Parallel tunnel worked well on 1.0.1 (snapshot) but it does not work on 1.2b1



  • I've used parallel multi-network IPsec tunnels with pfSense 1.0.1 and the 1.0.1 snapshot without any problem, but today I found that they do not work with pfSense 1.2 Beta1. Below is my testing environment.

    pfSense A (allow mobile clients)
    LAN 192.168.1.1/24

    pfSense B
    tunnel 1 : 192.168.4.1/27  ->  192.168.1.1
    tunnel 2 : 192.168.4.128/27  ->  192.168.1.1

    I used the same domain identifier for tunnel 1 and 2.

    It doesn't matter whether A is 1.0.1 or 1.2 beta1. But B has to be 1.0.1 (snapshot) to make these two tunnels work.

    With 1.0.1 (snapshot), pings from 192.168.4.1 and 192.168.4.128 reach 192.168.1.1 simultaneously.

    With 1.2 beta1, pings from 192.168.4.1 and 192.168.4.128 reach 192.168.1.1 in turns. The second one can reach the destination after the first one fails.

    I think there are some changes in IPsec from the 1.0.1 snapshot to 1.2 beta1. Can it be reverted to the 1.0.1 snapshot behaviour so that parallel multi-network tunnels are available?

    Thanks





  • Tested it again with the update. But the update could not fix this problem.



  • Today I tested it with the testing update dated 5/27. But it couldn't fix the parallel tunnel problem either.



  • Actually I wonder whether this should have worked with one end being a mobile IPsec enabled node, as you can only use one identifier for that end and you need unique identifiers for each tunnel so the two tunnels don't get mixed up. I never got parallel tunnels to work between non-static endpoints with one end doing mobile IPsec, with any version of pfSense, and with no version of m0n0 either, btw.



  • Surprised!! Then has nobody succeeded with parallel IPsec tunnels using the same identifier?
    As I remember it was available from version 1.0.1, and I've used it.

    I made the test again with 1.0.1 snapshot to show you the evidence.

    pfSense box A: 1.2 Beta1
    WAN IP: 192.168.2.198
    LAN IP: 192.168.1.1/24
    Enabled "Allow mobile clients"
    Identifier in Pre-shared keys: test.com

    config.xml

    <ipsec>
      <preferredoldsa/>
      <preferoldsa/>
      <enable/>
      <mobileclients>
        <enable/>
        <p1>
          <mode>aggressive</mode>
          <myident><myaddress/></myident>
          <encryption-algorithm>blowfish</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>1</dhgroup>
          <lifetime/>
          <private-key/>
          <cert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
        </p2>
      </mobileclients>
      <mobilekey>
        <ident>test.com</ident>
        <pre-shared-key>hhhhhh7777wwwwww</pre-shared-key>
      </mobilekey>
    </ipsec>

    pfSense box B: 1.0.1 snapshot
    WAN IP: 192.168.2.197
    LAN IP: 192.168.4.1/24

    Tunnel 1: 192.168.4.1/27 -> 192.168.1.1/24  My Identifier (domain): test.com
    Tunnel 2: 192.168.4.128/27 -> 192.168.1.1/24  My Identifier (domain): test.com

    config.xml

    <ipsec>
      <preferredoldsa/>
      <enable/>
      <tunnel>
        <interface>wan</interface>
        <local-subnet><address>192.168.4.1/27</address></local-subnet>
        <remote-subnet>192.168.1.1/24</remote-subnet>
        <remote-gateway>192.168.2.198</remote-gateway>
        <p1>
          <mode>aggressive</mode>
          <myident><fqdn>test.com</fqdn></myident>
          <encryption-algorithm>blowfish</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>1</dhgroup>
          <lifetime/>
          <pre-shared-key>hhhhhh7777wwwwww</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
        </p2>
        <descr/>
        <pinghost>192.168.1.1</pinghost>
      </tunnel>
      <tunnel>
        <interface>wan</interface>
        <local-subnet><address>192.168.4.128/27</address></local-subnet>
        <remote-subnet>192.168.1.1/24</remote-subnet>
        <remote-gateway>192.168.2.198</remote-gateway>
        <p1>
          <mode>aggressive</mode>
          <myident><fqdn>test.com</fqdn></myident>
          <encryption-algorithm>blowfish</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>1</dhgroup>
          <lifetime/>
          <pre-shared-key>hhhhhh7777wwwwww</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>0</pfsgroup>
        </p2>
      </tunnel>
    </ipsec>

    After establishing these two tunnels, pings from 192.168.4.1 and 192.168.4.128 can reach 192.168.1.1 simultaneously.

    I attached the images of Box A's SPD and Box B's IPsec page.

    Now 1.2 Beta1 cannot make these two tunnels even if I use different identifiers.

    Thank you.
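The earlier reply says each tunnel needs a unique identifier so the two tunnels don't get mixed up, and the box B config.xml above is exactly the case it warns about: two <tunnel> entries to the same <remote-gateway>, both with <myident><fqdn>test.com</fqdn></myident>. The following lint is an added example for this thread, not pfSense code; it only relies on the element names visible in the posted config (tunnel, remote-gateway, p1/myident, local-subnet/address, remote-subnet), and the config it parses is a constructed sample modelled on box B, not a real export.

```python
"""Lint a pfSense 1.x-style <ipsec> block for tunnels that present the same
phase-1 identifier to the same remote gateway.

Added example for this thread, not pfSense code. Element names are those seen
in the posted config.xml; SAMPLE_CONFIG is constructed, not a real export.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two tunnels to gateway 192.168.2.198 that both identify
# as fqdn test.com (as in the thread's box B), plus one unrelated tunnel that
# identifies by its own address and must not be reported.
SAMPLE_CONFIG = """<pfsense><ipsec><preferredoldsa/><enable/>
<tunnel><interface>wan</interface>
<local-subnet><address>192.168.4.1/27</address></local-subnet>
<remote-subnet>192.168.1.1/24</remote-subnet>
<remote-gateway>192.168.2.198</remote-gateway>
<p1><mode>aggressive</mode><myident><fqdn>test.com</fqdn></myident>
<authentication_method>pre_shared_key</authentication_method></p1>
</tunnel>
<tunnel><interface>wan</interface>
<local-subnet><address>192.168.4.128/27</address></local-subnet>
<remote-subnet>192.168.1.1/24</remote-subnet>
<remote-gateway>192.168.2.198</remote-gateway>
<p1><mode>aggressive</mode><myident><fqdn>test.com</fqdn></myident>
<authentication_method>pre_shared_key</authentication_method></p1>
</tunnel>
<tunnel><interface>wan</interface>
<local-subnet><address>192.168.5.0/24</address></local-subnet>
<remote-subnet>10.0.0.0/24</remote-subnet>
<remote-gateway>192.168.2.199</remote-gateway>
<p1><mode>main</mode><myident><myaddress/></myident>
<authentication_method>pre_shared_key</authentication_method></p1>
</tunnel>
</ipsec></pfsense>"""


def phase1_identity(tunnel):
    """Return (kind, value) for a tunnel's phase-1 'My identifier'.

    <myident><fqdn>test.com</fqdn></myident> -> ("fqdn", "test.com")
    <myident><myaddress/></myident>           -> ("myaddress", "")
    A missing or empty <myident> is treated like <myaddress/>.
    """
    myident = tunnel.find("p1/myident")
    if myident is None or len(myident) == 0:
        return ("myaddress", "")
    child = myident[0]
    return (child.tag, (child.text or "").strip())


def find_identifier_collisions(xml_text):
    """Group tunnels by (remote gateway, identifier kind, identifier value).

    Only groups holding more than one tunnel are returned: those are the
    tunnels whose phase-1 negotiations the remote side sees under one and the
    same peer identity, the situation the reply above says to avoid.
    """
    root = ET.fromstring(xml_text)
    groups = defaultdict(list)
    for tunnel in root.iter("tunnel"):
        gateway = tunnel.findtext("remote-gateway", "").strip()
        kind, value = phase1_identity(tunnel)
        local = tunnel.findtext("local-subnet/address", "").strip()
        remote = tunnel.findtext("remote-subnet", "").strip()
        groups[(gateway, kind, value)].append((local, remote))
    return {key: members for key, members in groups.items() if len(members) > 1}


def report(xml_text):
    """One human-readable line per group of colliding tunnels."""
    lines = []
    for (gateway, kind, value), members in find_identifier_collisions(xml_text).items():
        ident = value if value else "<%s>" % kind
        subnets = ", ".join("%s -> %s" % pair for pair in members)
        lines.append("gateway %s: %d tunnels share identifier %s: %s"
                     % (gateway, len(members), ident, subnets))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run against the sample it reports the two test.com tunnels to 192.168.2.198 as one colliding group and stays silent about the third tunnel. Whether a given racoon build happens to keep two same-identity tunnels apart, as the poster saw with the 1.0.1 snapshot, is a separate question from whether the configuration is unambiguous; the lint only flags the ambiguity.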



  • I tested it with pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-06-06-2007.tgz today. But the parallel tunnel is not available with the latest update either.

    Pls pls fix this problem. I think the parallel tunnel is a very useful IPsec function.

    Thank you.

