Netgate Discussion Forum

Can I use only 2 Phase 2 per Phase 1 on pfSense?

goorooj

      Hi Forum,

I made an IPsec connection to a remote site with 1 Phase 1 and 6 Phase 2 entries.

Only the first 2 Phase 2 come up and then no more. When I disable the first 2, the next 2 come up but not the last two,
and when I disable the first 4 the last 2 come up. So it seems to me that whatever I do, only 2 Phase 2 entries are carried out and the rest are ignored.

Is this a bug or expected on pfSense?

Derelict (Netgate)

        You have a misconfiguration. There are sites with dozens of P2s on a P1.

        IKEv1 or IKEv2?

        What are you communicating with?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

goorooj

The other side is a Checkpoint with 95+ tunnels up; I have only what the admin gives me. I kind of trust they know what they do, so I think it's my side.

My Key Exchange Version is on auto. I think it uses IKEv2 because it says in the log:

          Nov 6 15:06:15 charon 10[MGR] checkout IKEv2 SA by message with SPIs f5f54a84ef769445_i 600d2229555ef121_r
          Nov 6 15:06:15 charon 10[MGR] checkout IKEv2 SA by message with SPIs f5f54a84ef769445_i 600d2229555ef121_r

I have 6 Phase 2 entries enabled.
When I look in the Status > show child SA entries, it shows me only the first two remote subnets (all subnets are in fact /32 single addresses).

But if I look into the SADs I have 6, and I have 24 SPDs as expected.

I am very confused.

Derelict (Netgate)

            Is there traffic on the P2s that are not up? A P2 will not necessarily be initiated unless there is interesting traffic.

You might also check split connections, but that limitation of the other side would usually prevent more than one P2 from establishing.

            And if you know the IKE version to be IKEv2 there is no reason not to set it for IKEv2 specifically.


goorooj

I set the IKE to v2 now.

There is no traffic yet. I have to check whether this is running before I can proceed to fight with the firewall and the routing, I think...
But the child SAs always show me the first 2 available connections that are enabled, no matter which ones.

This time it shows only one; maybe the 2nd server on the other side is switched off.

I cleaned the IP address out because it's a public IP:

              con1000:
              #236 192.168.33.61/32
              Local: cd989838
              Remote: 60c4ba15 xxx.xxx.xxx.xxx/32
              Rekey: 2542 seconds (00:42:22)
              Life: 3472 seconds (00:57:52)
              Install: 128 seconds (00:02:08) AES_CBC
              HMAC_SHA1_96
              IPComp: none Bytes-In: 0 (0 B)
              Packets-In: 0
              Bytes-Out: 0 (0 B)
              Packets-Out: 0

When I disable these first two entries it shows me (again I cleaned the addresses out for being public, this time all of them):

              con1000:
              #238 xxx.xxx.xxx.xxx/32
              Local: c144a229
              Remote: 549b87ca xxx.xxx.xxx.xxx/32
              xxx.xxx.xxx.xxx/32
              Rekey: 2892 seconds (00:48:12)
              Life: 3595 seconds (00:59:55)
              Install: 5 seconds (00:00:05) AES_CBC
              HMAC_SHA1_96
              IPComp: none Bytes-In: 0 (0 B)
              Packets-In: 0
              Bytes-Out: 0 (0 B)
              Packets-Out: 0

Of course the remote addresses are different ones from the ones before.

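To make Derelict's point concrete (a configured P2 with no child SA and no traffic is consistent with "not initiated until interesting traffic", not with a two-P2 limit), here is an added Python example that is not from the thread or from pfSense. It parses a constructed status dump in the same format goorooj quoted above and reports, for each configured Phase 2 remote network, whether a child SA exists and whether it has passed any bytes. The six remote networks, the SPIs and the addresses are assumed placeholders.

```python
import re

# Constructed sample in the shape of the pfSense "Status > IPsec > Child SA" text
# quoted in the thread (addresses are RFC 5737 placeholders, not real peers).
SAMPLE_STATUS = """\
con1000:
#236 192.168.33.61/32
Local: cd989838
Remote: 60c4ba15 203.0.113.11/32
Install: 128 seconds (00:02:08) AES_CBC
HMAC_SHA1_96
IPComp: none Bytes-In: 0 (0 B)
Packets-In: 0
Bytes-Out: 0 (0 B)
Packets-Out: 0
#237 192.168.33.61/32
Local: a1b2c3d4
Remote: e5f60718 203.0.113.12/32
Install: 70 seconds (00:01:10) AES_CBC
HMAC_SHA1_96
IPComp: none Bytes-In: 1200 (1.2 KB)
Packets-In: 10
Bytes-Out: 900 (900 B)
Packets-Out: 9
"""

# Assumed: the six Phase 2 remote /32 networks configured on the pfSense side.
CONFIGURED_P2 = [f"203.0.113.{n}/32" for n in range(11, 17)]

def parse_child_sas(text):
    """Return one dict per '#NNN' child SA record: local/remote selector and byte counters."""
    sas = []
    for chunk in re.split(r"(?m)^#\d+ ", text)[1:]:
        local = chunk.split("\n", 1)[0].strip()
        remote = re.search(r"^Remote: \S+ (\S+)", chunk, re.M).group(1)
        bytes_in = int(re.search(r"Bytes-In: (\d+)", chunk).group(1))
        bytes_out = int(re.search(r"Bytes-Out: (\d+)", chunk).group(1))
        sas.append({"local": local, "remote": remote, "bytes_in": bytes_in, "bytes_out": bytes_out})
    return sas

def p2_report(text, configured):
    """Map each configured remote network to 'missing', 'up/idle' or 'up/passing'."""
    by_remote = {sa["remote"]: sa for sa in parse_child_sas(text)}
    report = {}
    for net in configured:
        sa = by_remote.get(net)
        if sa is None:
            report[net] = "missing"          # no child SA yet: nothing has triggered it
        else:
            report[net] = "up/idle" if sa["bytes_in"] + sa["bytes_out"] == 0 else "up/passing"
    return report
```

Four "missing" entries with zero traffic anywhere point at the absence of interesting traffic (or a selector mismatch) rather than a Phase 2 count limit; a "missing" entry while traffic is flowing is what would justify looking at the peer's configuration.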
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.