IPSec lan-to-lan doesn't work after PfSense upgrade to 2.2
-
Hello,
Yesterday I upgraded our pfSense in the datacenter to the new 2.2 release. Before the upgrade, I was able to configure IPsec VPNs between Meraki security appliances, pfSense firewalls and FortiGate, but after the upgrade, none of the VPN tunnels will come up.
I tried reloading the VPN service, rebooting all the devices and reconfiguring IPsec, without success.
Is someone experiencing the same problem and knows how to solve it?
Thank you!
Riccardo
-
Logs?
-
IKEv1 or IKEv2? We had problems when we switched to IKEv2 on 2.2, but IKEv1 worked fine. On our lab setup the site-to-site IKEv2 will go down after a few hours and does not come up… It might have something to do with our DPD settings or reauth, but we haven't figured it out. You can try IKEv1 if you are having issues with IKEv2.
SAM
-
Hello,
Same problem here. After upgrading to version 2.2, a VPN between two pfSense 2.2 firewalls doesn't work anymore.
In both firewalls IKE is configured with version 1, just… the tunnel seems to be established, but the packets don't flow through the tunnel anymore. May be related to NAT? In both firewalls NAT traversal is set to AUTO.
Thanks,
Michele
-
Thanks for your responses,
Someone suggested I change the Phase 1 mode from aggressive to main, as described in the pfSense guide, but nothing changed. It's strange because when I click on connect on the IPsec diag page, the page loads very fast and the status doesn't change; I also set the outbound NAT to automatic, in order to avoid any NAT related issues.
I see that I can choose more details on IPsec logs; what do you need in order to have all the necessary information? Attached is the page with the information that I'm asking about.
I set up my IPsec connection with IKEv1, because some firewalls do not support IKEv2.
Attached, you can also see my IPsec configuration.
Thank you,
Riccardo
[Attachments: three screenshots, dated 2015-01-26, of the IPsec log settings page and the IPsec configuration]
-
Maybe I found a solution, at least it worked for me:
In IPsec Phase 1 -> Phase 1 proposal (Authentication)
use the external IP address of your box as "My identifier" on both sides.
It seems the pre-shared key will not be matched correctly if "My identifier" is set to "My IP address".
I didn't use any FQDNs, just IP addresses everywhere.
cheers,
palu
-
Hi Palu,
Thanks for your suggestion, now the IPsec tunnel comes up, but no traffic is passing through the tunnel. I set up the outbound NAT as automatic, but I cannot reach the remote site.
Riccardo
-
Hi Riccardo,
Hmmm, I can't verify since NAT is done in my DSL router, so I use "Manual Outbound NAT rule generation" in the NAT section.
You could give "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)" a try, and add a "no NAT" rule for your internal LAN to the target LAN.
-
OK, it works, but this can only be a temporary workaround because I have some IPsec VPNs with dynamic IP addresses, so I cannot put the public IP in the "My Identifier" field, and this workaround does not work with all the 3rd party firewalls, like Cisco Meraki etc…
:( I see on this forum that someone does not have any kind of issues with IPsec VPN; maybe something went wrong during the upgrade?
Riccardo
-
I guess it will work with FQDN too (if also used for the pre-shared key so it can be matched), so you can use dynamic addresses.
Just make sure pre-shared key identifier = My identifier in the Phase 1 proposal.
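The identifier/PSK matching rule from the two posts above, written out in strongSwan's own ipsec.conf / ipsec.secrets syntax as an added illustration (pfSense 2.2 runs strongSwan underneath, but this file is hand-written here, not pfSense's generated configuration, and all addresses and names are constructed placeholders):

```ini
# /etc/ipsec.conf  (illustrative; 203.0.113.10 / 198.51.100.20 are placeholder addresses)
config setup
        charondebug="ike 2, cfg 2"      # log IKE negotiation and config matching at debug level 2

conn site-a-to-site-b
        keyexchange=ikev1
        aggressive=no                   # main mode, as the thread settles on
        authby=secret                   # pre-shared key authentication
        left=203.0.113.10               # this box's external address
        leftid=203.0.113.10             # identity sent in Phase 1: this is "My identifier"
        leftsubnet=192.168.10.0/24
        right=198.51.100.20             # peer's external address
        rightid=198.51.100.20           # identity expected from the peer: "Peer identifier"
        rightsubnet=192.168.20.0/24
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        forceencaps=yes                 # force NAT-T (UDP encapsulation), as one poster needed
        auto=start

# /etc/ipsec.secrets
# The selectors left of the colon are the IKE identities, and they must be the
# same values as leftid/rightid above. If the identity sent in Phase 1 is not
# found among the selectors, the PSK is never matched and authentication fails.
203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"

# For a dynamic-address peer (palu's FQDN suggestion): use an FQDN identity on
# both sides of the rule, e.g. leftid=@site-a.example and the same selector here.
# @site-a.example @site-b.example : PSK "another-long-random-secret"
```

The same relation holds in the pfSense GUI: the "Identifier" of the pre-shared key entry must equal the Phase 1 "My identifier" on the other side, and vice versa.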
-
Mmmhhh… there is something weird.
It worked after I forced NAT-T on both nodes. But... if from one node I try to access the webConfigurator of the main office pfSense, that box just REBOOTS!! :S This is veeeeery weird... I think I'm going to roll back to version 2.1.5 very soon! :(
-
Same problem here!
IKEv1 main mode
All OK with racoon (2.1.5) before the update to 2.2.
-
It was too bad, I had to roll back both firewalls in the main office.
I mean, the VPN was working, not as stable as on version 2.1.5 but working, but the "I access the webConfigurator from a remote node and I crash the system" was too much for a production environment. :(
-
Try on 2.2 to set Phase 1 Key Exchange version to auto. It helped me to get the other end back.
-
Tonight I decided to roll back the pfSense configuration to 2.1.5 and I think I will not upgrade 'till the issue with VPNs is solved.
Personally, I don't know why they decided to replace racoon with another service that is causing a lot of issues with VPNs; racoon works very well!…
Riccardo
-
2.2 <=> 2.2 works with IKEv2.
2.1.5 <=> 2.2 doesn't work at all with IKEv1, confirmed! So far IPsec with strongSwan has been like using an ALPHA release. Sorry to say this, but I also have a lot of trouble with IPsec on version 2.2-RELEASE. Mobile VPN works only with IP identifier; site-to-site won't work at all between 2.1.5 and 2.2.
IPsec must get a lot of attention now; this feels like we have pfSense's "Vista" here!
Version 2.2.1 must be here tomorrow? :-X
-
> Tonight I decided to roll back the pfSense configuration to 2.1.5 and I think I will not upgrade 'till the issue with VPNs is solved.
> Personally, I don't know why they decided to replace racoon with another service that is causing a lot of issues with VPNs; racoon works very well!…
> Riccardo

Because racoon is outdated like shit and does not support state-of-the-art mobile connections. It has its own bugs which could be worked around "easily" by fiddling with the config.
Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.
-
> Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.

Could be, but I didn't see the problem in 2.2-RC with a 12-9-2014 build. After upgrading 1 of the 2 routers in a dual-WAN CARP test, however, I can never establish a connection with the 2.2-RELEASE router, but when it fails over to the 2.2-RC router IPsec works.
-
> Because racoon is outdated like shit and does not support state-of-the-art mobile connections. It has its own bugs which could be worked around "easily" by fiddling with the config.
> Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.

Yes, racoon might be outdated like shit, but strongSwan is buggy like Flash. I'd rather work with one working back end with its known limitations than an all-around buggy back end with numerous problems. Look at this forum; it's full of mysterious problems. If this were done correctly, racoon should be here as the one IPsec default core and strongSwan as an option. Jimp and Ermal have put a lot of effort into getting 2.2 out, but this IPsec part seems to be an epic failure. IPsec is such an important part of pfSense that the pfSense community should fix this fast, I mean FAST!
!!! Now DO NOT UPDATE TO 2.2 IF YOU USE IPSEC !!!!!
It will be a catastrophic failure in operative use!
-
Please do not hijack threads of others.
Solve your problems on your posts.