IPsec failing with 21.02-p1
I am experiencing a failure of all IPsec tunnels following an upgrade to 21.02-p1. There are three different IPsec configurations:
- A site to site between pfSense and a Cisco
- A site to site between pfSense 21.02-p1 and pfSense 2.4.5
- A mobile between iPhones and pfSense 21.02-p1.
These worked following the upgrade to 21.02, but failed following the upgrade to 21.02-p1.
The errors vary quite a bit:
For the site to site with Cisco, I'm seeing "received AUTHENTICATION_FAILED notify error".
For the site to site with pfSense 2.4.5, it looks like the negotiation starts fine, but then drops into retransmitting message ID 0 in a loop.
For the mobile IPsec, I am seeing "no IKE config found".
Is there a convenient way to back out to 21.02?
There were no changes to IPsec on 21.02-p1 after 21.02. It would be the same on both. The only change in 21.02-p1 was a kernel fix for SG-3100 stability.
There are a number of problems on 21.02/2.5.0 which could lead to those symptoms, though. There are several threads here in the IPsec category with a list of patches to apply as a first step.
@jimp So, after a lot of experimenting I know what is happening, I just don't know why.
The problem is that swanctl.conf is being written with the wrong IPv4 address for "local_addrs" and for "id".
I have Virtual IPs configured to support 1:1 NAT in the DMZ. When IPv6 / DHCP6 is in use on the WAN interface, swanctl is written with the first Virtual IP address rather than the address of the firewall itself.
Consider the following steps:
1: Set IPv6 Configuration Type for WAN to None. Reboot. After boot, IPv4 addresses in swanctl for local_addrs and id are correct, corresponding to the IP address of the WAN interface. IPsec functions correctly.
2: Set IPv6 Configuration Type for WAN to DHCP6. After the DHCP lease is granted, IPv6 addresses are added to local_ts and remote_ts in bypasslan. IPv4 addresses for local_addrs and id are correct, corresponding to the IP address of the WAN interface. IPsec functions correctly.
3: Reboot. After boot, IPv4 addresses for local_addrs and id are incorrect, corresponding to the first Virtual IP rather than the address of the WAN interface. IPsec does not function.
Sounds a bit crazy, yes. But it is completely repeatable.
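An added check for the mismatch described in the post above (example code written for this page, not from the thread, from pfSense or from strongSwan): it parses a swanctl.conf, tracks the block nesting so only `local_addrs` and the `id` inside a `local { }` block are inspected, and reports any value that is not the firewall's own WAN IPv4 address. The config path, the interface name passed to `ifconfig`, and the sample addresses (WAN 203.0.113.10, first Virtual IP 203.0.113.20) are assumptions; the sample config is constructed to mirror what the post says the generator writes.

```shell
#!/bin/sh
# Added example, not from the thread: verify that local_addrs and the local
# id in a strongSwan swanctl.conf match the firewall's own WAN IPv4 address.
# Config path, interface name and all addresses below are assumptions.

# Print ok/MISMATCH for each local_addrs value and for each id inside a
# local{} block; return 1 if any of them does not contain the expected address.
# $1 = expected WAN IPv4, $2 = swanctl.conf path
check_swanctl_local() {
    awk -v want="$1" '
        index($0, "{") { depth++; blk[depth] = $1; next }   # enter a block
        index($0, "}") { depth--; next }                    # leave a block
        {
            key = $1; sub(/=.*/, "", key)                   # "key = value" -> key
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)         # -> value
            sub(/[ \t]*#.*$/, "", val); sub(/[ \t]+$/, "", val)
        }
        key == "local_addrs" || (key == "id" && blk[depth] ~ /^local/) {
            # local_addrs may be a comma-separated list; accept it if the
            # WAN address is one of the entries.
            n = split(val, parts, /[ \t]*,[ \t]*/); found = 0
            for (i = 1; i <= n; i++) if (parts[i] == want) found = 1
            if (found) printf "ok       %s = %s\n", key, val
            else { printf "MISMATCH %s = %s (expected %s)\n", key, val, want; bad = 1 }
        }
        END { exit bad }
    ' "$2"
}

# On the firewall itself: first IPv4 address of an interface, from FreeBSD
# ifconfig output. The interface name (e.g. igb0) is an assumption.
wan_ipv4() {
    ifconfig "$1" inet | awk '/inet / { print $2; exit }'
}

# Constructed sample in swanctl.conf layout; $2 is the address the generator
# wrote into local_addrs and the local id.
write_sample_conf() {
    cat > "$1" <<EOF
connections {
    con1 {
        local_addrs = $2
        remote_addrs = 198.51.100.5
        local {
            id = $2
            auth = psk
        }
        remote {
            id = 198.51.100.5
            auth = psk
        }
        children {
            con1 {
                local_ts = 10.0.0.0/24
                remote_ts = 10.1.0.0/24
            }
        }
    }
}
EOF
}

# Demo with constructed values: WAN is 203.0.113.10, first Virtual IP is 203.0.113.20.
tmp=$(mktemp)
write_sample_conf "$tmp" 203.0.113.20    # what the post describes after a reboot
check_swanctl_local 203.0.113.10 "$tmp" || echo "swanctl.conf carries a Virtual IP, not the WAN address"
write_sample_conf "$tmp" 203.0.113.10    # what it should contain
check_swanctl_local 203.0.113.10 "$tmp" && echo "swanctl.conf matches the WAN address"
rm -f "$tmp"

# On a pfSense box (paths/interface assumed):
#   check_swanctl_local "$(wan_ipv4 igb0)" /var/etc/ipsec/swanctl.conf
```

Only the `local` block's `id` is compared; the `remote` block's `id` is intentionally skipped, since the post reports the local identity and `local_addrs` as the fields that go wrong. Running the check right after boot and again after a DHCP6 lease renewal shows whether the file was regenerated with the Virtual IP, which is the sequence the steps above describe.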
OK, that is one we are aware of then:
@jimp Thanks Jim