Not able to set Local Network to Network in IPsec Phase 2
-
I just acquired a SG-5100 running the latest 21.05-RELEASE and I am struggling to set up an IPsec (Routed (VTI)) connection to another pfSense box (SG-7100) running 2.4.4-RELEASE-p3.
The SG-7100 box is set up with multiple IPsec connections and I have set up this new connection similar to the other IPsec tunnels on the SG-7100. Only difference is that I am not able to set and save the Local Network as "Network". I can choose "Network" in the drop-down but it will be saved as "Address".
Could this be the culprit of my connection issue and is there a way to force it to save as Network?
The log for IPsec on my end is flooded with these two lines (IP addresses replaced):-
charon 35542 15 [KNL] creating acquire job for policy xxx.xxx.xxx.xxx/322|/0 === yyy.yyy.yyy.yyy32|/0 with reqid {1}
-
charon 35542 15[CFG] trap not found, unable to acquire reqid 1
-
-
Edit: Ahh, it's VTI mode. Didn't notice.
-
@ar-thomas VTI IPSec is different from a policy IPSec connection. You aren’t making policies for networks; rather, you are merely creating a gateway over which you can route specific traffic based on static routes and policy based routing. There was a very helpful hangout that was done on VTI IPSec right after it was included in pfsense. I’ve referred to it a few times over the years myself. It can be found at:
https://www.slideshare.net/NetgateUSA/routed-ipsec-on-pfsense-244-pfsense-hangout-june-2018
As the hangout and the pfsense documentation indicate, you need to be very sure that the settings (IKE type (should be 2), encryption and hash, etc.) are exactly the same on both the 7100 and the 5100.
Try setting things up from scratch after reviewing the slides and, if you still have issues, please post screenshots of your P1, P2, gateway and static routes for both sides.
Also, any reason you haven’t updated the 7100 to 21.05?
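The two charon lines quoted in the question (an acquire job for a /32 policy followed by "trap not found" for the same reqid) repeat because the kernel keeps asking for a policy that charon has no matching trap for, which is what you see when one side is configured as a VTI tunnel and the other as a policy-based one. The script below is an added example, not code from the thread or from pfSense/strongSwan: it reads a constructed snippet of the IPsec log, pairs acquire jobs with "trap not found" messages by reqid, and reports any reqid that is looping, together with the local/remote selectors, so the mismatched P2 entry can be found quickly. The sample IP addresses and the `con1000` connection name are assumptions made up for the sample.

```python
import re
from collections import Counter

# Constructed sample log modelled on the two charon messages quoted above.
# Addresses are documentation ranges; the CHILD_SA line is an invented healthy entry
# so that the summary shows a reqid that is NOT looping.
SAMPLE_LOG = """\
charon 35542 15[KNL] creating acquire job for policy 192.0.2.10/32|/0 === 198.51.100.20/32|/0 with reqid {1}
charon 35542 15[CFG] trap not found, unable to acquire reqid 1
charon 35542 15[KNL] creating acquire job for policy 192.0.2.10/32|/0 === 198.51.100.20/32|/0 with reqid {1}
charon 35542 15[CFG] trap not found, unable to acquire reqid 1
charon 35542 15[KNL] creating acquire job for policy 192.0.2.10/32|/0 === 198.51.100.20/32|/0 with reqid {1}
charon 35542 15[CFG] trap not found, unable to acquire reqid 1
charon 35542 09[IKE] establishing CHILD_SA con1000{2} reqid 2
"""

# Selector format as charon prints it: "<local-subnet>|/<proto> === <remote-subnet>|/<proto>"
ACQUIRE_RE = re.compile(
    r"creating acquire job for policy (\S+) === (\S+) with reqid \{(\d+)\}"
)
TRAP_RE = re.compile(r"trap not found, unable to acquire reqid (\d+)")


def summarize_acquire_loop(log_text, threshold=2):
    """Return a list of reqids that show a repeating acquire / trap-not-found pair.

    threshold: how many acquire AND trap messages a reqid needs before it is
    reported; a single pair can happen transiently while a tunnel comes up.
    """
    acquires = Counter()   # reqid -> number of acquire jobs seen
    traps = Counter()      # reqid -> number of "trap not found" messages seen
    selectors = {}         # reqid -> (local selector, remote selector)

    for line in log_text.splitlines():
        m = ACQUIRE_RE.search(line)
        if m:
            local, remote, reqid = m.groups()
            acquires[reqid] += 1
            selectors[reqid] = (local, remote)
            continue
        m = TRAP_RE.search(line)
        if m:
            traps[m.group(1)] += 1

    findings = []
    for reqid in sorted(set(acquires) | set(traps), key=int):
        if acquires[reqid] >= threshold and traps[reqid] >= threshold:
            local, remote = selectors.get(reqid, ("?", "?"))
            findings.append({
                "reqid": reqid,
                "acquires": acquires[reqid],
                "traps": traps[reqid],
                "local": local,
                "remote": remote,
            })
    return findings


def format_findings(findings):
    """Human-readable one-liners for the forum / ticket."""
    if not findings:
        return "no looping acquire jobs found"
    return "\n".join(
        f"reqid {f['reqid']}: {f['acquires']} acquire jobs, {f['traps']} trap-not-found "
        f"for policy {f['local']} === {f['remote']} (check P2 mode/selectors on both peers)"
        for f in findings
    )


if __name__ == "__main__":
    print(format_findings(summarize_acquire_loop(SAMPLE_LOG)))
```

Run it against a real export of Status > System Logs > IPsec instead of `SAMPLE_LOG` to see which reqid is flooding; the selectors it prints are the ones to compare against the Phase 2 entry on the far side.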