Netgate Discussion Forum
    Cannot restart ipsec service, is there a way to determine if ipsec config has been loaded?

IPsec
    4 Posts 2 Posters 562 Views
gustavgans (last edited by gustavgans)

I'm having trouble adding another IPsec Phase 2. One firewall says "no child SA found" (although the left/right subnet config is the same on both sides).

I suspect this is because the config has not been loaded: when checking on the CLI with "ipsec statusall" I don't see the Phase 2 connection I've added via the web interface. In /var/etc/ipsec/ipsec.conf the Phase 2 entry is there, though.

Also, the "ipsec statusall" command told me the charon daemon has been running for 1600 days, so I figured I'd just restart the ipsec service via the web interface buttons in the upper right corner. But after the "restart" it still shows 1600 days uptime for the charon daemon and the IPsec connections did not drop, so I guess it didn't restart.

      Found these commands here on the forum:
      pfSsh.php playback svc stop ipsec
      pfSsh.php playback svc start ipsec

      and tried them, but they didn't work.

      Is there a way to determine if the config has been loaded by that daemon?

      Is there another way to restart the daemon maybe? Without restarting the whole pfsense?

pfSense version is 2.3.2.

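One way to answer the question in the post above ("has charon actually loaded what is in /var/etc/ipsec/ipsec.conf?") on a stroke-based strongSwan 5.x such as the one in pfSense 2.3, added here as an example; it is not code from the thread, from pfSense or from Netgate. It lists the "conn" names pfSense wrote to ipsec.conf, lists the names charon reports under "Connections:" in "ipsec statusall", and prints the ones only in the file, plus charon's uptime in days so a "restart" that did nothing is obvious. Both inputs below are constructed samples (the con1000/con1001 naming, the addresses and the statusall layout are assumptions made for the example) so that it runs offline; on a real box replace them with the real file and command output as the comments show.

```shell
#!/bin/sh
# Added example (not from the forum thread or pfSense): compare the conns in the
# generated ipsec.conf with the conns charon has loaded.
#
# On a real pfSense 2.3.x box use the live inputs instead of the samples:
#   IPSEC_CONF="$(cat /var/etc/ipsec/ipsec.conf)"
#   STATUS="$(/usr/local/sbin/ipsec statusall)"

# Constructed sample of a pfSense-generated ipsec.conf. The conn names and
# addresses are assumptions for the example, not real data.
IPSEC_CONF='config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 192.168.1.0/24
    rightsubnet = 192.168.1.0/24
    type = passthrough
    auto = route

conn con1000
    keyexchange = ikev2
    left = 203.0.113.10
    right = 198.51.100.20
    leftsubnet = 192.168.1.0/24
    rightsubnet = 10.0.0.0/24
    auto = route

conn con1001
    keyexchange = ikev2
    left = 203.0.113.10
    right = 198.51.100.20
    leftsubnet = 192.168.2.0/24
    rightsubnet = 10.0.0.0/24
    auto = route
'

# Constructed sample of "ipsec statusall" from a charon that has NOT re-read
# the file: con1001 (the newly added Phase 2) is missing under Connections:.
STATUS='Status of IKE charon daemon (strongSwan 5.5.1, FreeBSD 10.3-RELEASE-p11, amd64):
  uptime: 1600 days, since Nov 02 01:00:00 2016
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
Listening IP addresses:
  203.0.113.10
Connections:
   bypasslan:  %any...%any  IKEv1/2
   bypasslan:   child:  192.168.1.0/24 === 192.168.1.0/24 PASS
     con1000:  203.0.113.10...198.51.100.20  IKEv2
     con1000:   local:  [203.0.113.10] uses pre-shared key authentication
     con1000:   child:  192.168.1.0/24 === 10.0.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     con1000[3]: ESTABLISHED 2 hours ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f60718_o
'

# conn names declared in the ipsec.conf text passed as $1, one per line, sorted.
conf_conns() {
    printf '%s\n' "$1" | awk '$1 == "conn" { print $2 }' | sort -u
}

# conn names charon lists between "Connections:" and "Security Associations"
# in the statusall text passed as $1; every line there starts with "<name>:".
loaded_conns() {
    printf '%s\n' "$1" | awk '
        /^Connections:/          { in_conns = 1; next }
        /^Security Associations/ { in_conns = 0 }
        in_conns && match($0, /^ *[^ :]+:/) {
            name = substr($0, RSTART, RLENGTH)
            gsub(/^ +|:$/, "", name)
            print name
        }' | sort -u
}

# conns present in the file ($1) that charon ($2) has not loaded; empty = in sync.
missing_conns() {
    loaded=$(loaded_conns "$2")
    conf_conns "$1" | while read -r name; do
        printf '%s\n' "$loaded" | grep -qx -- "$name" || printf '%s\n' "$name"
    done
}

# charon uptime in whole days from the "uptime:" line of statusall ($1).
charon_uptime_days() {
    printf '%s\n' "$1" | awk '/uptime:/ { sub(/.*uptime: */, ""); sub(/ days.*/, ""); print; exit }'
}

missing=$(missing_conns "$IPSEC_CONF" "$STATUS")
printf 'charon uptime: %s days\n' "$(charon_uptime_days "$STATUS")"
if [ -n "$missing" ]; then
    printf 'In ipsec.conf but NOT loaded by charon:\n%s\n' "$missing"
else
    echo 'All conns in ipsec.conf are loaded by charon.'
fi
```

If the script reports a conn that is in the file but not in charon, the file was written but never handed to the daemon. With the legacy starter that pfSense 2.3 uses, "ipsec update" (add new conns, drop deleted ones) and "ipsec reload" (re-read the whole file) push ipsec.conf into the running charon without killing established SAs for unchanged conns; whether pfSense's service-restart button issues either on that release is not something this thread establishes, so check "ipsec statusall" again afterwards. If the uptime does not change across a "restart", the daemon was never restarted at all.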
jimp (Rebel Alliance Developer, Netgate) @gustavgans

        @gustavgans said in Cannot restart ipsec service, is there a way to determine if ipsec config has been loaded?:

pfSense version is 2.3.2

        That version is several years out of date. You aren't going to get a lot of help trying to diagnose a problem on a version that old. Update to a current supported version and if you still have problems, there are ways to debug that better there using swanctl.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

gustavgans

          Upgrade is not an option unfortunately, it's a production system. Even rebooting is not really an option (downtime), that's why I asked the above question.

jimp (Rebel Alliance Developer, Netgate)

            2.3.2 is 6 years old. No system is so important that it can't have any downtime in 6 years to upgrade, and if it was, it should be in HA so upgrades have minimum impact.

            Upgrade.

jimp locked this topic on
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.