IPsec VTI does not pass traffic on 2.6.0
-
This post is deleted! -
@jimp
Here's the outputs.
https://github.com/thatsysadmin/pfsense_2.6.0_IPsec_troubleshootingOne thing;
/var/etc/swanctl.conf
doesn't exist, did you mean/var/etc/ipsec/strongswan.conf
? -
@thatsysadmin said in IPsec VTI does not pass traffic on 2.6.0:
@jimp
Here's the outputs.
https://github.com/thatsysadmin/pfsense_2.6.0_IPsec_troubleshootingOne thing;
/var/etc/swanctl.conf
doesn't exist, did you mean/var/etc/ipsec/strongswan.conf
?I meant
/var/etc/ipsec/swanctl.conf
, I've edited the post above. I'll check out the other info and see if anything stands out. -
You have two P2s on that tunnel, one tunnel mode and one VTI. That isn't a valid configuration and it's unnecessary. You should remove the tunnel mode entry (not just disable it). If you do that and then stop IPsec, then start IPsec, it might start working.
That would explain the reqid mismatching which is likely why traffic isn't passing. In
setkey
it shows it's looking for reqid5001
but inifconfig
the interface is set for5002
. -
@jimp
After a reconfiguration of the interfaces, it works. Thanks for all your help.But why would having one of the phase 2s disabled break the whole thing though; shouldn't it be disregarded if it was disabled?
-
@thatsysadmin ahh interesting - I think I might have some disabled too.. After 2.5.2 left the status on P2 messed up i've not been actively monitoring them. If you have a testing setup does disabling them at EITHER end break 2.6
-
I too also had some lingering Phase 2's configured for tunnel mode, albeit in a disabled state as they were from before I made the switch to route-based.
After wrestling to remove these within 2.5.2 - which required reconfiguring the VTI setup - the VPN eventually started passing traffic again. After this, I took the plunge to 2.6.0 and it came back up successfully without any changes needed.
So it does seem like the common issue here in that if using routed mode (VTI) with old tunnel mode phase 2's still setup - even if they're disabled - prevents the s2s from passing traffic.
Glad we got there in the end :) Thanks for your assistance @jimp
-
@thatsysadmin said in IPsec VTI does not pass traffic on 2.6.0:
But why would having one of the phase 2s disabled break the whole thing though; shouldn't it be disregarded if it was disabled?
It could probably handle that better, but it's not a valid combination to have a mix of tunnel and VTI even if some are disabled. They should all be the same type, and really there should be at most one VTI P2 per address family (so one IPv4, one IPv6). I'm not sure if we have validation which actively checks for and prevents that yet, though.