Cannot restart ipsec service, is there a way to determine if ipsec config has been loaded?

gustavgans

I'm having trouble adding another IPSEC Phase2. One fireweall says "no child SA found" (although the left/right subnet config is the same on both sides).

I suspect this is because the config has not been loaded, when checking on the CLI with "ipsec statusall" I don't see the Phase2 connection I've added via webinterface. In /var/etc/ipsec/ipsec.conf the Phase2 entry is there, though.

Also, the "ipsec statusall" command told me the charon daemon is running since 1600 days, so I figured I'd just restart the ipsec service via webinterface buttons in the upper right corner. But after the "restart" it still shows 1600 days uptime for the charon daemon and the ipsec connections did not drop, so I guess it didn't restart.

Found these commands here on the forum:
pfSsh.php playback svc stop ipsec
pfSsh.php playback svc start ipsec

and tried them, but they didn't work.

Is there a way to determine if the config has been loaded by that daemon?

Is there another way to restart the daemon maybe? Without restarting the whole pfsense?

PfSense Version is 2.3.2.

jimp

@gustavgans said in Cannot restart ipsec service, is there a way to determine if ipsec config has been loaded?:

PfSense Version is 2.3.2

That version is several years out of date. You aren't going to get a lot of help trying to diagnose a problem on a version that old. Update to a current supported version and if you still have problems, there are ways to debug that better there using swanctl.

gustavgans

Upgrade is not an option unfortunately, it's a production system. Even rebooting is not really an option (downtime), that's why I asked the above question.

jimp

2.3.2 is 6 years old. No system is so important that it can't have any downtime in 6 years to upgrade, and if it was, it should be in HA so upgrades have minimum impact.

Upgrade.