Deleting Duplicate IKE_SA on pfSense 2.2



  • Hello,

    I have mobile users each having, say, two devices. Each is trying to use an IPsec tunnel into a corporate network running pfSense 2.2.

    I don't know where the clients may be or what networks they may be on.

    What I'm finding is that one device of the user connects into the VPN successfully and a tunnel is established. However, if the other device of the user attempts to connect, it fails and even sometimes kicks the first device off.

    It appears that I'm getting this "deleting duplicate IKE_SA for peer 'XXXX' due to uniqueness policy"

    In pfSense 2.1 there was a way to set the uniqueness, but it doesn't seem to be exposed on pfSense 2.2. I see that in the ipsec.conf file, "uniqueids" is set to yes.

    It's important for me that my mobile users, with multiple devices, can all connect to our corporate network. Is there a way around this, that doesn't seem to involve creating multiple user accounts for each device that the user may have?

    Thank you very much :-)

    -=david=-



  • So your users have multiple devices behind NAT and they cannot reuse their user on another device because it will disconnect them?

    Can you try changing /var/etc/ipsec/ipsec.conf to "uniqueids = no" and report if that fixes it?



  • Hello!

    Hi, thanks for the reply. I'll give it a shot and see how it goes :-)

    -=david=-



  • Hi,

    My quick experimentation seems to show it working. I have in "config setup" the value "uniqueids = no" and was able to connect 3 devices behind my firewall (NATted) directly into the corporate network successfully.

    If I modify the ipsec.conf file directly (using vi), it gets overwritten by the web UI if/when I restart it via that means (or make any conf changes via the UI).

    Perhaps, if tested a bit further and shown to work, could this "uniqueids" setting and its valid values be exposed as a dropdown in the UI please?

    Thanks.

    -=david=-



  • The option will be on 2.2.1 RELEASE.
    For now you can apply the patch manually https://github.com/pfsense/pfsense/commit/908edbd3d17a6fac747b6583322be9e547026f7f



  • Hi!

    w00t! Thanks! Much appreciated :-)

    -=david=-



  • Hi,

    pfSense 2.2.1

    I've been looking to test out this patch, which was applied and then came out with pfSense 2.2.1, but it doesn't appear to set the value! :-(

    VPN > IPsec > Advanced Settings > Configure Unique IDs as.

    If I set it to "no" and click Apply, the value in /var/etc/ipsec/ipsec.conf remains "uniqueids = yes".

    Indeed, if I refresh the page, the NO changes to YES.

    Am I doing something incorrect?

    -=david=-
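Because pfSense regenerates /var/etc/ipsec/ipsec.conf from the UI, the only reliable way to know which policy strongSwan is actually running with is to read the generated file after clicking Apply. The script below is an added example (not code from this thread or from the pfSense project): it extracts the effective "uniqueids" value from a strongSwan ipsec.conf, treating an absent key as strongSwan's default of "yes", and writes constructed sample configs showing the 2.2 default beside the setting the thread needs. The file path, the sample "conn" section and the helper names are assumptions for the example; the strongSwan "uniqueids" values (yes, no, never, replace, keep) and its "yes" default are strongSwan's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: report which
# strongSwan "uniqueids" policy a generated ipsec.conf carries, so a UI change
# (or a manual edit that the UI may later overwrite) can be verified before
# testing with a second device. The sample configs are constructed here.
set -u

# Print the effective uniqueids value from a strongSwan ipsec.conf ($1).
# Only the "config setup" section is consulted, commented-out lines are
# ignored, and strongSwan's default ("yes") is reported when the key is absent.
ipsec_uniqueids() {
    awk '
        /^[ \t]*config[ \t]+setup[ \t]*$/ { insetup = 1; next }
        /^[ \t]*(conn|ca)[ \t]/           { insetup = 0 }
        insetup && /^[ \t]*uniqueids[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")      # drop "uniqueids ="
            sub(/[ \t]*#.*$/, "")         # drop a trailing comment
            sub(/[ \t]+$/, "")            # drop trailing blanks
            v = $0                        # last assignment wins
        }
        END { print (v == "" ? "yes" : v) }' "$1"
}

# Write a constructed ipsec.conf to $1 with uniqueids set to $2.
# Pass "" to omit the key, which leaves strongSwan at its default.
make_sample() {
    {
        echo "config setup"
        if [ -n "$2" ]; then
            echo "    uniqueids = $2"
        fi
        echo "    # uniqueids = never   <- comment, must not be picked up"
        echo ""
        echo "conn mobile"                # assumed minimal conn, for illustration only
        echo "    keyexchange = ikev1"
        echo "    auto = add"
    } > "$1"
}

# Demonstration: the pfSense 2.2 default beside the setting from the thread.
demo() {
    tmp=$(mktemp -d) || exit 1
    make_sample "$tmp/replace.conf" yes   # 2.2 default: a second IKE_SA for the same
                                          # identity replaces the first (the
                                          # "deleting duplicate IKE_SA" log line)
    make_sample "$tmp/multi.conf"   no    # several IKE_SAs per identity may coexist
    make_sample "$tmp/unset.conf"   ""    # key absent: strongSwan defaults to yes
    for f in replace multi unset; do
        printf '%-8s uniqueids=%s\n' "$f" "$(ipsec_uniqueids "$tmp/$f.conf")"
    done
    rm -rf "$tmp"
}

demo
# On a pfSense box, check the generated file instead:
#   ipsec_uniqueids /var/etc/ipsec/ipsec.conf
```

With "uniqueids = no" a device that drops off the network without sending a Delete leaves its old IKE_SA in place until dead peer detection or rekeying clears it, so expect to see more than one SA per identity in `ipsec statusall` for a while; that is the trade-off for letting two devices share one account.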



  • Same here!!



  • Hi,

    This does appear to be a bug. How do I raise a bug report on this? (Redmine?)

    -=david=-

