Netgate Discussion Forum

    Deleting Duplicate IKE_SA on pfSense 2.2

Category: IPsec
9 Posts, 3 Posters, 5.1k Views
dharrigan:

Hello,

I have mobile users each having, say, two devices. Each is trying to use an ipsec tunnel into a corporate network running pfsense 2.2.

I don't know where the clients may be or what networks they may be on.

What I'm finding is that one device of the user connects into the VPN successfully and a tunnel is established. However, if the other device of the user attempts to connect, it fails and even sometimes kicks the first device off.

It appears that I'm getting this: "deleting duplicate IKE_SA for peer 'XXXX' due to uniqueness policy".

In pfSense 2.1 there was a way to set the uniqueness, but it doesn't seem to be exposed on pfSense 2.2. I see that in the ipsec.conf file, "uniqueids" is set to yes.

It's important for me that my mobile users, with multiple devices, can all connect to our corporate network. Is there a way around this that doesn't seem to involve creating multiple user accounts for each device that the user may have?

Thank you very much :-)

-=david=-

eri--:

So your users have multiple devices behind NAT and they cannot reuse their user on another device because it will disconnect them?

Can you try changing /var/etc/ipsec/ipsec.conf to uniqueids = no and report if that fixes it?

dharrigan:

Hello!

Hi, thanks for the reply. I'll give it a shot and see how it goes :-)

-=david=-

dharrigan:

Hi,

My quick experimentation seems to show it working. I have in "config setup" the value "uniqueips = no" and was able to connect 3 devices behind my firewall (natted) directly into the corporate network successfully.

If I modify the ipsec.conf file directly (using vi), it gets overwritten by the web UI if/when I restart it via that means (or make any conf changes via the UI).

Perhaps, if tested a bit further and shown to work, could this "uniqueips" and its valid values be exposed as a dropdown on the UI please?

Thanks.

-=david=-

eri--:

The option will be on 2.2.1 RELEASE.
For now you can apply the patch manually: https://github.com/pfsense/pfsense/commit/908edbd3d17a6fac747b6583322be9e547026f7f

dharrigan:

Hi!

w00t! Thanks! Much appreciated :-)

-=david=-

dharrigan:

Hi,

pfSense 2.2.1

I've been looking to test out this patch that was applied and then came out with pfSense 2.2.1, but it doesn't appear to set the value! :-(

VPN > IPsec > Advanced Settings > Configure Unique IDs as.

If I set it as "no" and click apply, the value in /var/etc/ipsec/ipsec.conf remains as "uniqueips = yes".

Indeed, if I refresh the page, the NO changes to YES.

Am I doing something incorrect?

-=david=-

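As an added example (not from the thread, and not pfSense or strongSwan code), a small Python check for the two things discussed in this thread: whether the generated /var/etc/ipsec/ipsec.conf actually carries the uniqueids value chosen in the UI, and which peer identities are losing tunnels to the "deleting duplicate IKE_SA ... due to uniqueness policy" message from the first post. The config text and log lines are constructed samples; the set of valid values is strongSwan's own list for uniqueids.

```python
import re
from collections import Counter

# Constructed "config setup" block in the shape pfSense writes to /var/etc/ipsec/ipsec.conf.
SAMPLE_IPSEC_CONF = """\
config setup
\tuniqueids = yes

conn bypasslan
\tleftsubnet = 192.168.1.0/24
"""

# Constructed charon log lines in the shape quoted in the thread.
SAMPLE_LOG = """\
charon: 09[IKE] <con1|8> deleting duplicate IKE_SA for peer 'user@example.org' due to uniqueness policy
charon: 10[IKE] <con1|9> deleting duplicate IKE_SA for peer 'user@example.org' due to uniqueness policy
charon: 11[IKE] <con1|10> deleting duplicate IKE_SA for peer 'other@example.org' due to uniqueness policy
charon: 12[IKE] <con1|11> IKE_SA con1[11] established between 203.0.113.5[%any]...198.51.100.2[user@example.org]
"""

# Values strongSwan accepts for uniqueids in "config setup".
VALID_UNIQUEIDS = {"yes", "no", "never", "replace", "keep"}

def read_uniqueids(conf_text):
    """Return the uniqueids value from 'config setup', or None if it is not set there.
    Only the global section counts: a uniqueids key inside a conn block is ignored."""
    in_setup = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented line starts a new section
            in_setup = line == "config setup"
            continue
        m = re.match(r"uniqueids\s*=\s*(\S+)", line) if in_setup else None
        if m:
            return m.group(1).strip('"').lower()
    return None

def setting_applied(conf_text, expected):
    """True if the generated file carries the value chosen in the UI. In the thread,
    choosing 'no' left the file at 'yes'; this returns False for exactly that case."""
    if expected not in VALID_UNIQUEIDS:
        raise ValueError(f"not a strongSwan uniqueids value: {expected!r}")
    return read_uniqueids(conf_text) == expected

def count_duplicate_deletions(log_text):
    """Per-peer count of IKE_SAs torn down by the uniqueness policy."""
    pat = re.compile(r"deleting duplicate IKE_SA for peer '([^']+)' due to uniqueness policy")
    return Counter(m.group(1) for m in map(pat.search, log_text.splitlines()) if m)
```

Running read_uniqueids over the live file after clicking Apply shows whether the UI change actually reached the daemon's configuration, which is the check the bug report above needed.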
neurobashing:

Same here!!

dharrigan:

Hi,

This does appear to be a bug. How do I raise a bug report on this? (Redmine?)

-=david=-

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.