Netgate Discussion Forum
    Upgraded to 2.2 ipsec tunnels stop passing traffic

    IPsec
    8 Posts 4 Posters 2.9k Views
      lw9474

      Upgraded to 2.2 last night. Now having problems with tunnels. The scenario is many 2.2 endpoints connecting to a 2.1.5 endpoint. Cannot upgrade 2.1.5 due to multiple P2 entries.
      All tunnels use main mode, MD5/3DES. I am looking at several of the endpoints that the network manager shows down; they show a common message: "unable to query SAD entry with SPI cbe596e8: No such file or directory".

      I just noticed that the 2.2 upgrade sets "Prefer older IPsec SAs" under the advanced options. Is it possible this is causing the problem?

      Looks like the ones that are dying had "Prefer older SA" set when they were upgraded. We are checking the list now to turn it off on any of them that were that way. Will post an update after that.

      Based on the network monitor, turning off the "Prefer older SA" setting on the advanced tab has solved the problem. This setting used to be under the System/Advanced/Miscellaneous tab and is now under the VPN tab. It looks like all of the first batch we ever did had this flag set. Until the remote endpoints got on 2.2 the system did not bark about it.

        tlachau

        Similar setup here with a 2.2 endpoint connecting to 2.1.5, with the same problem.

        The flag is set on both 2.2 and 2.1.5… did you have a mismatch, or did you just disable it on the 2.2 side or both?

          lw9474

          It was only turned on on the 2.2 sides of the tunnels, so we turned it off on the 2.2 sides.

            lw9474

            We are still experiencing the same problem between pfSense 2.2 and an Astaro router. Both sides show the tunnel as up, but traffic will not pass through the tunnel. So far the only solution has been to hit Disconnect on the status page and then reconnect.

              abidkhanhk

              @lw9474:

              "We are still experiencing the same problem between pfSense 2.2 and an Astaro router. Both sides show the tunnel as up, but traffic will not pass through the tunnel. So far the only solution has been to hit Disconnect on the status page and then reconnect."

              Same issue here, but between two pfSense boxes, both on the latest 2.2; both have to be reconnected. From the logs it shows as a rekeying issue. :'(

                relfie

                Hi,

                We are seeing exactly this problem when the tunnel tries to rekey. We have multiple phase 2 child connections under the phase 1. We already have "Prefer older IPsec SAs" unchecked in the advanced options, and this has not fixed the problem for us.

                It is causing us MAJOR issues, as the only way we can get the tunnel to start passing traffic again is to manually issue an "ipsec down conxxx" command, then allow the tunnel to re-establish.

                We see a DPD packet sent from us to the peer and a DPD response packet come back, but the phase 2 tunnel is no longer passing traffic.

                This is causing us so much of a problem that we are considering binning all our pfSense installations and purchasing commercial firewalls. I am beginning to wonder if we have made a mistake using pfSense.

                Regards,

                Mar Relf

                  lw9474

                  None of our tunnels that are doing this have multiple phase 2s. 8 of them are connecting to an Astaro on the other side. 5 of them are going to the pfSense 2.1.5 router. Turning off "Prefer older SA" fixed the majority of the problem. We still have about 20% of the tunnels that are having issues. We have been going into the IPsec status page and using the Disconnect and Connect option. That brings it back up, but it is a pain. It seems to be related to the rekeying process when the key lifetime expires.

                  Hopefully someone will suggest a solution. I do not think pfSense is a mistake. We have hit a bump in the road with this IPsec issue.

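The posts above describe the same manual recovery twice: Disconnect/Connect on Status > IPsec (lw9474) and "ipsec down conxxx" from the shell (relfie), because after a failed rekey charon still reports the IKE SA as established while the phase 2 child SA is gone or no longer carrying traffic. The script below is an added example, not code from this thread or from pfSense/strongSwan, that automates the check a practitioner would otherwise do by eye: it parses "ipsec statusall" text, flags connections whose IKE SA is ESTABLISHED with no INSTALLED child SA, or whose child SA has sent bytes but received none, and prints the CLI restart commands for them. It assumes the strongSwan 5.x status format shipped with pfSense 2.2; the connection names con1..con3, addresses, SPIs and byte counts in the sample are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not pfSense's or strongSwan's own code). Finds tunnels that
# charon reports as "up" but that are unlikely to be passing traffic, in the
# two shapes the thread describes after a failed rekey:
#   no-child-sa : IKE SA ESTABLISHED, but no CHILD SA is INSTALLED for it
#   no-inbound  : CHILD SA INSTALLED, bytes sent, but nothing received back
# Input is the text of `ipsec statusall` (strongSwan 5.x as on pfSense 2.2).
# Connection names such as con1/con2/con3 are placeholders; real names come
# from the statusall output itself.

# stalled_conns: read `ipsec statusall` text on stdin, print "<conn> <reason>"
# per suspect connection, one per line, sorted by name.
stalled_conns() {
    awk '
        # IKE SA line, e.g.  con1[3]: ESTABLISHED 27 minutes ago, ...
        $2 == "ESTABLISHED" && index($1, "[") > 0 {
            name = substr($1, 1, index($1, "[") - 1)
            ike[name] = 1
        }
        # CHILD SA header, e.g.  con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ...
        $2 == "INSTALLED," && index($1, "{") > 0 {
            name = substr($1, 1, index($1, "{") - 1)
            child[name] = 1
        }
        # CHILD SA traffic line, e.g.  con1{5}:  3DES_CBC/HMAC_MD5_96, 0 bytes_i, 512 bytes_o (...)
        # The number precedes the "bytes_i"/"bytes_o" token; sum over all children of a conn.
        index($1, "{") > 0 && /bytes_i/ {
            name = substr($1, 1, index($1, "{") - 1)
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^bytes_i,?$/) bi[name] += $(i - 1)
                if ($i ~ /^bytes_o,?$/) bo[name] += $(i - 1)
            }
        }
        END {
            for (n in ike)   if (!(n in child))           print n, "no-child-sa"
            for (n in child) if (bo[n] > 0 && bi[n] == 0) print n, "no-inbound"
        }
    ' | sort
}

# restart_cmds: for each connection named on stdin (first field), print the
# CLI equivalent of Disconnect/Connect on Status > IPsec. Pipe into sh to run.
restart_cmds() {
    awk '{ printf "ipsec down %s && ipsec up %s\n", $1, $1 }'
}

# Constructed sample of `ipsec statusall` output (not from a real system):
# con1 is healthy, con2 lost its CHILD SA at rekey, con3 is INSTALLED but has
# received nothing back from the peer.
SAMPLE_STATUS='Security Associations (3 up, 0 connecting):
      con1[3]: ESTABLISHED 27 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
      con1[3]: IKEv1 SPIs: 1a2b3c4d5e6f7081_i* 8899aabbccddeeff_r, pre-shared key reauthentication in 7 hours
      con1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80101_i c0a80202_o
      con1{5}:  3DES_CBC/HMAC_MD5_96, 40960 bytes_i (320 pkts, 2s ago), 38912 bytes_o (304 pkts, 2s ago), rekeying in 31 minutes
      con1{5}:   10.0.1.0/24 === 10.0.2.0/24
      con2[4]: ESTABLISHED 58 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.30[198.51.100.30]
      con2[4]: IKEv1 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 6 hours
      con3[6]: ESTABLISHED 61 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.40[198.51.100.40]
      con3[6]: IKEv1 SPIs: 1111222233334444_i* 5555666677778888_r, pre-shared key reauthentication in 6 hours
      con3{9}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: c7a1b2c3_i d4e5f6a7_o
      con3{9}:  3DES_CBC/HMAC_MD5_96, 0 bytes_i, 12288 bytes_o (96 pkts, 1s ago), rekeying in 29 minutes
      con3{9}:   10.0.1.0/24 === 10.0.4.0/24'

# Stand-alone run against the constructed sample: list the suspects, then the
# restart commands. On a live box replace the printf with `ipsec statusall`
# and append `| sh` to the second pipeline to actually bounce the tunnels.
printf '%s\n' "$SAMPLE_STATUS" | stalled_conns
printf '%s\n' "$SAMPLE_STATUS" | stalled_conns | restart_cmds
```

The "no-inbound" rule is a heuristic: a tunnel whose remote side legitimately sends nothing, or one that was just established, will also show 0 bytes_i, so in a cron job it should only trigger for child SAs that are older than a few minutes, and `ipsec down`/`ipsec up` drops any traffic still in flight on that conn.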
                    abidkhanhk

                    Definitely a rekeying issue with strongSwan >:(

                    Suggest switching all links to OpenVPN. I already have, with only the most critical ones being handled by a Linksys SOHO router.

                    rgds

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.