Can I use only 2 Phase 2 per Phase 1 on pfSense?
-
Hi Forum,
I made an IPsec connection to a remote site with 1 Phase 1 and 6 Phase 2.
Only the first 2 Phase 2 come up and then no more. When I disable the first 2, the next 2 come up but not the last two.
And when I disable the first 4, the last 2 come up, so it seems to me that whatever I do only 2 Phase 2 entries are carried out and the rest ignored. Is this a bug or expected on pfSense?
-
You have a misconfiguration. There are sites with dozens of P2s on a P1.
IKEv1 or IKEv2?
What are you communicating with?
-
Other side is a Checkpoint with 95+ tunnels up; I have only what the admin gives me. I kind of trust they know what they do, so I think it's my side.
My Key Exchange version is on auto. I think it uses IKEv2 because it says in the log
Nov 6 15:06:15 charon 10[MGR] checkout IKEv2 SA by message with SPIs f5f54a84ef769445_i 600d2229555ef121_r
Nov 6 15:06:15 charon 10[MGR] checkout IKEv2 SA by message with SPIs f5f54a84ef769445_i 600d2229555ef121_r
I have 6 Phase 2 enabled.
When I look in the status / show child SA entries, it shows me only the first two remote subnets (all subnets are in fact /32 single addresses). But if I look into the SADs I have 6, and I have 24 SPDs as expected.
I am very confused.
-
Is there traffic on the P2s that are not up? A P2 will not necessarily be initiated unless there is interesting traffic.
You might also check split connections but that limitation of the other side would usually prevent more than one P2 from establishing.
And if you know the IKE version to be IKEv2 there is no reason not to set it for IKEv2 specifically.
-
I set the IKE to v2 now.
There is no traffic yet. I have to check if this is running before I can proceed to fight with the firewall and the routing, I think....
But the child SAs always show me the first 2 available connections that are enabled, no matter which ones. This time it shows only one; maybe the 2nd server on the other side is switched off.
I cleaned the IP address out because it's a public IP.
con1000:
#236 192.168.33.61/32
Local: cd989838
Remote: 60c4ba15 xxx.xxx.xxx.xxx/32
Rekey: 2542 seconds (00:42:22)
Life: 3472 seconds (00:57:52)
Install: 128 seconds (00:02:08) AES_CBC
HMAC_SHA1_96
IPComp: none Bytes-In: 0 (0 B)
Packets-In: 0
Bytes-Out: 0 (0 B)
Packets-Out: 0
When I disable these first two entries it shows me (again I cleaned addresses out for being public, this time all):
con1000:
#238 xxx.xxx.xxx.xxx/32
Local: c144a229
Remote: 549b87ca xxx.xxx.xxx.xxx/32
xxx.xxx.xxx.xxx/32
Rekey: 2892 seconds (00:48:12)
Life: 3595 seconds (00:59:55)
Install: 5 seconds (00:00:05) AES_CBC
HMAC_SHA1_96
IPComp: none Bytes-In: 0 (0 B)
Packets-In: 0
Bytes-Out: 0 (0 B)
Packets-Out: 0
Of course the remote addresses are different ones from the ones before.
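One way to see which of the six configured Phase 2 entries actually have a child SA installed and which of those have carried no traffic yet (the point the earlier reply makes about interesting traffic), as an added example that is not code from this thread or from pfSense: it parses the child SA listing in the layout pasted above, using a constructed sample and an assumed list of configured remote networks.

```python
import re
# Constructed sample in the layout pfSense's IPsec status page prints for child SAs,
# trimmed to the lines the parser reads (public addresses replaced with 203.0.113.0/24).
SAMPLE_STATUS = """\
con1000:
#236 192.168.33.61/32
Local: cd989838
Remote: 60c4ba15 203.0.113.10/32
IPComp: none Bytes-In: 0 (0 B)
Bytes-Out: 0 (0 B)
con1000:
#238 192.168.33.61/32
Local: c144a229
Remote: 549b87ca 203.0.113.11/32
203.0.113.12/32
IPComp: none Bytes-In: 1460 (1 KiB)
Bytes-Out: 1460 (1 KiB)
"""
# Assumed: the six Phase 2 remote /32 networks configured on the pfSense side.
CONFIGURED_P2_REMOTES = [f"203.0.113.{n}/32" for n in range(10, 16)]
CIDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")

def parse_child_sas(text):
    """Parse the status dump into one dict per '#NNN' child SA block."""
    sas, sa, side = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"#(\d+)\s+(\S+)", line):  # new child SA, first local selector
            sa = {"id": int(m[1]), "local": [m[2]], "remote": [], "bytes": 0}
            sas.append(sa); side = "local"
        elif sa is None:
            continue
        elif m := re.match(r"Remote:\s+[0-9a-f]+\s+(\S+)", line):  # SPI + first remote selector
            sa["remote"].append(m[1]); side = "remote"
        elif CIDR.match(line):  # bare network on its own line: an additional traffic selector
            sa[side].append(line)
        elif m := re.search(r"Bytes-(?:In|Out):\s+(\d+)", line):
            sa["bytes"] += int(m[1])
    return sas

def p2_coverage(text, configured_remotes):
    """Which configured P2 remotes have a child SA, and which of those carried no traffic yet."""
    by_remote = {ts: sa for sa in parse_child_sas(text) for ts in sa["remote"]}
    up = sorted(ts for ts in configured_remotes if ts in by_remote)
    return {
        "established": up,
        "established_no_traffic": [ts for ts in up if by_remote[ts]["bytes"] == 0],
        "not_established": sorted(set(configured_remotes) - set(by_remote)),
    }
```

Entries listed under "not_established" have no child SA at all, which on an initiator without traffic is exactly what the reply above describes; feeding the real listing from the status page in place of the sample gives the same report for the live tunnel.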