IPsec VTI does not pass traffic on 2.6.0
-
@jimp Hi very happy to start a new thread - lets call it 2.6.0 ipsec is broken - dont upgrade (yet).
Seriously - in the few days there appears to a lot of activity around ipsec having issues on 2.6 and people here trying to assist and fix their broken networks (remember this is a release version)
As a netgate developer how about you start a new thread for Systems that have had ipsec fail after upgrading from 2.5 to 2.6 and from there you can be particular about what information you want to put where.
Whether it be the VTI is broken, the tunnel is broken, the routing is broken - hey it just stopped working after upgrading. Most customers are coming here looking or answers on why it stopped after upgrading.
My offer is still open for you to look at a working 2.5 - we can revert to 2.6 and you can diagnose it anyway you want. You can have remote access; Im keen for this to be resolved rather than sitting back concerned im posting into the wrong thread about a general ipsec failure.
-
It is working for the vast majority of people, such a dire warning is unwarranted. It has been thoroughly tested internally and over the last six months or more in snapshots including heavy use on Netgate infrastructure used by all of our employees.
Keep your thread subjects relevant, for example "IPsec VTI tunnel will not reconnect on 2.6.0" or similar. Do not assume it's happening to anyone but you, and do not assume your problem is identical to others. Only after diagnosing the problem can such a determination be made.
It's important to keep each report separate so that the details do not get confused.
-
This post is deleted! -
@jimp
Here's the outputs.
https://github.com/thatsysadmin/pfsense_2.6.0_IPsec_troubleshootingOne thing;
/var/etc/swanctl.conf
doesn't exist, did you mean/var/etc/ipsec/strongswan.conf
? -
@thatsysadmin said in IPsec VTI does not pass traffic on 2.6.0:
@jimp
Here's the outputs.
https://github.com/thatsysadmin/pfsense_2.6.0_IPsec_troubleshootingOne thing;
/var/etc/swanctl.conf
doesn't exist, did you mean/var/etc/ipsec/strongswan.conf
?I meant
/var/etc/ipsec/swanctl.conf
, I've edited the post above. I'll check out the other info and see if anything stands out. -
You have two P2s on that tunnel, one tunnel mode and one VTI. That isn't a valid configuration and it's unnecessary. You should remove the tunnel mode entry (not just disable it). If you do that and then stop IPsec, then start IPsec, it might start working.
That would explain the reqid mismatching which is likely why traffic isn't passing. In
setkey
it shows it's looking for reqid5001
but inifconfig
the interface is set for5002
. -
@jimp
After a reconfiguration of the interfaces, it works. Thanks for all your help.But why would having one of the phase 2s disabled break the whole thing though; shouldn't it be disregarded if it was disabled?
-
@thatsysadmin ahh interesting - I think I might have some disabled too.. After 2.5.2 left the status on P2 messed up i've not been actively monitoring them. If you have a testing setup does disabling them at EITHER end break 2.6
-
I too also had some lingering Phase 2's configured for tunnel mode, albeit in a disabled state as they were from before I made the switch to route-based.
After wrestling to remove these within 2.5.2 - which required reconfiguring the VTI setup - the VPN eventually started passing traffic again. After this, I took the plunge to 2.6.0 and it came back up successfully without any changes needed.
So it does seem like the common issue here in that if using routed mode (VTI) with old tunnel mode phase 2's still setup - even if they're disabled - prevents the s2s from passing traffic.
Glad we got there in the end :) Thanks for your assistance @jimp
-
@thatsysadmin said in IPsec VTI does not pass traffic on 2.6.0:
But why would having one of the phase 2s disabled break the whole thing though; shouldn't it be disregarded if it was disabled?
It could probably handle that better, but it's not a valid combination to have a mix of tunnel and VTI even if some are disabled. They should all be the same type, and really there should be at most one VTI P2 per address family (so one IPv4, one IPv6). I'm not sure if we have validation which actively checks for and prevents that yet, though.