19, 2016, 5:55 PM

      Do you have any errors showing in the IPsec log when this happens?

      What if you set your logs to the following values:  IKE SA, IKE Child SA, Configuration backend on Diag. All others on Control.
      See also: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29

      Additionally, rather than a reboot, try stopping the IPsec service and then starting it again. Don't use a restart as that only reloads the configuration.
