IPSec not working after upgrade to 2.2.1 from 2.1.X

  • Hello Everyone,

    I've done some searching and have seen people having similar problems but no real cure. After upgrading to 2.2.1 IPSec seems to be completely non-functional for us.

    Things I've tried:

    • re-created the configs
    • rebooted
    • tried different clients including but not limited to OSX, MikroTik Router and a Windows client that I do not know the name of (co-worker tried this one)

    Things I've noticed:

    • Can't set Phase to Aggressive.  It always defaults back to main after I save, exit and return to the edit
    • The page that shows the phase 1 summary shows a blank box for mode.

    Here are the screenshots of my config as pfsense reports back. I've removed the PSK and Group Name for obvious reasons :)


    Local Network is

    We are able to connect, we get an IP but traffic does not seem to go anywhere.
    I can not ping the assigned IP locally

    I've re-enabled PDP (didn't realize I had left it off) also under the IPSec Firewall Rules I have IPV4 * * * *…..

    If there are any other details I can share please let me know

    I really do appreciate any help

  • IPSEC & LAN rules?
    If connecting works and you get an IP but you can't reach a thing, mostly it's the rules which aren't configured well!

  • IPSec has a rule of ipv4 * * * * * allow
    WAN has no rules specific to it
    Various vlans (for testing purposes) have ipv4 * * * * * (or however many * it is)

    Does no one else think it odd that the summary page has an empty box for the mode, i.e. it does not list main or aggressive?

    Would love any sort of feedback on this as it's starting to get frustrating

  • Your mode is set to "auto" rather than IKEv1 or IKEv2 in the screenshot. Another screenshot seems to show it's set to IKEv2.


    Does no one else think it odd that the summary page has an empty box for the mode, i.e. it does not list main or aggressive?

    That's what happens when you have IKEv2 selected, as mode isn't relevant there.

    I'm guessing you want it to be on IKEv1 given it's for a setup that worked in 2.1.x and that was the only option there. Set IKEv1 in your P1 and try again.

    Thank you, that did not seem to fix the underlying issue. We are able to connect but are unable to pass traffic back or forth. When the connection is established I am unable to ping the assigned IP locally.

    Honestly this is not my cup of tea. I would be more than happy with a set of troubleshooting steps that may help get us up and running again.

    Thank you in advance.

    The other main difference there between 2.1.x and 2.2.x is the "local network" field in the P2 entry is actually enforced. If you need to send all traffic over the VPN, make sure that's set to Otherwise should be set to the specific local network you want the clients to reach.
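    As an added illustration (not from the thread and not pfSense's own code), a small Python checker that encodes the three things the replies above point at: the IKE type versus the main/aggressive mode box, the P2 local network now being enforced in 2.2.x, and pass rules on the IPsec interface. The dictionary keys and the sample values are assumptions, not pfSense's real config keys.

```python
import ipaddress

# Assumed field names (not pfSense's config keys): p1["iketype"] in
# {"auto", "ikev1", "ikev2"}, p1["mode"] in {"main", "aggressive"},
# p2["local_network"] as CIDR, rules as dicts with an "action" key.
def check_ipsec(p1: dict, p2: dict, ipsec_rules: list, client_needs: list) -> list:
    """Return human-readable findings for a mobile-client P1/P2 pair."""
    findings = []

    # 1. Main/aggressive only exists for IKEv1. With "auto" or "ikev2" the
    #    summary box is blank and a saved mode silently reverts.
    if p1.get("iketype") != "ikev1" and p1.get("mode"):
        findings.append(
            f"P1 key exchange is '{p1['iketype']}': mode '{p1['mode']}' is ignored; "
            "a setup that worked on 2.1.x should use IKEv1")

    # 2. Since 2.2.x the P2 local network is enforced: anything the client
    #    must reach that lies outside it never enters the tunnel.
    local = ipaddress.ip_network(p2["local_network"], strict=False)
    for dest in client_needs:
        if not ipaddress.ip_network(dest, strict=False).subnet_of(local):
            findings.append(f"P2 local network {local} does not cover {dest}")

    # 3. Clients reach the LAN only through pass rules on the IPsec interface.
    if not any(r.get("action") == "pass" for r in ipsec_rules):
        findings.append("no pass rule on the IPsec interface")

    return findings


# Constructed sample mirroring the thread: IKE type left on "auto" with
# aggressive mode chosen, and a P2 local network narrower than the
# destinations the client has to reach. Addresses are documentation ranges.
SAMPLE_P1 = {"iketype": "auto", "mode": "aggressive"}
FIXED_P1 = {"iketype": "ikev1", "mode": "aggressive"}
SAMPLE_P2 = {"local_network": "192.0.2.0/24"}
SAMPLE_RULES = [{"action": "pass", "proto": "any"}]
CLIENT_NEEDS = ["192.0.2.0/24", "198.51.100.0/24"]

if __name__ == "__main__":
    for finding in check_ipsec(SAMPLE_P1, SAMPLE_P2, SAMPLE_RULES, CLIENT_NEEDS):
        print("-", finding)
```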

    If you're sure the tunnel gets built in the right manner then only the rules pls!

    Can you post the details from your P1 and P2!
    Don't forget to blank out passwords/keys etc!

    Also your rules from f1 and f2 pls?
    Or replace your internal addresses if you don't wanna show these! (or pm me? I'm in GMT+2)

