IPsec configuration files lost after reboot.
-
pfSense puts the IPsec config in
/var/etc/ipsec/. It shouldn't be looking in/usr/local/etcfor anything.Are you starting it manually or with a custom script?
-
Hello and thank you for you reply. From the Status->Systems Logs->IPsec there are these errors
Dec 20 10:41:40 ipsec_starter 64519 Starting strongSwan 5.7.1 IPsec [starter]...
Dec 20 10:41:40 ipsec_starter 64519 no files found matching '/usr/local/etc/ipsec.conf'
Dec 20 10:41:40 ipsec_starter 64519 failed to open config file '/usr/local/etc/ipsec.conf'
Dec 20 10:41:40 ipsec_starter 64519 unable to start strongSwan -- fatal errors in configWhen i try to start from the cli ipsec start these errors are coming up.
no files found matching '/usr/local/etc/strongswan.conf'
abort initialization due to invalid configuration
Starting strongSwan 5.7.1 IPsec [starter]...
no files found matching '/usr/local/etc/ipsec.conf'
failed to open config file '/usr/local/etc/ipsec.conf'
unable to start strongSwan -- fatal errors in configAfter i disable and enable phase 1 and phase 2 the configuration are creating and everything is ok. When i reboot the vm the configs are missing.
Thank you very much -
You don't need to start IPsec from the CLI. pfSense will start the IPsec service on its own if you have everything setup and enabled properly.
You are most likely not passing the correct set of parameters for it to read the correct configuration.
-
Ok so how can i ensure that i have setup it correctly and it will be able to start the service its own.
-
Use the GUI to set it up, and have at least one enabled P1+P2, the rest should happen naturally.
Unless you are making manual modifications or trying to do something the GUI doesn't support, you shouldn't have to take any special steps here.
-
But the configuration came from the gui. Enabling mobile clients phase 1 + phase 2 and last l2tp. Thats it. When i am restarting the vm i issue the command ipsec status and nothing is appear. Clearly something is worng.
-
@artemis Hay
To help you answer the questions
Sorry for my English- during PF booting there is a message "Configuring IPsec VPN...done" ?
- After booting there is in the /var/etc/ipsec/ file strongswan.conf ?
- IFCONFIG shows that there is an enc0 interface after booting?
-
@Konstanti Hello and thank you for your reply.
- It shows that the IPsec VTI interface is done( Nothing about IPsec VPN and i saw the L2TP vpn configured ok)
2)There is no ipsec folder inside etc :( (It shows the l2tp but not the ipsec)
3)Yes there is an enc0 after booting.
- It shows that the IPsec VTI interface is done( Nothing about IPsec VPN and i saw the L2TP vpn configured ok)
-
@artemis enc0 UP or DOWN ?? after booting
-
It seems to be down.
-
@artemis This means that IPSEC is not enabled at boot time
Or missing phase 1
Or phase 1 is disabled -
This post is deleted! -
@konstanti Try to set IKEV2without the l2tp/IPSEC
From the documentation
We strongly recommend using another solution such as IKEv2 instead of L2TP/IPsec. -
-
@artemis Unfortunately, nothing is visible
-
@artemis https://www.netgate.com/docs/pfsense/book/ipsec/mobile-ipsec.html
-
Ok. To describe it, am showing you that the phase1 is enabled from the gui and the interface is not up.
-
@artemis
When booting the PF checks whether it is enabled to initialize IPSEC
If not , enc0 set to down
And files strongswan.conf, ipsec.conf,..... not createdTry to configure access using IKEV2 without l2tp
-
Ok how can i say to my pfsense to check the IPsec on the boot, because as i told you before it doesnt check it. My remote hosts do not support ikev2
-
@artemis he picture shows that phase 1 is disabled from gui (your configuration)
Phase 1 is enabled (my configuration)
