Netgate Discussion Forum

    2.2.2: IPSec Site-to-Site VPNs with more than 1 phase2 problems

    IPsec
    8 Posts 4 Posters 1.8k Views
    • Starko

      Hello,
      we are an IT system service provider. We have pfSense as our main Firewall and VPN Gateway. Through IPsec Site-to-Site we are connected with all our customers. Customers who have different subnets are connected through multiple phase2 entries. Since 2.2.x each of these tunnels won't connect anymore as soon as we try to establish a connection, for example an RDP request. We then have to go onto the pfSense shell and start the connection via a command, for example "ipsec up con1000". I have to do this every day. Customer sites are different firewalls, like pfSense 2.0.x, 2.1.x, Lancom, Cisco, etc.

      Is there any known configuration I can do in 2.2.x that prevents these VPNs to start when I need them? On 2.1.x this was not an issue.

    • cmb

        Best guess is you're hitting the issue with duplicated reqids that's been fixed in 2.2.3 with the update to strongswan 5.3.2 and letting it manage its own reqids now that it works correctly there. The most recent 2.2.3 snapshot @ snapshots.pfsense.org is close to what release will be and well-tested at this point. Going ahead with the 2.2.3 upgrade would be my best suggestion to start.

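cmb's diagnosis is that the generated ipsec.conf contained conn sections sharing a reqid. The shell function below is an added example, not code from the thread or from pfSense: it scans an ipsec.conf read on stdin for reqid values that more than one conn section uses, so an admin on a pre-2.2.3 box can confirm they are hitting that case before upgrading. The sample configuration is constructed, and the connection names, addresses and subnets in it are placeholders; it assumes the file carries explicit "reqid = N" lines per conn, which is the condition cmb describes.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Constructed ipsec.conf
# fragment in the one-conn-per-phase-2 style: one IKE peer, three phase 2
# conns, each with an explicit reqid. con1000 and con1001 deliberately share
# reqid 1 so the check has something to find.
SAMPLE_CONF='
config setup
    uniqueids = yes

conn con1000
    keyexchange = ikev1
    left = 203.0.113.1
    right = 198.51.100.1
    leftsubnet = 192.168.1.0/24
    rightsubnet = 10.10.0.0/24
    reqid = 1
    auto = route

conn con1001
    keyexchange = ikev1
    left = 203.0.113.1
    right = 198.51.100.1
    leftsubnet = 192.168.1.0/24
    rightsubnet = 10.20.0.0/24
    reqid = 1
    auto = route

conn con1002
    keyexchange = ikev1
    left = 203.0.113.1
    right = 198.51.100.1
    leftsubnet = 192.168.1.0/24
    rightsubnet = 10.30.0.0/24
    reqid = 2
    auto = route
'

# find_dup_reqids: read ipsec.conf text on stdin and print one line per reqid
# that more than one conn section uses, as "<reqid>: <conn> <conn> ...".
# Nothing is printed when every reqid is unique.
find_dup_reqids() {
    awk '
        /^conn[[:space:]]+/ { conn = $2; next }
        /^[[:space:]]*reqid[[:space:]]*=/ {
            split($0, kv, "=")
            gsub(/[[:space:]]/, "", kv[2])
            users[kv[2]] = users[kv[2]] " " conn
            count[kv[2]]++
        }
        END {
            for (r in count) if (count[r] > 1) print r ":" users[r]
        }
    ' | sort
}

# reqids_ok: exit 0 when no reqid is shared, 1 otherwise (usable from cron
# or a monitoring check that reads the generated file).
reqids_ok() {
    [ -z "$(find_dup_reqids)" ]
}

# Stand-alone demo on the constructed sample. On a real box, feed the
# generated file instead:  find_dup_reqids < /path/to/ipsec.conf
printf '%s\n' "$SAMPLE_CONF" | find_dup_reqids
```

The check only confirms the symptom on the configuration side; since pfSense regenerates ipsec.conf, hand-editing the reqid lines is not a durable fix, and the upgrade cmb recommends (letting strongSwan allocate reqids itself) is the actual remedy.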
    • Starko

          So 2.2.3 is final now. Let's see if it solves my problem. I will post again after we have done the update and tested for a few days.

    • jandel

            Mmm, I seem to have a similar problem on 2.2.5. I have two datacenters. One has 2.2.5 running, the other 2.1.5. Between them I need about 7 separate phase2 connections, which I can't grab in one subnet. When I configured it I made one, tested it, and copied the phase2 settings, only changing the subnets.

            The first 3 or so phase-2 connections work fine, but when I try to ping the other end for the other subnets I get a "no matching CHILD_SA config found" in the log (on the 2.2.5 side, that's where the problem seems to be). But "ipsec statusall" shows that it's configured. When I manually start it with "ipsec up con1003" it works just fine. Not sure yet though if it keeps working or whether this workaround needs to be done every day (or worse). Restarting the ipsec service doesn't help either.

            Anyone have a clue what to do?

            Thanks, Jos

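The workaround Starko and jandel both describe is to run "ipsec up <conn>" by hand for each phase 2 that "ipsec statusall" lists as configured but that never gets an installed CHILD_SA. The script below is an added example, not code from the thread or from pfSense, that automates the check: it parses statusall-style output read on stdin for conns that have a child entry but no INSTALLED CHILD_SA, counts the "no matching CHILD_SA config found" lines in charon log text, and prints the corresponding up commands instead of running them. The statusall output, the log lines and the names con1000, con1001 and con1003 are constructed samples modelled on the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Both samples below are
# constructed: statusall-style output in which con1003 is configured but has
# no installed CHILD_SA, and charon log lines of the kind jandel quotes.
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.3.2, FreeBSD, amd64):
  uptime: 3 days, since Nov 02 08:11:01 2015
Listening IP addresses:
  203.0.113.1
Connections:
     con1000:  203.0.113.1...198.51.100.1  IKEv1, dpddelay=10s
     con1000:   local:  [203.0.113.1] uses pre-shared key authentication
     con1000:   remote: [198.51.100.1] uses pre-shared key authentication
     con1000:   child:  192.168.1.0/24 === 10.10.0.0/24 TUNNEL, dpdaction=restart
     con1001:  203.0.113.1...198.51.100.1  IKEv1, dpddelay=10s
     con1001:   child:  192.168.1.0/24 === 10.20.0.0/24 TUNNEL, dpdaction=restart
     con1003:  203.0.113.1...198.51.100.1  IKEv1, dpddelay=10s
     con1003:   child:  192.168.1.0/24 === 10.30.0.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     con1000[3]: ESTABLISHED 2 hours ago, 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
     con1000[3]: IKEv1 SPIs: 0011223344556677_i* 8899aabbccddeeff_r
     con1000{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
     con1000{5}:   192.168.1.0/24 === 10.10.0.0/24
     con1001{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: a1b2c3d4_i e5f6a7b8_o
     con1001{6}:   192.168.1.0/24 === 10.20.0.0/24'

SAMPLE_LOG='Nov 05 09:12:33 fw charon: 12[CFG] <con1000|3> looking for a child config for 192.168.1.0/24 === 10.30.0.0/24
Nov 05 09:12:33 fw charon: 12[CFG] <con1000|3> no matching CHILD_SA config found
Nov 05 09:12:40 fw charon: 05[IKE] <con1000|3> sending DPD request'

# missing_child_sas: read "ipsec statusall" output on stdin and print, one
# per line and sorted, each conn that has a "child:" line under Connections
# but no INSTALLED CHILD_SA under Security Associations.
missing_child_sas() {
    awk '
        /^Connections:/          { section = "conf"; next }
        /^Security Associations/ { section = "sa";   next }
        section == "conf" && /^[[:space:]]+[A-Za-z0-9_-]+:[[:space:]]+child:/ {
            name = $1; sub(/:$/, "", name); configured[name] = 1
        }
        section == "sa" && /^[[:space:]]+[A-Za-z0-9_-]+[{][0-9]+[}]:[[:space:]]+INSTALLED/ {
            name = $1; sub(/[{][0-9]+[}]:$/, "", name); installed[name] = 1
        }
        END { for (n in configured) if (!(n in installed)) print n }
    ' | sort
}

# count_child_sa_failures: number of "no matching CHILD_SA config found"
# lines in charon log text read on stdin; prints 0 when there are none.
count_child_sa_failures() {
    grep -c 'no matching CHILD_SA config found' || :
}

# up_commands: turn conn names on stdin into the "ipsec up" commands the
# admin would otherwise type by hand. Printed, not executed, so the list can
# be reviewed before it is piped to sh.
up_commands() {
    sed 's/^/ipsec up /'
}

# Stand-alone demo on the constructed samples. On a real box:
#   ipsec statusall | missing_child_sas | up_commands
printf '%s\n' "$SAMPLE_STATUS" | missing_child_sas | up_commands
printf 'CHILD_SA config misses in log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_child_sa_failures)"
```

A conn in the missing list is not necessarily broken: with "auto = route" a tunnel is only negotiated when traffic hits it, so an idle phase 2 also shows up there. Pair the list with the log count (a non-zero count while a listed conn has been receiving traffic is the pattern from this thread) before bringing conns up, and treat the script as a stopgap for the daily chore rather than a fix for the reqid problem itself.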
    • petermp

              I have the same problem between 2.2.6 and several 2.0.X boxes...

    • petermp

                I wonder if upgrading the second box to 2.2.6 will solve it...

    • Starko

                  We are currently on version 2.2.4-RELEASE (i386) and don't have the problem anymore.
                  I can't really remember how we solved it. ;-(
                  It might be either the version update, or that we switched to IKEv2?
                  On the other hand, I think there was a problem with the details in the ipsec.conf. I think we edited and saved every IPsec connection again, just to make sure it gets saved correctly with the new 2.2.x syntax.

    • petermp

                    With me it is a fresh install of 2.2.6 - so no upgrade...
                    IKEv2 is not an option as v2 is not supported by the older 2.0.X boxes :( Good that you do not have the problems... I guess we will have to upgrade too... Just wanted to avoid it if possible.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.