21.02 Upgrade Broke IPSec site-2-site to Cisco ASA
-
Reading the advise of the other thread, I'm opening a new thread based on my specific IPSec issue with 21.02....
Had a previous 2.4.5 install working fine with Site-2-site VPN to a Cisco ASA.
Upgraded to 21.02 and the VPN connects fine, but no traffic flows.The only negative comment in the logs I can find is:
Feb 20 10:11:11 charon 45335 12[IKE] <con100000|5> nothing to initiateI've looked at the ID change/issue, but my P1 session ID is Local IP, and the connection appears to be coming up - I just get no packets flowing.
I'm assuming the ASA config is good as it worked fine for a long time on 2.4.5.
Any ideas?
-
FYI - I have deleted all the VPN config and re-configured fresh on 21.02 - Same results.
-
Another FYI - I'm seeing two strange things:
1 - On the IPSec status screen I see a Child SA entry (I'm assuming P2?) under the main IPSec entry (P1?) - This Child SA entry has my local and remote subnets as defined in my P2 config. The stats show that there are packets out, but no packets in.
2 - On this same screen, under the above entries, I see another entry with the same configuration (I only have one VPN configured) that says it's Disconnected. I've clicked the Connect button numerous times and nothing changes.
I don't see anything that stands out in the logs as an obvious issue - It's almost like the routing is not correct. Should I be seeing an entry in netstat -r for my remote network? (I'm not).
Definitely something strange going on with IPSec in this release.
-
@mystic330 If you install the System Patches package, and install patch ead6515637a34ce6e170e2d2b0802e4fa1e63a00 from @jimp , it will fix the display issue, as for the other problem of packets not flowing properly, I have seen a few posts mention it, and I am having the same issue.
Sadly, there seems to be something very wrong with strongswan/IPSec in 21.02, from invalid values(rekey time breaks if 0 is in field, should be blank), mismatched tunnel IDs(the above patch addresses this), widget problems, reports of secrets getting mangled, P2 that are no longer transmitting data.
-
@mmapplebeck Thanks!
That patch did fix the Ipsec status page.Lots of issues indeed :-(
I will play with it for another day or two, but then I'll need to revert back to code that I know works...If anybody needs any logs, testing, etc. to troubleshoot this issue please let me know.
-
Really not a happy camper....
After loading my old config, my IPsec remote clients aren’t working either....
So I needed to go back to 2.4.5.... so I threw in the USB with the image I got from Netgate and it erased the flash and then booted and said “unsupported system, no serial number”....🤬
This is a real deal SG1100!!!!
So now I’ve got a brick.... -
@mystic330 I am not sure if I hit the same issue as you, but:
when I enable hw crypto one of my tunnels does not work (I am quite sure it's a Cisco on the other side).
After disabling hw crypto and a reboot the same tunnel config works. Tested again right now.
-
@sgw I can confirm disabling hw crypto on our SG-1100 running 21.02 fixed our tunnels to a Sonicwall. We had the same issues as the OP, tunnels connected but no traffic flowing inside.
