Netgate Discussion Forum

    21.02 Upgrade Broke IPSec site-2-site to Cisco ASA

    8 Posts 4 Posters 935 Views
    mystic330:

      Reading the advice in the other thread, I'm opening a new thread based on my specific IPSec issue with 21.02...

      Had a previous 2.4.5 install working fine with Site-2-site VPN to a Cisco ASA.
      Upgraded to 21.02 and the VPN connects fine, but no traffic flows.

      The only negative comment in the logs I can find is:
      Feb 20 10:11:11 charon 45335 12[IKE] <con100000|5> nothing to initiate

      I've looked at the ID change/issue, but my P1 session ID is Local IP, and the connection appears to be coming up - I just get no packets flowing.

      I'm assuming the ASA config is good as it worked fine for a long time on 2.4.5.

      Any ideas?

      mystic330 @mystic330:

        FYI - I have deleted all the VPN config and re-configured fresh on 21.02 - Same results.

        mystic330 @mystic330:

          Another FYI - I'm seeing two strange things:

          1 - On the IPSec status screen I see a Child SA entry (I'm assuming P2?) under the main IPSec entry (P1?) - This Child SA entry has my local and remote subnets as defined in my P2 config. The stats show that there are packets out, but no packets in.

          2 - On this same screen, under the above entries, I see another entry with the same configuration (I only have one VPN configured) that says it's Disconnected. I've clicked the Connect button numerous times and nothing changes.

          I don't see anything that stands out in the logs as an obvious issue - It's almost like the routing is not correct. Should I be seeing an entry in netstat -r for my remote network? (I'm not).

          Definitely something strange going on with IPSec in this release.
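An added example, not from this thread or from pfSense/strongSwan: a small parser over constructed `swanctl --list-sas` style output that flags child SAs which are installed and sending packets but have received none, the "packets out, no packets in" symptom described in the post above. The connection name, addresses, SPIs and counters are made up for illustration.

```python
import re

# Constructed sample modelled on `swanctl --list-sas` output (not captured from
# the poster's system); names, addresses and counters are made up for illustration.
SAMPLE_SAS = """\
con100000: #5, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 300s ago, rekeying in 27000s
  con100000: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 300s ago, rekeying in 3000s, expires in 3600s
    in  c1a2b3c4,      0 bytes,     0 packets
    out c4b3a2c1,   5120 bytes,    40 packets,     2s ago
    local  192.168.1.0/24
    remote 10.10.0.0/24
"""

CHILD_RE = re.compile(r"^\s{2}(\S+): #(\d+), reqid (\d+), (\w+), ")     # child SA header (2-space indent)
COUNTER_RE = re.compile(r"^\s+(in|out)\s+\w+,\s+(\d+) bytes,\s+(\d+) packets")  # traffic counters
NET_RE = re.compile(r"^\s+(local|remote)\s+(\S+)$")                     # traffic selectors (P2 subnets)

def parse_child_sas(text):
    """Return one dict per child SA: name, id, state, in/out packet counts, local/remote nets."""
    sas = []
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            sas.append({"name": m.group(1), "id": int(m.group(2)),
                        "state": m.group(4), "in": 0, "out": 0,
                        "local": None, "remote": None})
            continue
        if not sas:
            continue  # still inside the IKE_SA header lines, nothing to attach counters to
        m = COUNTER_RE.match(line)
        if m:
            sas[-1][m.group(1)] = int(m.group(3))
            continue
        m = NET_RE.match(line)
        if m:
            sas[-1][m.group(1)] = m.group(2)
    return sas

def one_way_child_sas(text):
    """Child SAs that are INSTALLED and have sent packets but received none."""
    return [sa for sa in parse_child_sas(text)
            if sa["state"] == "INSTALLED" and sa["out"] > 0 and sa["in"] == 0]
```

Running the check periodically (for example from cron against the live `swanctl --list-sas` output) gives a simple alert for a tunnel that reports connected while carrying traffic in only one direction.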

          MMapplebeck @mystic330:

            @mystic330 If you install the System Patches package and install patch ead6515637a34ce6e170e2d2b0802e4fa1e63a00 from @jimp, it will fix the display issue. As for the other problem of packets not flowing properly, I have seen a few posts mention it, and I am having the same issue.

            Sadly, there seems to be something very wrong with strongSwan/IPsec in 21.02: invalid values (rekey time breaks if 0 is in the field; it should be blank), mismatched tunnel IDs (the above patch addresses this), widget problems, reports of secrets getting mangled, and P2s that are no longer transmitting data.

            mystic330 @MMapplebeck:

              @mmapplebeck Thanks!
              That patch did fix the IPsec status page.

              Lots of issues indeed :-(
              I will play with it for another day or two, but then I'll need to revert back to code that I know works...

              If anybody needs any logs, testing, etc. to troubleshoot this issue please let me know.

              mystic330 @mystic330:

                Really not a happy camper....

                After loading my old config, my IPsec remote clients aren’t working either....

                So I needed to go back to 2.4.5.... so I threw in the USB with the image I got from Netgate and it erased the flash and then booted and said “unsupported system, no serial number”....🤬
                This is a real deal SG1100!!!!
                So now I’ve got a brick....

                sgw @mystic330:

                  @mystic330 I am not sure if I hit the same issue as you, but:

                  when I enable hw crypto one of my tunnels does not work (I am quite sure it's a Cisco on the other side).

                  After disabling hw crypto and a reboot the same tunnel config works. Tested again right now.

                  it.subscriptions @sgw:

                    @sgw I can confirm disabling hw crypto on our SG-1100 running 21.02 fixed our tunnels to a SonicWall. We had the same issues as the OP: tunnels connected, but no traffic flowing inside.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.