Netgate Discussion Forum
    IPSECD VPN Phase-2 configuration disappearing

    41 Posts 9 Posters 4.4k Views 9 Watching
kai.soelter:

Adding to discussion.
Same for me as scurriers' post from March 9.
P1 + P2 running for years, now all P2 disappeared from a specific P1 config.

There are still 9 of 12 P2 established though of that P1.
Will restore it from documentation.
stephenw10 (Netgate Administrator):

That was also after making some other config change?

In which pfSense version?
baustoffewolf:

Hello. We had the same issue yesterday night, 14th of July 2025, to today, 15th July 2025.

We have 5 IPSEC VPN tunnels entered in our v2.7.2 pfSense (all with P2 entries), of which 3 IPSECs (P1s) were productive. The pfSense itself is hosted on a VM in Microsoft Azure and it has an uninterrupted runtime of 375 days now.
Somewhen in the night, when nobody was working at the company, the pfSense lost all underlying P2 entries on two IPSEC P1 entries (one of these tunnels was deactivated/non-productive, but the other one was productive).

The business critical outage was reported to me in the early morning and I nearly needed two hours to find the root cause of the outage, because I could not imagine the tunnel config could have changed itself. So at first I investigated the internet connections, also with our ISP, and restarted local hardware, but that did not help.

I checked the logs to make sure the pfSense environment didn't get compromised, but there are no logins on the webgui or via ssh recognizable for us.
Though I was able to observe an anomaly in the logs. I attached the screenshot so there is some basis to investigate the issue.

Had to insert it as a picture instead of readable and copy-friendly raw text because the forum anti-spam flags it and prevents us posting...
(attached screenshot: pfsense-ipsec-p2-entries-lost-issue-15072025.jpg)

From the current point of view, we assume there is a critical software bug leading to these deletions, because we can't find a reasonable explanation on our behalf right now. Imo this should be further investigated by Netgate with a high priority, please, because we don't really understand what caused this self-destructive behavior of the pfSense application.
(For ourselves, we restored the P2 entries manually, so this is short-term solved for us now, but what if this issue strikes again? We have no feeling of security about the reliability of the application right now.) Thanks in advance for your feedback and kind regards from Germany.
stephenw10 (Netgate Administrator):

Had they actually been removed from the config or just the running tunnels?

I don't see any logs showing a config change there. Nothing of note really except packet loss on the WAN.
Tactis (replying to baustoffewolf):

@baustoffewolf If I remember correctly from my experience, my P2s also disappeared spontaneously.

When I went combing through the config history, it looks like a change to an (unrelated) tunnel made months earlier was when the bug had wiped out the affected P2 in the config. I'm not sure what event causes the tunnel config to actually reload, but it can be very far down the line.
stephenw10 (Netgate Administrator):

It's possible the config was changed and not reloaded at the time if the usual process was not used. Somehow. Then later some other event caused IPSec to reload and pulled in the new config values.

There should still be something logged somewhere though.
Tactis (replying to stephenw10):

@stephenw10 Gone from the config too. You could see in the config diff view that when I had removed a different P1 months ago, the P2s from the affected tunnel were removed too when the UI saved the changes.
stephenw10 (Netgate Administrator):

But somehow didn't actually remove them from the running IPSec until some time after that?
Tactis (replying to stephenw10):

@stephenw10 Correct. Way longer than the tunnel rekey times, so something must prompt a configuration reload outside of that.
Or maybe the tunnel went down at some point and the config was reloaded when a reconnect was attempted.
Tactis:

Unfortunately this issue is still present in 25.07.1-RELEASE.

I just added a 'new' IPSec P1, and upon saving there were 2 P2s already visible that were used on a tunnel that was deleted at least a year ago.
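The two symptoms in this thread (a P1 left with no P2s after an unrelated save, and stale P2s from a long-deleted tunnel resurfacing on a new P1) both show up as inconsistencies between the phase1 and phase2 lists in config.xml. The following is an added audit script, not something from the thread or from pfSense itself; it assumes the documented config.xml layout where `<phase1>` and `<phase2>` entries sit under `<ipsec>` and are linked by `<ikeid>`, and the XML it runs on is a constructed sample, not a real config.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml <ipsec> section
# (not a real config): P1 ikeid 1 has two P2s, P1 ikeid 2 has none, and a
# P2 with ikeid 3 references a P1 that no longer exists (a "ghost" P2).
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase1><ikeid>1</ikeid><descr>site-a</descr><remote-gateway>203.0.113.10</remote-gateway></phase1>
    <phase1><ikeid>2</ikeid><descr>site-b</descr><remote-gateway>203.0.113.20</remote-gateway></phase1>
    <phase2><ikeid>1</ikeid><uniqid>aaa1</uniqid><descr>site-a lan</descr></phase2>
    <phase2><ikeid>1</ikeid><uniqid>aaa2</uniqid><descr>site-a dmz</descr></phase2>
    <phase2><ikeid>3</ikeid><uniqid>zzz1</uniqid><descr>old-site-c lan</descr></phase2>
  </ipsec>
</pfsense>"""


def audit_ipsec(config_xml):
    """Return P1s that have no P2 at all, and P2s whose ikeid matches no P1."""
    root = ET.fromstring(config_xml)
    ipsec = root.find("ipsec")
    if ipsec is None:  # no IPsec section at all: nothing to check
        return {"p1_without_p2": [], "orphan_p2": []}
    p1_by_ikeid = {}
    for p1 in ipsec.findall("phase1"):
        p1_by_ikeid[p1.findtext("ikeid")] = p1.findtext("descr", "")
    p2_counts = {ikeid: 0 for ikeid in p1_by_ikeid}
    orphan_p2 = []
    for p2 in ipsec.findall("phase2"):
        ikeid = p2.findtext("ikeid")
        if ikeid in p2_counts:
            p2_counts[ikeid] += 1
        else:  # P2 still in config, but its parent P1 is gone
            orphan_p2.append((ikeid, p2.findtext("uniqid", ""), p2.findtext("descr", "")))
    p1_without_p2 = [(k, p1_by_ikeid[k]) for k, n in p2_counts.items() if n == 0]
    return {"p1_without_p2": p1_without_p2, "orphan_p2": orphan_p2}


def compare_backups(old_xml, new_xml):
    """P2 uniqids present in an older config backup but missing from a newer one."""
    def uniqids(xml):
        ipsec = ET.fromstring(xml).find("ipsec")
        if ipsec is None:
            return set()
        return {p2.findtext("uniqid") for p2 in ipsec.findall("phase2")}
    return sorted(uniqids(old_xml) - uniqids(new_xml))


if __name__ == "__main__":
    print(audit_ipsec(SAMPLE_CONFIG))
```

Running `compare_backups` over consecutive entries from Diagnostics > Backup & Restore > Config History flags the save in which P2s silently vanished, which is the step Tactis describes doing by hand in the config diff view.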
stephenw10 (Netgate Administrator):

Hmm, were they still present in the config somehow?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.