    IPSec lan-to-lan doesn't work after PfSense upgrade to 2.2

Category: IPsec
Riccardo90:

Hello,
yesterday I upgraded our pfSense in the datacenter to the new 2.2 release.

Before the upgrade, I was able to configure IPsec VPNs between Meraki security appliances, pfSense firewalls and FortiGate, but after the upgrade none of the VPN tunnels will come up.

I tried to reload the VPN service, reboot all the devices, and reconfigure IPsec again, without success.

Is someone experiencing the same problem and knows how to solve it?

Thank you!
Riccardo
georgeman:

Logs?
sammybernard:

IKEv1 or IKEv2? We had problems when we switched to IKEv2 on 2.2 but IKEv1 worked fine. On our lab setup the site-to-site IKEv2 tunnel will go down after a few hours and does not come up… It might have something to do with our DPD settings or reauth but we haven't figured it out. You can try IKEv1 if you are having issues with IKEv2.

SAM
mdima:

Hello,
same problem here. After upgrading to version 2.2 a VPN between two pfSense 2.2 firewalls doesn't work anymore.
In both firewalls IKE is configured with version 1, just… the tunnel seems to be established, just the packets don't flow anymore through the tunnel.

Maybe it's related to NAT? In both firewalls NAT traversal is set to AUTO.

Thanks,
Michele
Riccardo90:

Thanks for your responses,
someone suggested that I change the Phase 1 mode from aggressive to main, as described in the pfSense guide, but nothing changed.

It's strange because when I click on connect on the IPsec diag page, the page loads very fast and the status doesn't change; I also set the outbound NAT to automatic, in order to avoid any NAT-related issues.

I see that I can choose more details in the IPsec logs; what do you need in order to have all the necessary information? Attached is the page with the information that I'm asking about.

I set up my IPsec connection with IKEv1, because some firewalls do not support IKEv2.

Attached, you can also see my IPsec configuration.

Thank you,
Riccardo

![Screen Shot 2015-01-26 at 20.38.11.png](/public/imported_attachments/1/Screen Shot 2015-01-26 at 20.38.11.png)
![Screen Shot 2015-01-26 at 21.24.34.png](/public/imported_attachments/1/Screen Shot 2015-01-26 at 21.24.34.png)
![Screen Shot 2015-01-26 at 21.23.25.png](/public/imported_attachments/1/Screen Shot 2015-01-26 at 21.23.25.png)
palu:

Maybe I found a solution, at least it worked for me:

in IPsec Phase 1 -> Phase 1 proposal (Authentication)

use the external IP address of your box as "My identifier" on both sides.

It seems the pre-shared key will not be matched correctly if "My identifier" is set to "My IP address".

I didn't use any FQDNs, just IP addresses everywhere.

cheers,

palu
Riccardo90:

Hi Palu,
Thanks for your suggestion, now the IPsec tunnel comes up, but no traffic is passing through the tunnel.

I set the outbound NAT to automatic, but I cannot reach the remote site.

Riccardo
palu:

Hi Riccardo,

Hmmm, I can't verify since NAT is done in my DSL router, so I use "Manual Outbound NAT rule generation" in the NAT section.

You could give "Hybrid Outbound NAT rule generation (Automatic Outbound NAT + rules below)" a try, and add a "no NAT" rule for your internal LAN to the target LAN.
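What the "Hybrid Outbound NAT" suggestion above amounts to in pf terms, as an added illustration that was not posted in this thread and is not the rule set pfSense generates: the interface name em0 and the subnets 10.1.0.0/24 (local LAN) and 10.2.0.0/24 (remote LAN behind the tunnel) are placeholders. pf evaluates translation rules first-match, so the `no nat` exception has to sit above the catch-all automatic rule, which is where the Hybrid mode's "rules below" place the manual entries.

```conf
# pf.conf fragment (added example; interface and addresses are placeholders)
# Translation rules are first-match, so the exception must come first.

# Traffic from the local LAN to the remote LAN must keep its private source
# address. If it were translated to the WAN address it would no longer match
# the Phase 2 local network 10.1.0.0/24 and would never enter the tunnel.
no nat on em0 from 10.1.0.0/24 to 10.2.0.0/24

# Automatic outbound NAT (the rule pfSense generates for Internet-bound
# traffic): everything else from the LAN is translated to the WAN address.
nat on em0 from 10.1.0.0/24 to any -> (em0)
```

A quick check after applying it: a packet capture on the WAN interface for the remote subnet should show ESP (or UDP/4500 with NAT-T) and no plaintext packets sourced from the WAN address.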
Riccardo90:

OK, it works, but this can only be a temporary workaround because I have some IPsec VPNs with dynamic IP addresses, so I cannot put the public IP in the "My identifier" field, and this workaround does not work with all the 3rd-party firewalls, like Cisco Meraki etc…
:(.

I see on this forum that some people do not have any kind of issues with IPsec VPN, maybe something went wrong during the upgrade?

Riccardo
palu:

I guess it will work with an FQDN, too (if also used for the pre-shared key so it can be matched), so you can use dynamic addresses.

Just make sure pre-shared key identifier = My identifier in the Phase 1 proposal.
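The pairing palu describes (the identity presented in Phase 1 must be the same identity the pre-shared key is stored under) is how strongSwan, the IKE daemon pfSense 2.2 moved to, selects a PSK. Below is a hand-written strongSwan configuration for one side of a site-to-site IKEv1 tunnel that makes the relationship explicit, plus the forced NAT-T that mdima reports needing later in the thread. This is an added example, not the ipsec.conf pfSense generates from the GUI; the addresses are RFC 5737 placeholders and the PSK is a dummy.

```conf
# ipsec.conf on site A (added example; addresses are RFC 5737 placeholders)
config setup
    uniqueids = yes

conn siteA-to-siteB
    keyexchange=ikev1
    aggressive=no               # main mode; aggressive mode sends the ID unencrypted
    authby=secret
    left=203.0.113.10           # our WAN address
    leftid=203.0.113.10         # "My identifier": set explicitly to the WAN address
    leftsubnet=10.1.0.0/24      # Phase 2 local network
    right=198.51.100.20         # peer WAN address
    rightid=198.51.100.20       # "Peer identifier": must equal the peer's leftid
    rightsubnet=10.2.0.0/24     # Phase 2 remote network
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048! # PFS with the same DH group
    dpdaction=restart
    dpddelay=10s
    forceencaps=yes             # UDP/4500 encapsulation (NAT-T) even if no NAT is detected
    auto=start

# ipsec.secrets on site A
# The PSK is looked up by the pair of IKE identities, so both strings here must
# be exactly the leftid/rightid above (site B holds the mirror image).
203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"
```

For an FQDN identity, as palu suggests for dynamic addresses, the same rule applies: `leftid=@siteA.example.com` in ipsec.conf goes with a secrets line of the form `@siteA.example.com @siteB.example.com : PSK "..."`. One caveat a practitioner should keep in mind: in IKEv1 main mode the ID payloads travel in messages 5 and 6, already encrypted with keys derived from the PSK, so the responder must pick the PSK by the initiator's source address before it ever sees the ID. A peer whose address changes can therefore only authenticate with a PSK in aggressive mode (which exposes the identity and a PSK-derived hash to offline guessing) or, preferably, with IKEv2, where the identity is exchanged after the DH exchange and PSK selection by identity works in both directions.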
mdima:

mmmhhh… there is something weird.
It worked after I forced NAT-T on both nodes. But... if from one node I try to access the webConfigurator of the main office pfSense, that box just REBOOTS!! :S

This is veeeeery weird... I think I'm going to roll back to version 2.1.5 very soon! :(
Arthur:

Same problem here!

IKEv1 main mode
All OK with racoon (2.1.5) before the update to 2.2.
mdima:

It was too bad, I had to roll back both firewalls in the main office.

I mean, the VPN was working, not as stable as on version 2.1.5 but it was working, but the "I access the webConfigurator from a remote node and I crash the system" was too much for a production environment. :(
Clouseau:

Try on 2.2 to set Phase 1 Key Exchange version to auto. It helped me to get the other end back.
Riccardo90:

Tonight I decided to roll back the pfSense configuration to 2.1.5 and I think I will not upgrade 'till the issue with VPNs is solved.

Personally, I don't know why they decided to replace racoon with another service that is causing a lot of issues with VPNs; racoon works very well!…

Riccardo
Clouseau:

2.2 <=> 2.2 works with IKEv2.
2.1.5 <=> 2.2 doesn't work at all with IKEv1. Confirmed!

So far IPsec with strongSwan has been like using an ALPHA release. Sorry to say this, but I also have a lot of trouble with IPsec on version 2.2-RELEASE. Mobile VPN works only with an IP identifier, site-to-site won't work at all between 2.1.5 and 2.2.

IPsec must get a lot of attention now; this feels like we have pfSense's "Vista" here!

Version 2.2.1 must be here tomorrow? :-X
JoelLinn:

@Riccardo:

Tonight I decided to roll back the pfSense configuration to 2.1.5 and I think I will not upgrade 'till the issue with VPNs is solved.

Personally, I don't know why they decided to replace racoon with another service that is causing a lot of issues with VPNs; racoon works very well!…

Riccardo

Because racoon is outdated like shit and does not support state-of-the-art mobile connections. It has its own bugs which could be worked around "easily" by fiddling with the config.
Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.
Thale:

@JoelLinn:

Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.

Could be, but I didn't see the problem in 2.2-RC with a 12-9-2014 build. After upgrading 1 of the 2 routers in a dual-WAN CARP test, however, I can never establish a connection with the 2.2-RELEASE router, but when it fails over to the 2.2-RC router IPsec works.
Clouseau:

@JoelLinn:

Because racoon is outdated like shit and does not support state-of-the-art mobile connections. It has its own bugs which could be worked around "easily" by fiddling with the config.
Frankly, there seem to be serious IPsec issues with 2.2, but as there were 0 bugs when they decided to roll the release out, I think a lack of adequate testing may be the reason. Perhaps the community should have done more in the pre-release time.

Yes, racoon might be outdated like shit, but strongSwan is buggy like Flash. I'd rather work with one working back end with its known limitations than an all-around buggy back end with numerous problems. Look at this forum, it's full of mysterious problems. If this had been done correctly, racoon should be here as the one IPsec default core and strongSwan as an option. Jimp and Ermal have put a lot of effort into getting 2.2 out, but this IPsec part seems to be an epic failure. IPsec is such an important part of pfSense that the pfSense community should fix this fast, I mean FAST!

!!! Now DO NOT UPDATE TO 2.2 IF YOU USE IPSEC !!!!!

It will be a catastrophic failure in operative use!
eri--:

Please do not hijack other people's threads.
Solve your problems in your own posts.
JoelLinn:

To come back to the problem: if the tunnel is up but no traffic is coming through, can you specify it further?
Is there only some traffic (like small ping packets) that gets through, or is it nothing at all?
Because I'm experiencing a problem where fragmented packets get lost. https://forum.pfsense.org/index.php?topic=87610.0
Maybe you want to perform a similar analysis to confirm whether your current problem is similar or not.