21.02 Upgrade Broke IPSec site-2-site to Cisco ASA
Reading the advice in the other thread, I'm opening a new thread based on my specific IPsec issue with 21.02....
Had a previous 2.4.5 install working fine with Site-2-site VPN to a Cisco ASA.
Upgraded to 21.02 and the VPN connects fine, but no traffic flows.
The only negative comment in the logs I can find is:
Feb 20 10:11:11 charon 45335 12[IKE] <con100000|5> nothing to initiate
I've looked at the ID change/issue, but my P1 session ID is Local IP, and the connection appears to be coming up - I just get no packets flowing.
I'm assuming the ASA config is good as it worked fine for a long time on 2.4.5.
FYI - I have deleted all the VPN config and re-configured fresh on 21.02 - Same results.
Another FYI - I'm seeing two strange things:
1 - On the IPSec status screen I see a Child SA entry (I'm assuming P2?) under the main IPSec entry (P1?) - This Child SA entry has my local and remote subnets as defined in my P2 config. The stats show that there are packets out, but no packets in.
2 - On this same screen, under the above entries, I see another entry with the same configuration (I only have one VPN configured) that says it's Disconnected. I've clicked the Connect button numerous times and nothing changes.
I don't see anything that stands out in the logs as an obvious issue - It's almost like the routing is not correct. Should I be seeing an entry in netstat -r for my remote network? (I'm not).
Definitely something strange going on with IPSec in this release.
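The symptom described above (a Child SA that shows packets out but none in, next to the `nothing to initiate` line) can be checked from the firewall shell instead of the status widget. The script below is an added example, not code from this thread or from Netgate; it parses constructed output laid out like strongSwan's `swanctl --list-sas`, flags installed CHILD_SAs that have sent ESP packets but received none, and pulls `nothing to initiate` entries out of charon log lines. The connection name `con100000`, the IKE SA number 5 and the quoted log line come from the post; the addresses, SPIs, counters and the second connection are placeholders. On the `netstat -r` question: a policy-based (non-VTI) IPsec tunnel on pfSense is selected by kernel security policies, not by routing-table entries, so no route for the remote subnet is expected there.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the layout of `swanctl --list-sas`.
# con100000 / IKE SA #5 are from the thread; everything else is a placeholder.
SAMPLE_SAS = """\
con100000: #5, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 120s ago, rekeying in 3300s
  con100000: #3, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 120s ago, rekeying in 3000s, expires in 3480s
    in  c1a2b3c4,      0 bytes,     0 packets
    out c4b3a2c1,   4200 bytes,    35 packets,     2s ago
    local  10.0.0.0/24
    remote 192.168.10.0/24
con200000: #6, ESTABLISHED, IKEv2, 1111222233334444_i* 5555666677778888_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.30' @ 198.51.100.30[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 900s ago, rekeying in 2500s
  con200000: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 900s ago, rekeying in 2200s, expires in 2700s
    in  aaaa0001,  81200 bytes,   610 packets,     1s ago
    out aaaa0002,  77300 bytes,   598 packets,     1s ago
    local  10.0.0.0/24
    remote 192.168.20.0/24
"""

# First line is the charon message quoted in the post; second is a constructed healthy line.
SAMPLE_LOG = [
    "Feb 20 10:11:11 charon 45335 12[IKE] <con100000|5> nothing to initiate",
    "Feb 20 10:11:12 charon 45335 12[IKE] <con200000|6> CHILD_SA con200000{4} established",
]

IKE_SA_RE = re.compile(r"^(\S+): #(\d+), (\w+)")                      # column 0: IKE SA header
CHILD_SA_RE = re.compile(r"^  (\S+): #(\d+), reqid (\d+), (\w+), (\w+)")  # 2-space indent: CHILD_SA
COUNTER_RE = re.compile(r"^\s+(in|out)\s+[0-9a-fA-F]+,\s+(\d+) bytes,\s+(\d+) packets")
SELECTOR_RE = re.compile(r"^    (local|remote)\s+(.+?)\s*$")           # 4-space indent: traffic selectors
NOTHING_TO_INITIATE_RE = re.compile(r"\[IKE\] <([^|>]+)\|(\d+)> nothing to initiate")


def parse_child_sas(text: str) -> List[Dict]:
    """Turn swanctl-style output into one record per CHILD_SA (counters + selectors)."""
    children: List[Dict] = []
    ike_name = None
    cur = None
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m:                      # new IKE SA block: close any open child record
            ike_name, cur = m.group(1), None
            continue
        m = CHILD_SA_RE.match(line)
        if m:
            cur = {"ike": ike_name, "name": m.group(1), "id": int(m.group(2)),
                   "reqid": int(m.group(3)), "state": m.group(4), "mode": m.group(5),
                   "bytes_in": 0, "pkts_in": 0, "bytes_out": 0, "pkts_out": 0,
                   "local_ts": [], "remote_ts": []}
            children.append(cur)
            continue
        if cur is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            direction, nbytes, npkts = m.groups()
            cur[f"bytes_{direction}"] = int(nbytes)
            cur[f"pkts_{direction}"] = int(npkts)
            continue
        m = SELECTOR_RE.match(line)
        if m:
            cur[f"{m.group(1)}_ts"] = m.group(2).split()
    return children


def find_one_way_tunnels(children: List[Dict]) -> List[Dict]:
    """Installed CHILD_SAs that sent ESP packets but received none: IKE negotiated fine,
    so the fault is in the ESP data path (return routing/selectors on the peer, or a
    local decrypt failure), not in Phase 1."""
    return [c for c in children
            if c["state"] == "INSTALLED" and c["pkts_out"] > 0 and c["pkts_in"] == 0]


def nothing_to_initiate(log_lines: List[str]) -> List[Tuple[str, int]]:
    """(connection, IKE SA number) for every charon 'nothing to initiate' line."""
    hits = []
    for line in log_lines:
        m = NOTHING_TO_INITIATE_RE.search(line)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def report(text: str, log_lines: List[str]) -> List[str]:
    """Human-readable findings, one per line."""
    out = []
    for c in find_one_way_tunnels(parse_child_sas(text)):
        out.append(f"{c['name']} #{c['id']}: {' '.join(c['local_ts'])} -> {' '.join(c['remote_ts'])}: "
                   f"sent {c['pkts_out']} packets, received 0; check the return path on the peer")
    for conn, num in nothing_to_initiate(log_lines):
        out.append(f"{conn} IKE SA #{num}: charon logged 'nothing to initiate'")
    return out


if __name__ == "__main__":
    for finding in report(SAMPLE_SAS, SAMPLE_LOG):
        print(finding)
```

On a live box, feed the real `swanctl --list-sas` output and the IPsec log to `report()`. A one-way finding separates the two failure classes in this thread: the tunnel negotiated, so the remaining suspects are the peer's routing or Phase 2 selectors and the local ESP path, which is where the hardware-crypto workaround reported further down fits.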
MMapplebeck last edited by
@mystic330 If you install the System Patches package and install patch ead6515637a34ce6e170e2d2b0802e4fa1e63a00 from @jimp, it will fix the display issue. As for the other problem of packets not flowing properly, I have seen a few posts mention it, and I am having the same issue.
Sadly, there seems to be something very wrong with strongSwan/IPsec in 21.02, from invalid values (rekey time breaks if 0 is in the field; it should be blank), mismatched tunnel IDs (the above patch addresses this), widget problems and reports of secrets getting mangled, to P2s that are no longer transmitting data.
That patch did fix the IPsec status page.
Lots of issues indeed :-(
I will play with it for another day or two, but then I'll need to revert back to code that I know works...
If anybody needs any logs, testing, etc. to troubleshoot this issue please let me know.
Really not a happy camper....
After loading my old config, my IPsec remote clients aren’t working either....
So I needed to go back to 2.4.5.... so I threw in the USB with the image I got from Netgate and it erased the flash and then booted and said “unsupported system, no serial number”....🤬
This is a real deal SG1100!!!!
So now I’ve got a brick....
@mystic330 I am not sure if I hit the same issue as you, but:
when I enable hw crypto one of my tunnels does not work (I am quite sure it's a Cisco on the other side).
After disabling hw crypto and a reboot the same tunnel config works. Tested again right now.
@sgw I can confirm disabling hw crypto on our SG-1100 running 21.02 fixed our tunnels to a Sonicwall. We had the same issues as the OP, tunnels connected but no traffic flowing inside.