Cannot get multiple phase 2 entries to work on site-to-site IPsec (pfSense 2.4.4), connection to AWS



  • Hello
    We are preparing a new comp unit running pfSense 2.4.4 to replace our old Cisco firewall and router. After setting up IPsec with two P2 entries, everything works fine. The phase 1 gets connected to AWS and the packets for the remote subnet 10.10.0.0 are routed properly. Problems occur as soon as we define another P2 subnet to be routed (remote subnet 10.20.0.0 in the bottom graphic, currently disabled). This additional P2 entry is a copy of the other one, just with a changed remote subnet. As soon as the currently disabled one is activated, the other tunnels get stuck or lose connection. We checked this with a continuous ping. It seems that multiple phase 2 entries and their routes are interfering.

    [screenshot attachment]

    As I have read, something similar occurred in an older pfSense version (2.2). In some other cases I've read about, using IKEv2 shouldn't have such issues. As Amazon AWS claims to use IKEv1, what other options do we have to get this up and running? Or is it probably a (reappeared) bug?

    Does somebody else have a connection running with IKEv1 and multiple Phase 2 entries to Amazon AWS?

    Thanks in advance
    Patrick



  • @vptechnik I'm getting the same issue.


  • Rebel Alliance Developer Netgate

    AWS doesn't allow that many P2s. They will disconnect old ones as new ones over the limit try to establish.

    Switch to VTI and use BGP to route whatever you want over a single VTI P2 entry.
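A quick way to see how many Phase 2 (CHILD_SA) entries are actually installed per IKE_SA toward a peer, before enabling another one, is to parse the strongSwan status output that pfSense 2.4.x exposes via `ipsec statusall`. The script below is an added example for this thread, not code from Netgate, pfSense or any of the posters. The sample status text is constructed (made-up addresses, SPIs and connection name) and follows the `ipsec statusall` layout as I know it; the default `limit=1` is an assumption about what the remote side will tolerate, not a number stated in the thread, so set it to whatever your peer actually permits.

```python
import re
import sys

# Constructed sample of `ipsec statusall` output (strongSwan, as shipped with
# pfSense 2.4.x). Addresses, SPIs and the connection name are made up; the
# layout mirrors the real command as closely as I know it.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
   con1000[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
   con1000[3]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 9f8e7d6c5b4a3928_r, pre-shared key reauthentication in 21 hours
   con1000[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d4e5f607_o
   con1000{5}:  AES_CBC_128/HMAC_SHA1_96, 1234 bytes_i, 5678 bytes_o, rekeying in 40 minutes
   con1000{5}:   192.168.1.0/24 === 10.10.0.0/16
   con1000{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: a9b8c7d6_i e5f40312_o
   con1000{6}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 40 minutes
   con1000{6}:   192.168.1.0/24 === 10.20.0.0/16
"""

# IKE_SA header line: "<conn>[<id>]: ESTABLISHED ... <local>[<id>]...<peer>[<id>]"
IKE_RE = re.compile(
    r"^\s*(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]:\s+ESTABLISHED.*\.\.\.(?P<peer>[^\[\s]+)\["
)
# CHILD_SA header line: "<conn>{<id>}:  INSTALLED, TUNNEL, reqid ..."
CHILD_RE = re.compile(
    r"^\s*(?P<conn>[^\{\s]+)\{(?P<id>\d+)\}:\s+INSTALLED,\s+(?P<mode>\w+)"
)
# CHILD_SA traffic-selector line: "<conn>{<id>}:   <local> === <remote>"
TS_RE = re.compile(
    r"^\s*(?P<conn>[^\{\s]+)\{(?P<id>\d+)\}:\s+(?P<local>\S+)\s+===\s+(?P<remote>\S+)"
)


def parse_statusall(text):
    """Map connection name -> {"peer": <remote address>, "children": {id: {mode, local, remote}}}."""
    sas = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            sas.setdefault(m["conn"], {"peer": None, "children": {}})["peer"] = m["peer"]
            continue
        m = CHILD_RE.match(line)
        if m:
            entry = sas.setdefault(m["conn"], {"peer": None, "children": {}})
            entry["children"][m["id"]] = {"mode": m["mode"], "local": None, "remote": None}
            continue
        m = TS_RE.match(line)
        if m and m["id"] in sas.get(m["conn"], {}).get("children", {}):
            sas[m["conn"]]["children"][m["id"]].update(local=m["local"], remote=m["remote"])
    return sas


def child_sa_counts(sas):
    """Number of installed CHILD_SAs (Phase 2 entries) per IKE_SA."""
    return {conn: len(info["children"]) for conn, info in sas.items()}


def check_child_sa_limit(sas, limit=1):
    """Return (conn, peer, count, remote_subnets) for every IKE_SA carrying
    more CHILD_SAs than `limit`. The default of 1 is an assumption; use the
    value the remote side actually permits."""
    findings = []
    for conn, info in sas.items():
        children = info["children"]
        if len(children) > limit:
            remotes = sorted(c["remote"] for c in children.values() if c["remote"])
            findings.append((conn, info["peer"], len(children), remotes))
    return findings


if __name__ == "__main__":
    # Pipe live output in (`ipsec statusall | python3 check_p2.py`); falls back
    # to the constructed sample when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for conn, peer, count, remotes in check_child_sa_limit(parse_statusall(text)):
        print(f"{conn} -> {peer}: {count} CHILD_SAs ({', '.join(remotes)}); "
              f"expect the peer to tear old ones down if it allows fewer")
```

Running it against the sample reports `con1000 -> 198.51.100.20: 2 CHILD_SAs (10.10.0.0/16, 10.20.0.0/16)`. On a box showing the symptom from the first post, re-running it while the continuous ping drops should show the CHILD_SA count bouncing as the peer tears down one Phase 2 and the other re-establishes; with the single VTI Phase 2 suggested above, the count stays at one and the per-subnet routing moves to BGP.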



  • Thank you very much for your suggestion. I've reconfigured the tunnel to use VTI, and for some days now it has stayed quite stable. The routing seems to work fine for all subnets.