Upgraded to 2.2, IPsec tunnels stop passing traffic



  • Upgraded to 2.2 last night.  Now problems with tunnels.  The scenario is many 2.2 endpoints connecting to a 2.1.5 endpoint.  Cannot upgrade 2.1.5 due to multiple P2 entries.
    All tunnels use main mode md5 3des.  I am looking at several of the endpoints that the network manager shows down; they show a common message: unable to query SAD entry with SPI cbe596e8: No such file or directory.

    I just noticed that the 2.2 upgrade sets "Prefer older IPsec SA" under the advanced options.  Is it possible this is causing the problem?

    Looks like the ones that are dying had prefer older sa set when they were upgraded.  We are checking the list now to turn it off on any of them that were that way.  Will post an update after that.

    Based on the network monitor, turning off the "Prefer older SA" setting in the advanced tab has solved the problem.  This setting used to be under the System/Advanced/Miscellaneous tab and is now under the VPN tab.  It looks like all of the first batch we ever did had this flag set.  Until the remote endpoints got on 2.2 the system did not bark about it.
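    As an added example (not code from this thread, from pfSense or from strongSwan), here is a small Python checker that picks the "unable to query SAD entry with SPI ...: No such file or directory" message quoted above out of the IPsec log and groups it by SPI. A tunnel that the status page shows as up, but whose outbound SA the kernel no longer holds, keeps producing this line, so counting repeats per SPI flags the stale tunnel before users report it. The log lines are constructed for the example, and the repeat threshold is an assumption.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not a real capture). The message text
# "unable to query SAD entry with SPI ...: No such file or directory" is the
# one quoted in the thread; hosts, timestamps, thread ids and SPI values
# are made up for the example.
SAMPLE_LOG = """\
Jan 24 03:12:01 fw1 charon: 07[KNL] unable to query SAD entry with SPI cbe596e8: No such file or directory
Jan 24 03:12:31 fw1 charon: 09[KNL] unable to query SAD entry with SPI cbe596e8: No such file or directory
Jan 24 03:12:40 fw1 charon: 10[IKE] sending DPD request
Jan 24 03:12:41 fw1 charon: 10[IKE] received DPD response
Jan 24 03:13:01 fw1 charon: 11[KNL] unable to query SAD entry with SPI cbe596e8: No such file or directory
Jan 24 03:14:09 fw1 charon: 05[KNL] unable to query SAD entry with SPI 0a1b2c3d: No such file or directory
"""

# Matches the SAD lookup failure and captures the syslog timestamp and the
# hex SPI that the daemon could not find in the kernel.
SAD_ERROR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+charon: .*?"
    r"unable to query SAD entry with SPI (?P<spi>[0-9a-fA-F]+): No such file or directory"
)


@dataclass
class SpiRecord:
    count: int = 0
    first_seen: str = ""
    last_seen: str = ""


def parse_sad_errors(lines):
    """Group SAD lookup failures by SPI, keeping a count and first/last timestamp."""
    records = defaultdict(SpiRecord)
    for line in lines:
        m = SAD_ERROR_RE.search(line)
        if not m:
            continue
        rec = records[m.group("spi").lower()]
        if rec.count == 0:
            rec.first_seen = m.group("ts")
        rec.count += 1
        rec.last_seen = m.group("ts")
    return dict(records)


def stale_spis(records, threshold=3):
    """SPIs reported missing at least `threshold` times (threshold is an assumption).

    Repeated failures for one SPI mean the daemon keeps referencing an SA the
    kernel no longer has, which is what a tunnel that shows 'up' but passes no
    traffic after a rekey looks like in the log.
    """
    return sorted(spi for spi, rec in records.items() if rec.count >= threshold)


if __name__ == "__main__":
    recs = parse_sad_errors(SAMPLE_LOG.splitlines())
    for spi, rec in sorted(recs.items()):
        print(f"SPI {spi}: {rec.count} failures ({rec.first_seen} .. {rec.last_seen})")
    print("suspect SAs:", stale_spis(recs))
```

    Feed it the IPsec log from the box that shows the symptom; a single hit can be a transient race during rekey, so only SPIs that keep repeating are reported.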



  • Similar setup here with 2.2 endpoint connecting to 2.1.5 with the same problem

    The flag is set on both 2.2 and 2.1.5… did you have a mismatch, or did you just disable it on the 2.2 side or both?



  • It was only turned on on the 2.2 sides of the tunnels so we turned it off on the 2.2 sides.



  • We are still experiencing the same problem between pfSense 2.2 and an Astaro router.  Both sides show the tunnel as up but traffic will not pass through the tunnel.  So far the only solution has been to hit disconnect on the status page and then reconnect.



  • @lw9474:

    We are still experiencing the same problem between pfSense 2.2 and an Astaro router.  Both sides show the tunnel as up but traffic will not pass through the tunnel.  So far the only solution has been to hit disconnect on the status page and then reconnect.

    Same issue here, but between 2 PF boxes both on the latest 2.2; both have to be reconnected.  From the logs it shows as a rekeying issue.  :'(



  • Hi,

    We are seeing exactly this problem when the tunnel tries to rekey.  We have multiple phase 2 child connections under the phase 1.  We already have "Prefer older IPsec SAs" unchecked in the advanced options and this has not fixed the problem for us.

    It is causing us MAJOR issues as the only way we can get the tunnel to start passing traffic again is to manually issue an ipsec down conxxx command, then allow the tunnel to re-establish.

    We see a DPD packet sent from us to the peer and a DPD response packet come back - but the phase 2 tunnel is no longer passing traffic.

    This is causing us so much of a problem that we are considering binning all our pfSense installations and purchasing commercial firewalls - I am beginning to wonder if we have made a mistake using pfSense.

    Regards,

    Mar Relf



  • None of our tunnels that are doing this have multiple phase 2s.  8 of them are connecting to an Astaro on the other side.  5 of them are going to the pfSense 2.1.5 router.  Turning off "Prefer older SA" fixed the majority of the problem.  We still have about 20% of the tunnels that are having issues.  We have been going into the IPsec status page and using the disconnect and connect option.  That brings it back up.  But it is a pain.  It seems to be related to the rekeying process when the key lifetime expires.

    Hopefully someone will suggest a solution.  I do not think pfSense is a mistake.  We have hit a bump in the road with this IPsec issue.



  • Definitely a rekeying issue with strongSwan >:(

    Suggest switching all links to OpenVPN.  I already have, with only the most critical ones being handled by a Linksys SOHO router.

    rgds