SOLVED : site-to-site with multiple vlan issue



  • Hi,

    I tried to find a similar issue on the forum but did not find one.

    I'm working with two pfSense boxes, both on 2.2.3.

    One box has 5 VLANs and the other one only a single LAN.

    They have been configured with a site-to-site IPsec VPN for a good while with 3 VLANs (since 2.1.1 if I remember well) and I never had an issue until I tried to add a new VLAN to the Phase 2 ruleset in 2.2.2 a few weeks ago.

    I created the Phase 2 exactly like the other working ones, but this link won't establish and I see the exact same error as the network mismatch one in the pfSense IPsec troubleshooting guide https://doc.pfsense.org/index.php/IPsec_Troubleshooting

    The problem is that the 3 others are still working, except this one, and I've recreated it several times and recopied the same config.

    Here is a quick screenshot from both boxes.

    Has somebody had this issue before?

    EDIT : this last VLAN (VLAN5SECURITE 10.5.0.0/16) is the one that's giving me trouble.



  • Sorry, I can't really help with your issue.

    My VLANs do not share local or remote subnets.
    Each has a different IP range.
    Each VLAN interface has a unique IP address.
    The only thing that is shared is either a physical interface on pfSense or a physical port in an Ethernet switch.



  • Update to v2.2.3 and try again. v2.2.2 still had issues with multiple Ph2's



  • They are already on 2.2.3 as per the first post. It started in 2.2.2 when we needed to add this VLAN to the IPsec Phase 2 ruleset.

    I was hoping that 2.2.3 would fix this; it was not the case :(



  • Double check Status>Interfaces on "box 1", I suspect it's not actually a /16 given the description.
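    A small consistency check for the kind of mismatch suggested above, added here as an example and not code from the thread or from pfSense: it takes the Phase 2 (local, remote) subnet pairs as each box lists them and reports entries whose mirror on the peer is missing or differs only in prefix length (e.g. /16 on one side, /24 on the other). The subnet values are constructed sample data, not the poster's configuration.

```python
import ipaddress

# Constructed sample Phase 2 entries, not taken from the thread: (local subnet, remote subnet)
# as each pfSense box lists them. Box 2's last entry carries a deliberate /24 typo.
BOX1_P2 = [
    ("10.1.0.0/16", "192.168.1.0/24"),
    ("10.2.0.0/16", "192.168.1.0/24"),
    ("10.3.0.0/24", "192.168.1.0/24"),
    ("10.5.0.0/16", "192.168.1.0/24"),
]
BOX2_P2 = [
    ("192.168.1.0/24", "10.1.0.0/16"),
    ("192.168.1.0/24", "10.2.0.0/16"),
    ("192.168.1.0/24", "10.3.0.0/24"),
    ("192.168.1.0/24", "10.5.0.0/24"),
]


def _net(text):
    # strict=False tolerates host bits, e.g. an interface address pasted as 10.5.0.1/16
    return ipaddress.ip_network(text, strict=False)


def check_phase2_mirror(side_a, side_b):
    """Compare the Phase 2 traffic selectors of two peers.

    Every (local, remote) pair on side A must appear as (remote, local) on side B,
    otherwise the responder rejects that proposal (the network-mismatch symptom).
    Returns a list of findings; an empty list means both sides agree.
    """
    findings = []
    b_pairs = [(_net(l), _net(r)) for l, r in side_b]
    for l, r in side_a:
        local, remote = _net(l), _net(r)
        if (remote, local) in b_pairs:
            continue  # exact mirror found on the peer
        # Same network address but a different prefix length is the classic typo
        for b_local, b_remote in b_pairs:
            if b_local == remote and b_remote.network_address == local.network_address:
                findings.append(f"prefix mismatch: A local {local} vs B remote {b_remote}")
                break
            if b_remote == local and b_local.network_address == remote.network_address:
                findings.append(f"prefix mismatch: A remote {remote} vs B local {b_local}")
                break
        else:
            findings.append(f"no mirror on B for A local {local} -> remote {remote}")
    return findings


if __name__ == "__main__":
    for finding in check_phase2_mirror(BOX1_P2, BOX2_P2) or ["all Phase 2 entries mirrored"]:
        print(finding)
```

Run it in both directions (A against B, then B against A) so an entry that exists only on one box is reported as well.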



  • Sorry for the delay (got some holidays ;) )

    /16 is correct. 3 of the 4 VLANs are /16 and one is /24.

    I've double checked on both sides to be sure and the settings are OK.



  • Just for a positive update: it started working by itself without any intervention.

    I've lost a part of the log (maybe the log rotate process …) but it looks like IPsec reset on 4th July and the faulty VLAN now works over IPsec.

    Very very weird, but solved now :D