IPSEC and ROUTING or RESOLUTION LOST
-
There are so many IPSEC posting that are related that I decided to capture my test results here under terms using IPSEC, ROUTING, NAME RESOLUTION, DNS, PING, etc.
You can review my recent postings from 7/7/2013-7/8/2013 to see the various details and permutations of my testing.
Essentially, here is my finding (supported in redmine posts also):
I have been using 1.2.3, 2.0.3, and latest snapshot as my SOURCE at home to connect to DESTINATIONS sites ranging from pfSense 1.2.3 to 2.0.3. No problem connecting to 1.2.3 remote sites via IPSEC. I finally reproduced consistently that destination must be 2.0.3 (perhaps the 2.x tree even ) for IPSEC connection to eventually time out; where connection still works but no routing or name resolution occur after second reconnect attempt (after several minutes).
If my source is DD-WRT, it does not matter whether I am connecting to destination 1.2.3 or 2.0.3, it works always. I tried all types of Shrewsoft client settings and pfSense settings (type of cipher, DPD, NAT-T, etc - results are the same). You must restart racoon service to get back to normal.
You can reproduce this IPSEC issue by being behind 1.2.3 - to current snapshot and you connect to a remote 2.x site using Shrewsoft VPN client and waiting to reconnect 5 minutes or later - you will lose routing and obviously name resolution. From my readings here, this not only affects IPSEC client connections, but even IPSEC VPN Site to site (I have not personally tested this scenario). I am done testing this - I am 100% certain of this issue.
http://redmine.pfsense.org/issues/1351 still exists and is confirmed.