IPsec between 2 pfSense 2.2 units with multiple P2
-
Hi,
We have multiple P2s on our IPsec tunnel. After upgrading to pfSense 2.2, I have noticed that only the 1st P2 entry connects and the rest will not connect.
The logs show the following looping entries:
Jan 30 10:29:02 charon: 16[NET] received packet: from x.x.x.x[4500] to y.y.y.y.[4500] (76 bytes)
Jan 30 10:28:52 charon: 16[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
Jan 30 10:28:52 charon: 16[ENC] generating INFORMATIONAL response 31 [ ]
Jan 30 10:28:52 charon: 16[ENC] parsed INFORMATIONAL request 31 [ ]
It just keeps looping and looping, increasing in number of requests.
Also, resources on the 1st P2, which is CONNECTED, CANNOT ping/reach each other.
Unfortunately this is a production environment and I am stuck between a rock and a hard place; a rollback will create significant disruption.
So all assistance is very much appreciated.
Thanks.
-
Switch to IKEv2 on both sides, leave everything else as is. Then, to make really sure you have everything from before cleared out, go to Status > Services, stop the strongswan service, then start it.
-
cmb, thanks for your reply.
Both are on IKEv2 at the moment. I have stopped and started the strongSwan service but no go; I even shut down and restarted the units, still no change.
Thanks
-
There will only be one child SA with IKEv2. Effectively if one is up, they're all up. What are you seeing that makes you think some aren't?
The logs you're showing aren't any kind of looping or anything, that looks normal depending on your logging level.
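cmb's point that these INFORMATIONAL lines are normal can be checked mechanically. The following is an added example, not code from this thread, pfSense or strongSwan: it pairs charon ENC log lines by message id and separates empty INFORMATIONAL exchanges (IKEv2 liveness/DPD checks, which are routine) from exchanges that carry payloads or never got a response. The sample log is constructed to resemble the lines quoted in the first post.

```python
import re

# Constructed sample modelled on the lines quoted in the post; not captured traffic.
SAMPLE_LOG = """\
Jan 30 10:28:52 charon: 16[ENC] parsed INFORMATIONAL request 31 [ ]
Jan 30 10:28:52 charon: 16[ENC] generating INFORMATIONAL response 31 [ ]
Jan 30 10:28:52 charon: 16[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[4500] (76 bytes)
Jan 30 10:29:02 charon: 16[NET] received packet: from x.x.x.x[4500] to y.y.y.y[4500] (76 bytes)
Jan 30 10:29:02 charon: 16[ENC] parsed INFORMATIONAL request 32 [ ]
Jan 30 10:29:02 charon: 16[ENC] generating INFORMATIONAL response 32 [ ]
Jan 30 10:29:12 charon: 16[ENC] generating INFORMATIONAL request 7 [ D ]
Jan 30 10:29:12 charon: 16[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[4500] (80 bytes)
"""

# "<timestamp> charon: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) charon: (?P<thread>\d+)\[(?P<subsys>\w+)\] (?P<msg>.*)$")
# ENC lines: "parsed|generating <EXCHANGE> request|response <id> [ payloads ]"
EXCH_RE = re.compile(r"^(?P<verb>parsed|generating) (?P<exch>[A-Z_]+) (?P<kind>request|response) (?P<mid>\d+) \[(?P<payloads>[^\]]*)\]$")

def triage_charon(log_text):
    """Group charon ENC lines into exchanges and classify them.
    Returns counts of empty INFORMATIONAL exchanges (liveness), a list of
    exchanges carrying payloads (e.g. D = DELETE), and unanswered requests."""
    seen = {}  # (direction, exchange, mid) -> {"request": [...], "response": [...]}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line or line["subsys"] != "ENC":
            continue
        ex = EXCH_RE.match(line["msg"])
        if not ex:
            continue
        # Message ids are per direction: a request we parse belongs to the peer's
        # sequence, a request we generate belongs to our own.
        inbound = (ex["verb"] == "parsed") == (ex["kind"] == "request")
        key = ("in" if inbound else "out", ex["exch"], int(ex["mid"]))
        seen.setdefault(key, {})[ex["kind"]] = ex["payloads"].split()
    report = {"liveness": 0, "with_payloads": [], "unanswered": []}
    for key, halves in sorted(seen.items()):
        req = halves.get("request")
        if req is None:
            continue  # response whose request fell outside the captured window
        if "response" not in halves:
            report["unanswered"].append(key)
        if key[1] == "INFORMATIONAL" and not req:
            report["liveness"] += 1  # empty INFORMATIONAL = DPD/liveness check
        else:
            report["with_payloads"].append((key, req))
    return report
```

Run over a real log, a steadily growing count of empty INFORMATIONAL pairs with nothing unanswered is the keepalive noise cmb refers to, not a fault; the entries worth reading are the ones in with_payloads and unanswered.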
-
OK, so I have set the IKE version to 1 and am using main mode for negotiation.
The encryption on both P1 and the P2s is AES256 / SHA1, with NAT set to Auto.
I am still seeing only the 1st P2 entry up; the rest are still disconnected.
Is there a more detailed type of logging that I can enable which will help troubleshoot this?
Thanks
-
You should stay on IKEv2, that's probably the only way this will work reliably. What were you seeing when you were using IKEv2 that made you think only 1 of 4 was up?
-
I had been on IKEv2; the tunnel established and all was good, however no traffic <> on either side.
So I decided to go back to IKEv1 and realized that only the first entry was working, but still no <> traffic on either side.
I will give this another try and post here. If no success, I will be rolling back to 2.1.5.
-
Go back to IKEv2 on both sides. Then stop and start strongswan on both sides to make sure it definitely clears out the old IKEv1. That should do it. If you still can't pass traffic, post back what your IPsec status screen looks like. If it doesn't work, PM me if we can arrange remote access or Gotomeeting to check it out.
-
@cmb:
Go back to IKEv2 on both sides. Then stop and start strongswan on both sides to make sure it definitely clears out the old IKEv1. That should do it. If you still can't pass traffic, post back what your IPsec status screen looks like. If it doesn't work, PM me if we can arrange remote access or Gotomeeting to check it out.
Thanks for your reply,
I have finally managed to make it work, but unfortunately I have still had to revert back to 2.1.5.
Basically, for IPsec between 2.2 units, I had to create the tunnels all over again and disable the Cisco Unity plugin. Also, the tunnels only managed to start up for me in IKEv1.
- The reason I reverted back to 2.1.5 is because after disabling the Cisco Unity plugin, all my tunnels to our HO's hub wouldn't start up (they still use Cisco units).
Unfortunately I didn't have enough time to fiddle with this more, as I already had approx. 8 hours of downtime and cannot push this any further.
Thanks for your help again. I will definitely update to 2.2 once these outstanding issues have been addressed.