PFSense - IPSEC to Fortigate - Too Many Phase 2 SA's kills Tunnel
-
Good Afternoon
Happy Friday - Thank You in advance for your time.....
We have a policy-based IPsec tunnel configured between the pfSense and Fortigate firewalls. We have (2) entries in the Phase 2 and that passes traffic perfectly. When I start to add Phase 2 entries on the pfSense and bring up that Security Association on the Fortigate, I would expect to see it up on the pfSense side..... I see some but not all. I see them up on the Fortigate side but I don't see them on the pfSense side. When it starts to get to 6 networks in the Phase 2, the first (2) networks in the tunnel that were able to pass traffic..... stop working.
I tried to add 0.0.0.0/0 for Local and Remote Network but the pfSense barks back at me saying that the Phase 2 networks cannot overlap with the Phase 1 peer addresses.
Not sure if this was resolved in a later version......
Thanks Again
We are running version :
2.5.2-RELEASE (amd64)
-
I have fixed it for now.
The current tunnel configuration was set up as IKEv1. I have converted both sides of the tunnel to IKEv2 and I can now see all the SAs on the pfSense side, and they match the networks on the Fortigate side.
I am able to pass traffic on my 2 test networks. I will add more networks on Monday.... If I can pass traffic on all 14 of the networks.... then I am good. If not, IKEv2 on the pfSense side provided the ability to split connections. You can read more about split connections in this document.
https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configure-p1.html#advanced-options
Thank You
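The two failure modes the thread runs into are (a) a Phase 2 selector that swallows the Phase 1 peer address (the 0.0.0.0/0 attempt that pfSense rejects) and (b) Phase 2 entries that are not exact mirror images on the two peers, so some child SAs never come up. The script below is an added example, not code from the thread or from pfSense/Fortigate; it checks a planned selector set for both problems before anything is typed into either GUI. All addresses and networks are constructed documentation values, and the peer-overlap rule is an approximation of the pfSense message quoted above (assumed to apply to both the local and remote side).

```python
"""Pre-flight checks for a planned IPsec Phase 2 selector set.

Added example for the thread above; not pfSense's or Fortigate's own code.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample values (RFC 5737 documentation ranges), not the poster's real config.
PFSENSE_PEER = "203.0.113.10"     # pfSense WAN address (Phase 1 local peer)
FORTIGATE_PEER = "198.51.100.20"  # Fortigate WAN address (Phase 1 remote peer)

# Phase 2 entries as (local_network, remote_network) from each firewall's own point of view.
PFSENSE_P2 = [
    ("10.10.1.0/24", "192.168.50.0/24"),
    ("10.10.2.0/24", "192.168.50.0/24"),
    ("0.0.0.0/0", "0.0.0.0/0"),            # the catch-all the poster tried; contains the peers
]
FORTIGATE_P2 = [
    ("192.168.50.0/24", "10.10.1.0/24"),
    ("192.168.50.0/24", "10.10.3.0/24"),   # deliberate mistake: no matching entry on pfSense
]


def _norm(cidr: str) -> str:
    """Canonical CIDR string so 10.10.1.5/24 and 10.10.1.0/24 compare equal."""
    return str(ipaddress.ip_network(cidr, strict=False))


def peer_overlaps(selectors, local_peer: str, remote_peer: str) -> List[Tuple[str, str]]:
    """Return Phase 2 entries whose local network contains the local Phase 1 peer
    address or whose remote network contains the remote peer address.
    Assumption: this mirrors the pfSense rule quoted in the thread, checked for both ends."""
    lp = ipaddress.ip_address(local_peer)
    rp = ipaddress.ip_address(remote_peer)
    bad = []
    for local, remote in selectors:
        local_net = ipaddress.ip_network(local, strict=False)
        remote_net = ipaddress.ip_network(remote, strict=False)
        if lp in local_net or rp in remote_net:
            bad.append((local, remote))
    return bad


def mirror_mismatches(side_a, side_b):
    """Every (local, remote) selector on side A must exist as (remote, local) on side B,
    otherwise the corresponding child SA can only be negotiated from one end.
    Returns (a_entries_without_mirror, b_entries_without_mirror), each sorted."""
    a = {(_norm(l), _norm(r)) for l, r in side_a}
    b = {(_norm(l), _norm(r)) for l, r in side_b}
    a_missing = sorted(s for s in a if (s[1], s[0]) not in b)
    b_missing = sorted(s for s in b if (s[1], s[0]) not in a)
    return a_missing, b_missing


if __name__ == "__main__":
    for local, remote in peer_overlaps(PFSENSE_P2, PFSENSE_PEER, FORTIGATE_PEER):
        print(f"REJECT  {local} <-> {remote}: selector contains a Phase 1 peer address")
    only_pf, only_fg = mirror_mismatches(PFSENSE_P2, FORTIGATE_P2)
    for local, remote in only_pf:
        print(f"MISSING on Fortigate: {remote} <-> {local}")
    for local, remote in only_fg:
        print(f"MISSING on pfSense:   {remote} <-> {local}")
```

Run it against the planned list before adding entries on either side; every line it prints is a selector that will either be refused by pfSense or sit "up" on one peer and absent on the other, which is exactly the symptom described in the first post.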