PfSense 1.2.3RC1 / site-to-site VPN with multiple subnets = packet loss / Bug?
-
Hi,
I am trying to build a site-to-site VPN with two pfSense boxes, one with a static IP (location A) and one with a dynamic IP (location B).
- Location A (static) is running pfSense 1.2.3RC1
- Location B (dynamic, with DynDNS) is running pfSense 1.2.1
On both sides I have multiple subnets, so I created one set of SAs for every subnet (mobile client configuration, parallel tunnels). I also checked http://doc.pfsense.org/index.php/IPSec_with_Multiple_Subnets.
The problem is that I can only use one subnet pair (e.g. 10.0.1.0/24 in location A and 10.0.2.0/24 in location B).
As soon as I ping another subnet there is a packet loss of about 50%. I assumed this comes from different identifiers as noted in the FAQ etc. But the identifiers (Domain, e.g. net[1-9].example.net) are different for every subnet configuration. I triple-checked this and also tried User FQDN.
A change of the MTU on the WAN interface didn't help either. Is there anything I can test? Or is this a bug?
Regards,
Alex
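Added example, not from this thread or from pfSense: a small Python check over a constructed list of parallel phase-2 entries of the kind described in the post above. It flags the error the FAQ warns about (an identifier reused across subnet pairs) and, as an extra check beyond the post, subnet pairs that overlap between entries; the field names and sample subnets are assumptions, not pfSense's own config schema.

```python
# Added example (not from the thread): sanity-check parallel IPsec
# phase-2 entries where each subnet pair is its own SA with its own
# identifier. Field names and sample values are constructed.
import ipaddress


def check_parallel_tunnels(entries):
    """Return a list of problem strings for a list of tunnel entries.

    Each entry is a dict with keys: local (CIDR), remote (CIDR),
    my_id (local identifier), peer_id (identifier the peer presents).
    """
    problems = []
    seen_my, seen_peer = {}, {}
    pairs = []
    for i, e in enumerate(entries):
        local = ipaddress.ip_network(e["local"], strict=True)
        remote = ipaddress.ip_network(e["remote"], strict=True)
        # Identifiers must be unique per SA; a reused one lets the
        # responder match the wrong SA for the alternate subnet.
        if e["my_id"] in seen_my:
            problems.append(f"entry {i}: my_id {e['my_id']!r} reused from entry {seen_my[e['my_id']]}")
        if e["peer_id"] in seen_peer:
            problems.append(f"entry {i}: peer_id {e['peer_id']!r} reused from entry {seen_peer[e['peer_id']]}")
        seen_my.setdefault(e["my_id"], i)
        seen_peer.setdefault(e["peer_id"], i)
        # Overlapping local/remote pairs give ambiguous policy matches.
        for j, (l2, r2) in enumerate(pairs):
            if local.overlaps(l2) and remote.overlaps(r2):
                problems.append(f"entry {i}: subnet pair overlaps entry {j}")
        pairs.append((local, remote))
    return problems


# Constructed sample: entries 0 and 1 are clean; entry 2 reuses the
# identifier of entry 0 and its local subnet overlaps entry 0.
SAMPLE = [
    {"local": "10.0.1.0/24", "remote": "10.0.2.0/24", "my_id": "net1.example.net", "peer_id": "net2.example.net"},
    {"local": "10.0.3.0/24", "remote": "10.0.4.0/24", "my_id": "net3.example.net", "peer_id": "net4.example.net"},
    {"local": "10.0.1.0/25", "remote": "10.0.2.0/24", "my_id": "net1.example.net", "peer_id": "net5.example.net"},
]

if __name__ == "__main__":
    for p in check_parallel_tunnels(SAMPLE):
        print(p)
```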
-
I've not had a lot of luck with multiple subnets in the past, but I haven't had a chance to experiment more lately. (I wrote that FAQ entry based on what I was told by others who had done it successfully)
What 1.2.3-RC are you using? If it's a recent snapshot, there has been some shuffling of ipsec-tools versions trying to fix other issues, and for a time ipsec-tools 0.8 was in the tree which broke parallel tunnels, but fixed other issues.
Check your IPsec logs, and see what version of ipsec-tools you've got (0.7.1, 0.7.2, or 0.8) and that may give some indication.
-
Hey,
I am running 1.2.3-RC1 (built on Wed Apr 22 15:36:34 EDT 2009) with ipsec-tools 0.7.1.
Should I rather try two boxes with 1.2.3-RC1 or 1.2.2?
Thanks!
Alex
-
There were several changes to ipsec-tools between 1.2.2 and 1.2.3, but I'm not sure if they'd be causing any of the issues you see.
You'd be better off testing two matching versions though, either a more recent 1.2.3 or both 1.2.2.
-
Just to give some feedback:
I tried the scenario with pfSense 1.2.2 on both sides (static and dynamic):
- allowed mobile clients on the static side
- set up two tunnels with different subnets
The result is still the same, around 50% packet loss.
-
That sounds about like what happened the last time I tried to run multiple subnets with mobile clients.
The tunnel would drop and re-key for the alternate subnet, and then flip back and forth repeatedly. This was several months ago that I tried it though, and the particulars escape me.