2.2.2: IPSec Site-to-Site VPNs with more than 1 phase2 problems



  • Hello,
    we are an IT system service provider. We have pfSense as our main Firewall and VPN Gateway. Through IPsec Site-to-Site we are connected with all our customers. Customers who have different subnets are connected through multiple phase2 entries. Since 2.2.x each of this tunnels won't connect anymore, as soon as we try to establish a connection, for example a RDP request. We than have to got onto the pfSense shell and start the connection via a command for example "ipsec up con1000". I have to do this everyday. Customer sites are different firewalls, like pfsense 2.0.x, 2.1.x, Lancom, Cisco, etc.

    Is there any know configuration I can do in 2.2.x that prevents these VPNs to start when I need them? On 2.1.x this was not an issue.



  • Best guess is you're hitting the issue with duplicated reqids that's been fixed in 2.2.3 with the update to strongswan 5.3.2 and letting it manage its own reqids now that it works correctly there. The most recent 2.2.3 snapshot @ snapshots.pfsense.org is close to what release will be and well-tested at this point. Going ahead with the 2.2.3 upgrade would be my best suggestion to start.



  • So 2.2.3 is Final now. Lets see if it solves my problem. I will post again, after we did the update and tested a few days.



  • Mmm, I seem to have a similar problem on 2.2.5.  I have two datacenters. One has a 2.2.5 running, the other a 2.1.5.  Between them I need about 7 several phase2 connection which I can't grab in one subnet.  When I configured I made one, tested it, and copied the phase2 settings with only changing the subnets.

    The first like 3 phase-2 connections work fine, but when I try to ping the other end for the other subnets I get a "no matching CHILD_SA config found" in the log (on the 2.2.5 side, that's where the problem seems to be).  But "ipsec statusall" shows that it's configured.    When I manually start it with "ipsec up con1003" it works just fine.  Not sure though yet if it keeps working or that this workaround needs to be done like every day (or worse).  Restarting ipsec service doesn't help too.

    Anyone a clue what to do ?

    Thanks, Jos



  • I have the same problem between 2.2.6 and several 2.0.X boxes….



  • I wonder if upgrade to 2.2.6 of the second box will solve it…



  • We are currently on version 2.2.4-RELEASE (i386) and don't have the problem anymore.
    I can't really remember how we solved it. ;-(
    It might be either the version update, or we switched to IKEv2 ?
    On the other hand was a problem with the details in the ipsec.conf I think. I think we edited and saved every IPsec connection again, just to make sure it gets saved correctly with the new 2.2.x syntax.



  • With me is fresh install of 2.2.6 - so no upgrade…....
    IkeV2 is not an option as V2 is not suppported by  older 2.0.X boxes :( Good you do not have the problems...I guess we will have to upgrade too...Just wanted to avoid it if possible.