IPSec tunnel P2 not working when started automatically
-
So, upgraded to 2.2.2 and all seemed fine with our IKEv2/PSK tunnel to a Cisco ASA. No connection problems and the traffic drops we were experiencing with 2.2.1 at P2 reauth time were fixed.
One week later, no configuration changes on either side, the tunnel just stops working. P1 comes up but P2 will not. The ASA says there are no matching policies, and the traffic selectors are bad. What does make it work is setting the P1 to responder only, and manually starting the tunnel from the status page.
We had the same problem with 2.2 snapshots, and it just went away by itself. I had assumed that it was resolved by one of the fixes in a snapshot release, but the fact that it has come back, all by itself, may indicate otherwise.
Here is a good traffic selector, from a manual start of the tunnel:
(304): TSi
(304): Next payload: TSr, reserved: 0x0, length: 24
(304): Num of TSs: 1, reserved 0x0, reserved 0x0
(304): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(304): start port: 0, end port: 65535
(304): start addr: 192.168.244.0, end addr: 192.168.244.255
(304): TSr
(304): Next payload: NOTIFY, reserved: 0x0, length: 24
(304): Num of TSs: 1, reserved 0x0, reserved 0x0
(304): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(304): start port: 0, end port: 65535
(304): start addr: 192.168.242.0, end addr: 192.168.242.255
And here's the bad one, initiated automatically by a ping to a remote IP. Note the (sanitized) WAN IP addresses are included.
(305): TSi
(305): Next payload: TSr, reserved: 0x0, length: 40
(305): Num of TSs: 2, reserved 0x0, reserved 0x0
(305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305): start port: 0, end port: 65535
(305): start addr: 111.111.111.111, end addr: 111.111.111.111
(305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305): start port: 0, end port: 65535
(305): start addr: 192.168.244.0, end addr: 192.168.244.255
(305): TSr
(305): Next payload: NOTIFY, reserved: 0x0, length: 40
(305): Num of TSs: 2, reserved 0x0, reserved 0x0
(305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305): start port: 0, end port: 65535
(305): start addr: 222.222.222.222, end addr: 222.222.222.222
(305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(305): start port: 0, end port: 65535
(305): start addr: 192.168.242.0, end addr: 192.168.242.255
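Added example, not from the original thread: a small Python parser for the ASA traffic-selector debug lines quoted above that extracts each TSi/TSr address range and flags any range not wholly inside the configured P2 networks, so the stray WAN /32 entries in the second exchange are reported rather than spotted by eye. It assumes the P2 networks are 192.168.244.0/24 (local, TSi) and 192.168.242.0/24 (remote, TSr), as in the post's good exchange, and embeds the post's two excerpts as constructed sample input.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample input: the two ASA IKEv2 debug excerpts quoted in the post,
# in the flattened one-line form in which they appear there (WAN IPs sanitized as in the post).
GOOD = ("(304): TSi(304): Next payload: TSr, reserved: 0x0, length: 24 (304): Num of TSs: 1, reserved 0x0, "
        "reserved 0x0 (304): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (304): start port: 0, end port: 65535 "
        "(304): start addr: 192.168.244.0, end addr: 192.168.244.255 (304): TSr(304): Next payload: NOTIFY, reserved: 0x0, "
        "length: 24 (304): Num of TSs: 1, reserved 0x0, reserved 0x0 (304): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, "
        "length: 16 (304): start port: 0, end port: 65535 (304): start addr: 192.168.242.0, end addr: 192.168.242.255")
BAD = ("(305): TSi(305): Next payload: TSr, reserved: 0x0, length: 40 (305): Num of TSs: 2, reserved 0x0, reserved 0x0 "
       "(305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (305): start port: 0, end port: 65535 "
       "(305): start addr: 111.111.111.111, end addr: 111.111.111.111 (305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, "
       "length: 16 (305): start port: 0, end port: 65535 (305): start addr: 192.168.244.0, end addr: 192.168.244.255 "
       "(305): TSr(305): Next payload: NOTIFY, reserved: 0x0, length: 40 (305): Num of TSs: 2, reserved 0x0, reserved 0x0 "
       "(305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16 (305): start port: 0, end port: 65535 "
       "(305): start addr: 222.222.222.222, end addr: 222.222.222.222 (305): TS type: TS_IPV4_ADDR_RANGE, proto id: 0, "
       "length: 16 (305): start port: 0, end port: 65535 (305): start addr: 192.168.242.0, end addr: 192.168.242.255")
# P2 networks the tunnel is configured for, per the post: local (TSi) and remote (TSr).
EXPECTED = {"TSi": ["192.168.244.0/24"], "TSr": ["192.168.242.0/24"]}

ENTRY = re.compile(r"\(\d+\):\s*")   # every ASA debug line starts with "(NNN): "
ADDR = re.compile(r"start addr:\s*([\d.]+),\s*end addr:\s*([\d.]+)")

def parse_selectors(text):
    """Return {'TSi': [(start, end), ...], 'TSr': [...]} from ASA IKEv2 debug output.
    Splitting on the '(NNN):' prefix works on real multi-line output and on the
    flattened one-line form alike."""
    selectors = {"TSi": [], "TSr": []}
    side = None
    for entry in ENTRY.split(text):
        entry = entry.strip()
        if entry in selectors:          # a bare "TSi" / "TSr" payload header
            side = entry
            continue
        m = ADDR.match(entry)
        if side and m:
            selectors[side].append((ip_address(m.group(1)), ip_address(m.group(2))))
    return selectors

def unexpected_selectors(selectors, expected):
    """List (side, start, end) for every range not wholly inside an expected P2 network.
    For the bad exchange this returns the two WAN /32s that should not be there."""
    flagged = []
    for side, ranges in selectors.items():
        nets = [ip_network(n) for n in expected.get(side, [])]
        for start, end in ranges:
            if not any(start in n and end in n for n in nets):
                flagged.append((side, str(start), str(end)))
    return flagged
```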
-
Hm, shouldn't be related to IKEv2, but do you have the Unity plugin enabled? https://redmine.pfsense.org/issues/4178 Only thing I can think of with a Cisco that would end up changing the selectors, though that symptom is completely different.
What does your /var/etc/ipsec/ipsec.conf contain, and "ipsec statusall" show?