IPSec VPN for mobile users
linuxg33k last edited by
I love PFSense. I use it for pretty much everything. I'm noticing an issue that is becoming more and more prevalent as time progresses. I have a PFSense IPSec VPN setup for mobile warriors. At the start of the day, if I establish the VPN connection, I can see all resources on the remote subnet with no problems, however, if I drop the connection and wait a few minutes then reconnect to the VPN, the tunnel comes up with no problems, but I cannot ping or communicate to any devices across the tunnel. Any help would be much appreciated.
I am not sure I am having the same problem as you but I do see issues with IPSec VPN. What I am seeing is that everything work fine for the first connect for an IP but after disconnection, it looks like things are not cleaned up correctly which causing problems when another client connects and is assigned to that IP address. This is on pfSense 2.1-BETA1.
On an idle system, this breaks consistently for me:
- make sure ipsec SAD / SPD are empty.
- connect with iPhone. Everything works. IP: 10.1.12.1
- disconnect iPhone.
- connect Laptop, nothing works. IP: 10.1.12.1
From then on, the IP 10.1.12.1 will not work.
I have seen this ticket, I am in one of the updated, but seeing the problem was still around was hoping somebody here had found a solution.
Being stuck home sick and bored, I went digging through the racoon code this evening and I at least found what is going on with why the SPD are not being removed in my case. Racoon has a check to see if the created timestamps match before removing the SPD entries. Unfortunately, the local patch (patch11-purge_sp_fix.diff) changed things so a timestamp is passed instead of zero. Before this patch, the value passed was hard coded to zero which, in my case, causes the test to pass. Removing this patch and I have been able to connect with multiple clients in many different orders without issues. Not sure what should be done at this point.
I took a stab at fixing this problem. Details here: