Add new IPsec config only after reboot possible
-
Hello forum,
My Problem:
I'm moving our 60 customer IPsec VPNs from Cisco ASA to pfSense.
The first 40 tunnels which I configured on the pfSense worked well in terms of config and stable connection. After those 40, we faced some issues with adding new tunnel configurations. At this point we decided to upgrade from 2.2 to 2.3.2.
After the upgrade and reboot I could add a few more, but again at a certain point I had the same issue as before (only a reboot helped).
Details of setup:
2.3.2-RELEASE (amd64)
FreeBSD 10.3-RELEASE-p5
I use NAT-T.
Some customers have multiple hosts in the ACL, others use subnet(s).
Nodes/Networks: 264
Config example with multiple hosts:

    conn con40000
        fragmentation = yes
        keyexchange = ikev1
        reauth = yes
        forceencaps = no
        mobike = no
        rekey = no
        installpolicy = yes
        type = tunnel
        dpdaction = restart
        dpddelay = 10s
        dpdtimeout = 60s
        auto = route
        left = x.x.x.x
        right = x.x.x.x
        leftid = x.x.x.x
        ikelifetime = 86400s
        lifetime = 28800s
        ike = aes256-sha1-modp1024!
        esp = aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1!
        leftauth = psk
        rightauth = psk
        rightid = x.x.x.x
        aggressive = no
        rightsubnet = x.x.x.x
        leftsubnet = 192.168.1.0/24|172.20.30.2/32
I can provide more details if needed.
Has anybody experienced the same behaviour of pfSense, and is there a solution, workaround or known error description?
Many thanks for the help.
-
Do you have any errors showing in the IPsec log when this happens?
What if you set your logs to the following values: IKE SA, IKE Child SA, Configuration backend on Diag. All others on Control.
See also: https://doc.pfsense.org/index.php/IPsec_Troubleshooting#Common_Errors_.28strongSwan.2C_pfSense_.3E.3D_2.2.x.29
Additionally, rather than a reboot, try stopping the IPsec service and then starting it again. Don't use a restart, as that only reloads the configuration.
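Before adding the next tunnel, it is worth checking what the generated ipsec.conf actually contains. The con40000 block posted above carries one esp proposal per traffic-selector pair rather than a single proposal, and that list grows with every phase-2 entry. The script below is an added example, not from this thread or from pfSense: it reads a strongSwan ipsec.conf, reports per conn how many left/right subnets and how many ESP proposals it has, and flags conns whose proposal list has been multiplied out. The sample config is constructed (a shortened copy of the posted block plus a second conn), and the /usr/local/sbin/ipsec path used for the cold stop/start is an assumption.

```shell
#!/bin/sh
# Added example: inspect a pfSense-generated strongSwan ipsec.conf and report
# how many subnet pairs and ESP proposals each conn carries.

# Constructed sample, modelled on the con40000 block in the post. The ESP
# list is shortened but is still repeated once per traffic-selector pair.
SAMPLE_CONF=$(cat <<'EOF'
conn con40000
    keyexchange = ikev1
    ike = aes256-sha1-modp1024!
    esp = aes256-sha1,aes256-sha1,aes256-sha1,aes256-sha1!
    leftsubnet = 192.168.1.0/24|172.20.30.2/32
    rightsubnet = 10.9.8.0/24|10.9.9.0/24
conn con40001
    keyexchange = ikev1
    ike = aes256-sha1-modp1024!
    esp = aes256-sha1!
    leftsubnet = 192.168.1.0/24
    rightsubnet = 10.7.0.0/16
EOF
)

# Read ipsec.conf on stdin; print "<conn> <left subnets> <right subnets> <esp proposals>".
conn_stats() {
    awk '
    function count(val, sep,    parts) { return split(val, parts, sep) }
    function flush() {
        if (name != "")
            printf "%s %d %d %d\n", name, count(ls, "|"), count(rs, "|"), count(esp, ",")
    }
    /^conn[ \t]/ { flush(); name = $2; ls = ""; rs = ""; esp = ""; next }
    /^[ \t]*esp[ \t]*=/         { sub(/^[^=]*=[ \t]*/, ""); sub(/!$/, ""); esp = $0 }
    /^[ \t]*leftsubnet[ \t]*=/  { sub(/^[^=]*=[ \t]*/, ""); ls = $0 }
    /^[ \t]*rightsubnet[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); rs = $0 }
    END { flush() }'
}

# Conns whose ESP proposal count equals left*right subnet pairs (and is > 1):
# the same proposal has been emitted once per phase-2 traffic selector.
inflated_conns() {
    conn_stats | awk '$4 > 1 && $4 == $2 * $3 { print $1 }'
}

# Full stop/start of strongSwan, as the reply suggests, instead of a reload.
# The path is an assumption for pfSense 2.3; "ipsec reload" only re-reads config.
cold_restart() {
    /usr/local/sbin/ipsec stop && /usr/local/sbin/ipsec start
}

# Usage: run against the constructed sample (or: conn_stats < /var/etc/ipsec/ipsec.conf).
printf '%s\n' "$SAMPLE_CONF" | conn_stats
printf '%s\n' "$SAMPLE_CONF" | inflated_conns
```

On the sample this prints `con40000 2 2 4` and `con40001 1 1 1`, then flags `con40000`. Run it against the live config on the firewall to see how large the generated proposal lists have become before the point where adding a tunnel stops working; that is useful context to include with the log output the reply asks for.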