Cannot get multiple phase 2 to work on site-to-site (pfsense 2.2)



  • Near end: pfsense 2.2
    Far end: 3rd-party gateway running strongswan 4.5.2
    IKEv2/preshare

    No problem getting phase 1 to work. Also, no real problems getting one phase 2 to come up.

    However, if I try to add a second phase 2, the two will not work simultaneously: only one will come up. If I have the remote gateway initiate the connection, both phase 2s come up, but neither of the networks I have defined locally can connect to the remote network. If I have the remote gateway act passively and have pfsense initiate the connection, then only one of the two phase 2's will connect, but traffic will pass as expected. Very frustrating.

    Are there any known issues with multiple phase 2's on 2.2? Am I missing something?

    (LOCAL)
    phase 2 a: 192.168.10.0/24
    phase 2 b: 10.0.8.0/24 (openvpn tunnel)

    (REMOTE)
    phase 2 a: 172.16.1.0/24

    Any ideas?



    ![phase 2 a.png](/public/imported_attachments/1/phase 2 a.png)
    ![phase 2 b.png](/public/imported_attachments/1/phase 2 b.png)


    logs.txt
    remote_logs.txt



  • bump



  • @Strider3000:

    Are there any known issues with multiple phase 2's on 2.2? Am I missing something?

    There is a possible issue with IKE1 on pfSense 2.2 with multiple phase 2 but none that I am aware of for IKE2.  Funnily enough I have a pfSense 2.2 and 2.1.5 box with 2 x P2s over the same P1 and it has been stably operational for 11 days now.

    The fact that you have an OVPN tunnel being tunneled is immaterial; you should be able to create a P2 for literally any network pair - the router shouldn't care whether one end even exists locally.

    Now the tunnel is failing to start properly at P2, so have a look at the IPSEC logs at both ends.  Certainly on pfSense 2.2, the logs are a lot more useful (compared to 2.1) and quite often tell you what is wrong.

    If you are going config blind, then I suggest writing down the various components in a side by side comparison and staring at them until you lose the will to live, and then getting someone else to look at them.  Do not trust to memory - use copy/paste.  Look for silly things like mismatches in masks, algos, DH groups, etc. Something will be wrong somewhere.  If you can find it, scrape the config from your pfSense directly from the Strongswan config file to compare to the other end.

    Cheers
    Jon

    [Edited to make more sense: IKE2<->IKE1 is nonsense!]
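    The side-by-side comparison suggested above can be done in a few lines of Python. The script below is an added example, not code from this thread, from pfSense or from strongSwan: it parses the strongSwan `ipsec.conf` format from both ends, mirrors left/right so the two files can be lined up, and reports every local phase 2 whose subnet pair has no counterpart on the far end (the mask typo case) and every matched pair whose IKE or ESP proposals have nothing in common. The two configs embedded in it are constructed for the demonstration; on pfSense 2.2 the generated file is assumed to be `/var/etc/ipsec/ipsec.conf`, and the far end's file is whatever strongSwan reads there.

```python
"""Side-by-side comparison of the strongSwan ipsec.conf from both tunnel ends.

Added example: reads two ipsec.conf texts, matches phase 2 (conn) entries by
their mirrored subnet pair, and reports mask and proposal mismatches.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed sample: what the pfSense end (the "near end") might generate.
# Assumed location on pfSense 2.2: /var/etc/ipsec/ipsec.conf
LOCAL_CONF = """
conn con1
    keyexchange = ikev2
    left = 203.0.113.10
    right = 198.51.100.20
    leftsubnet = 192.168.10.0/24
    rightsubnet = 172.16.1.0/24
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!
    authby = secret

conn con2
    keyexchange = ikev2
    left = 203.0.113.10
    right = 198.51.100.20
    leftsubnet = 10.0.8.0/24
    rightsubnet = 172.16.1.0/24
    ike = aes256-sha256-modp2048!
    esp = aes256-sha256-modp2048!
    authby = secret
"""

# Constructed sample: the far end's ipsec.conf, with two deliberate mistakes
# (an ESP proposal using a different hash/DH group, and a /23 mask typo).
REMOTE_CONF = """
conn %default
    keyexchange = ikev2
    authby = secret

conn branch-lan
    left = 198.51.100.20
    right = 203.0.113.10
    leftsubnet = 172.16.1.0/24
    rightsubnet = 192.168.10.0/24
    ike = aes256-sha256-modp2048
    esp = aes256-sha1-modp1024      # hash and DH group differ from the near end

conn branch-ovpn
    left = 198.51.100.20
    right = 203.0.113.10
    leftsubnet = 172.16.1.0/24
    rightsubnet = 10.0.8.0/23       # mask typo: the near end says /24
    ike = aes256-sha256-modp2048
    esp = aes256-sha256-modp2048
"""


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf into {conn_name: {key: value}}.

    Section headers ('conn NAME', 'config setup', ...) start in column 0 and
    'key = value' lines belong to the most recent header. '#' comments are
    dropped, and 'conn %default' values are merged into every other conn.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.pop("conn %default", {})
    return {h[5:]: {**defaults, **p} for h, p in sections.items() if h.startswith("conn ")}


def _net(value: str) -> ipaddress.IPv4Network:
    """Normalise a subnet so 192.168.10.1/24 equals 192.168.10.0/24 but a wrong mask still differs."""
    return ipaddress.ip_network(value.strip(), strict=False)


def _proposals(value: str) -> Set[str]:
    """Split 'aes256-sha1-modp1024,aes128-sha256!' into a set, ignoring the strict '!' marker."""
    return {p.strip().lower() for p in value.rstrip("!").split(",") if p.strip()}


def compare_ends(local: Dict[str, Dict[str, str]], remote: Dict[str, Dict[str, str]]) -> List[str]:
    """Return findings. The far end sees the tunnel mirrored: local leftsubnet == remote rightsubnet."""
    findings: List[str] = []
    remote_by_pair = {(_net(p["rightsubnet"]), _net(p["leftsubnet"])): n
                      for n, p in remote.items() if "leftsubnet" in p and "rightsubnet" in p}
    for name, p in local.items():
        if "leftsubnet" not in p or "rightsubnet" not in p:
            continue
        pair = (_net(p["leftsubnet"]), _net(p["rightsubnet"]))
        peer = remote_by_pair.get(pair)
        if peer is None:
            findings.append(f"{name}: no remote phase 2 mirrors {pair[0]} <-> {pair[1]}; check masks on the far end")
            continue
        q = remote[peer]
        for key in ("keyexchange", "authby"):  # must match exactly
            if (p.get(key) or "").lower() != (q.get(key) or "").lower():
                findings.append(f"{name} <-> {peer}: {key} local={p.get(key)!r} remote={q.get(key)!r}")
        for key in ("ike", "esp"):  # one common proposal is enough to negotiate
            if not (_proposals(p.get(key, "")) & _proposals(q.get(key, ""))):
                findings.append(f"{name} <-> {peer}: {key} local={p.get(key)!r} remote={q.get(key)!r}")
    return findings


def run_comparison() -> List[str]:
    """Compare the two constructed configs above."""
    return compare_ends(parse_ipsec_conf(LOCAL_CONF), parse_ipsec_conf(REMOTE_CONF))


if __name__ == "__main__":
    for line in run_comparison() or ["no mismatches found"]:
        print(line)
```

    Run against real files, replace the two embedded strings with the contents of each end's `ipsec.conf`; the near end's `leftsubnet`/`rightsubnet` pairs are looked up against the far end's swapped pairs, so a phase 2 that only "exists" on one side or carries a wrong mask is reported before any algorithm is compared.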



  • It really depends on how the other side is configured.
    On IKEv2 you should not see any such problem at all.



  • I have had similar problem(s) but I've found a workaround.

    My configuration:

    Branch offices: pfSense v.2.2-RELEASE.
    Headquarters: FortiOS v.4.0 MR3 patch 7, behind a NAT device (pfSense v2.2-RELEASE).
    Each branch office is connected to HQ via multiple IPsec (phase 2) SA's.

    My problems:

    1: charon fails to initiate IKE (v2) connection to FortiOS. It can only work as responder.

    2: charon fails to rekey IKE (phase 1) SA.

    Workaround: Configure a very long lifetime for both Phase 1 and 2 at the pfSense device. Namely:

    Pfsense 2.2 phase 1 90000s, phase 2 90000s.

    FortiOS 4.0 phase 1 9000s, phase 2 3000s.



    I have had the same issue since upgrading to 2.2. Multiple phase 2 entries will not stay up at the same time. If I log out the session, at either end, it will only ever bring up the one. Which one depends on which I am sending traffic to at the time.

    I have attempted this from multiple Cisco IOS versions (9.2(2)4, 8.2(5), etc) with the same results. If I go Cisco to Cisco using the same settings/location/IP address, no issues.

    Is there an easy way to roll back the update?



    I found my fix in another thread, bug found by tpetrov.

    You cannot press the + to add a copy of the first P2 and modify it. You must create a new P2 from scratch.

    I removed my P1 and both P2's, restarted services and rebuilt the tunnel, both came up successfully.

    Hopefully this helps others, and many thanks to tpetrov.



  • @fyfebc:

    I found my fix in another thread, bug found by tpetrov.

    You cannot press the + to add a copy of the first P2 and modify it. You must create a new P2 from scratch.

    This was fixed some time ago, it's fine to do that in 2.2.1 and newer.

