PfSense 2.2 IPSEC to 2.1.5 failing

  • Has anyone been able to get a VPN connection between 2.2-RELEASE and 2.1.5 to work?  In our lab we have been waiting on 2.2 for a fix to a bug in pfSense under 2.1.5 that would affect a new dual-router dual-WAN installation at one of our locations, and it needs to connect back to a single-router 2.1.5 location.  The problem still existed on 2.2-RC with a build from a few weeks ago, but I was at least able to establish the VPN connection as usual.  I upgraded 1 of the 2 routers in the dual-router CARP configuration to 2.2-RELEASE, and I am never able to get a connection established at all.  If I cause it to fail over to the secondary router (still running 2.2-RC), a connection gets established fine.  I'm specifying IKEv1, I've double-checked all of the settings, but I still can't get a connection to establish successfully.  Is it a lost cause until an update is released?

  • Looks like NO!

    I have not been able to establish working site-to-site ipsec vpn between 2.1.5 and 2.2. I can see that tunnel is up, but no traffic is routed to tunnel!


  • mh, at least I am not the only one having problems with the new IPSec engine…

    I don't know what is wrong, but I vote to roll back to racoon! :S

  • At least you are able to establish a tunnel, even if not a functional one.  I can't even do that!  What settings are you using for phase 1?

  • @Clouseau:


    It's not significantly broken. Internally, we use IPsec on 2.2 in production for nearly all VPNs (have for months) and have 0 issues since RC. There is only one confirmed known issue, which was pointed out prominently in the release notes.

    There probably are some limited other edge cases. Screaming untrue FUD doesn't help.

    Got an issue? Start a new thread and describe what you're seeing. If you can get me access to the systems in question, or at least one end, PM me and I'll check it out.

  • @Thale:

    Is it a lost cause until an update is released?

    Are you using multiple P2s on a single P1? If so, then yes unless you use IKEv2, which isn't supported on the 2.1.5 side. Otherwise no, IPsec in 2.2 works fine outside that circumstance. A single P2 with IKEv1 or however many you want with IKEv2 will work fine.

    If you're not within that "lost cause" circumstance, PM me and we can arrange me taking a look at it.

  • I'll PM as requested, but wanted to list my scenario for the benefit of others in case it displays a trend.  This is our test setup - once we can get the test scenario working as we need to, then we can move "Remote Site" to one of our remote sites that currently has only a single router.  "Central Site" below is based exactly on our current configuration at our central location (with 1 exception), also with a single router (which is the next site to be updated to 2 after the one we're working on).  Other issues preceding 2.2 have delayed this implementation - we were hoping 2.2 would fix those issues, but haven't yet been able to get far enough to test that on the release build.

    Remote Site:
    2 routers, we'll call them A and B, in a dual-WAN CARP configuration with VIPs for LAN, WAN1, and WAN2.  Both WANS are set as a gateway group, NAT is enabled.  IPSEC is configured as IKEv1, aggressive (I saw the note about using main, and tried that, but we had more errors there than we have since switching to aggressive), with a single Phase 2.  While we will ultimately need 2 phase 2 entries, we're testing with 1 at the moment to try and get that working reliably.  Router A is the primary router running pfsense 2.2-RELEASE.  Router B, the backup router, was not upgraded from the testing we were doing on 2.2-RC build 12/9/2014.  Because of the version difference the configuration sync isn't working, but we're ok with that at the moment - once Router A is working well, we'll upgrade Router B as well.

    Central Site:
    1 router, running pfSense 2.1.5.  The single configuration exception from our production environment that's mentioned above is that we have a single WAN interface in testing, and in production we have dual-WANs configured.  In production the IPSEC tunnels to the "Remote Site" and other sites have been around for awhile and are working great.  We use a distinguished name on this particular IPSEC connection, rather than IP address.

    When testing with 2.2-RC from 12/9/2014, the connection worked fine but the specific bug we were experiencing on 2.1.5 wasn't fixed.  I know a lot of work was done on IPSEC toward the end of the RC testing, and was/am hoping that that bug is fixed in the release version.  However, I haven't been able to test that since I can't get the initial IPSEC connection to establish with the 2.2-release version.

  • i have the same problem…

    one pfsense with 2.1.5 and one pfsense with 2.2.0 with multiple P2s on a single P1. VPN up but no traffic.

    I have the problem since I upgraded the pfsense to 2.2.0. (old fw : 2.1.5)

    any solution ? i have no full backup...
    upgrade my other pfsense 2.1.5 to 2.2.0 or downgrade my pfsense 2.2.0 to 2.1.5 ?

    edit :
    traffic pass in one tunnel p2s not at a time. like :

  • You should create a new topic for this.
    Also, have you checked that you are using MAIN mode, and not AGGRESSIVE, as per release-notes?

  • new topic for same problem ? :o

    yes main mode on both.

    I redo a config vpn to test.