Multiple Site-To-Site IPsec Problem



  • Hello, I have a pfSense instance, 192.168.2.0/24, on a static IP.

    Prior to my upgrade to 2.0 Release (I think I was using build RC1), I had a setup similar to:

    Phase 1 mobile tunnel, Mutual PSK, Aggressive Mode, 3DES, MD5, DH Group1, 28800 key lifetime
    Phase 2 (a) ESP, 3DES, MD5, PFS Group1, 28800 key lifetime

    Phase 2 (f) ESP, 3DES, MD5, PFS Group1, 28800 key lifetime

    So 6 phase 2 entries for VPN endpoints that all have dynamic IP addresses.  Each had a unique ID/PSK

    This configuration worked fine.

    I upgraded to 2.0-Release, and racoon would not start due to a configuration error.

    I noticed that the line number of the error was related to the mobile VPN, so I deleted the phase 1/phase 2's for dynamic IP sites

    Tried to re-create them and I cannot create more than one Phase 2 with the same LAN

    Not only that, but not a single one will connect.  All error out with "no valid sa" or "no remote configuration".  I can post the full log, but I have racoon debug on at the moment and don't want to flood the post if I am missing something obvious (to others).

    Any idea how I can get this config back with multiple phase 2's and the same LAN entry?

    Thanks in advance for any advice.
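    For reference, this is how the setup described above (one mobile/aggressive-mode phase 1 with a unique identifier and PSK per dynamic-IP site, and several phase 2 entries that all share the local 192.168.2.0/24 LAN) is expressed in racoon's own configuration syntax. It is an added, hand-written example, not the racoon.conf that pfSense generates and not the original poster's config. The WAN address 203.0.113.10, the two remote subnets, the FQDN identifiers and the keys are made up for illustration; only two of the six sites are shown.

```conf
# /var/etc/racoon.conf  (constructed example, not pfSense-generated)
path pre_shared_key "/var/etc/psk.txt";

listen
{
    isakmp 203.0.113.10 [500];
    isakmp_natt 203.0.113.10 [4500];
}

# One "anonymous" remote block serves every dynamic-IP peer.
# Aggressive mode is what lets racoon pick the PSK by the peer's
# ID payload instead of by source address, which is unknown in advance.
remote anonymous
{
    exchange_mode aggressive;
    my_identifier address 203.0.113.10;
    passive on;                 # we only answer, the dynamic sites initiate
    generate_policy unique;     # create SPD entries for whatever subnet the peer negotiates
    proposal_check obey;
    nat_traversal on;
    lifetime time 28800 secs;   # phase 1 lifetime from the post
    proposal
    {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}

# One sainfo (phase 2) per remote site. The local side is the same
# 192.168.2.0/24 every time; the remote subnet is what distinguishes them,
# so each site must bring a different remote subnet.
sainfo address 192.168.2.0/24 any address 192.168.10.0/24 any
{
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 1;
    lifetime time 28800 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.11.0/24 any
{
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 1;
    lifetime time 28800 secs;
}

# /var/etc/psk.txt  (constructed; one line per peer identifier)
# site-a.example.net    Kx9vQ2mT7pLw4rB1
# site-b.example.net    Zr3nH8cJ5yWq6dF2
```

    The PSK file is keyed by the identifier each site sends in its aggressive-mode ID payload, so every site needs its own distinct identifier and secret; two sites sharing an identifier would collide on the same key line. After a peer negotiates, `setkey -DP` shows the SPD entries `generate_policy` created and `setkey -D` shows the resulting SAD entries, which is the quickest way to confirm that phase 2 actually completed for the subnet you expect. Two caveats a reviewer would raise about this configuration as a whole: aggressive mode with a pre-shared key sends the identity in the clear and lets anyone who captures the exchange run an offline dictionary attack against the PSK, and 3DES, MD5 and DH group 1 are all well below current recommendations, so long random keys and a move to main mode or certificates (and AES/SHA-2/DH group 14 or better) are worth planning once the tunnels are back up.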



  • Just to update, after leaving this alone all night I do see SAD and SPD entries for the dynamic IP sites, but no data sent/received and I am unable to ping any of them.

