IP Sec Issues with multiple P2 tunnels (only the first comes up)



  • I have searched this form, and many others, and this topic has come up before but I can't seem to find a resolution that works for me. I am able to make it work in the short-term, but when the IPSec service restarts it overwrites what I have done and breaks the tunnels again.

    The problem seems to be in the /var/etc/ipsec.conf file and how it is generated by vpn.inc, unfortunately I'm not good with PHP and the code provided in the following link does not work for me.

    https://forum.pfsense.org/index.php?topic=85429.0

    If I edit /var/etc/ipsec.conf to use multiple conn entries and then restart ipsec from the command line all of my tunnels come up fine.  But, If I restart IP sec from the GUI or reboot the firewall the file is regenerated and I loose my changes.

    I'm not sure what changed in the code from 2.1 to 2.2+ but the ipsec.conf file as it is currently generated by vpn.conf does not work for IKEv2 with multiple P2 tunnels.

    Am I missing something obvious?



  • The thread you linked hasn't been relevant to any release version, don't follow any instructions from beta troubleshooting/development. The config that's generated in every release version is correct.

    Are you connecting to a Cisco ASA on the other side? That'd be a Cisco bug/lacking feature. We have a ticket open to implement a workaround at some point. https://redmine.pfsense.org/issues/4704



  • Sonicwall 4500 (SonicOS 5.8.1.5)

    Call it what you like, but if I can modify a FPS generated config file and get the desired result the bug/lacking feature is on the PFS GUI.

    This works; Having all tunnels under conn con1 does not.

    
    # This file is automatically generated. Do not edit
    config setup
    	uniqueids = yes
    	charondebug=""
    
    conn bypasslan
    	leftsubnet = 10.160.52.0/24
    	rightsubnet = 10.160.52.0/24
    	authby = never
    	type = passthrough
    	auto = route
    
    conn con2
    	also=con1
    	rightsubnet=10.12.0.0/16
    	auto=start
    
    conn con3
    	also=con1
    	rightsubnet=10.20.1.0/24
    	auto=start
    
    conn con1
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = no
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = none
    	auto = route
    	left = <publicip>right = <publicip>leftid = <publicip>ikelifetime = 28800s
    	lifetime = 28800s
    	ike = 3des-sha1-modp1024!
    	esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
    	leftauth = psk
    	rightauth = psk
    	rightid = <publicip>rightsubnet = 172.17.0.0/16
    	leftsubnet = 10.160.52.0/24</publicip></publicip></publicip></publicip> 
    


  • Haven't heard of that with Sonicwall, but apparently they've broken/don't support multiple TS in same TS payload either. The config is 100% correct as generated for the proper IKEv2 usage. One of the benefits of IKEv2 is not needing multiple child SAs for such circumstances. At least for proper implementations of it.

    In /usr/local/www/vpn_ipsec_phase1.php, take out this chunk of input validation:

    	if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) {
    		$t = 0;
    		foreach ($a_phase1 as $ph1tmp) {
    			if ($p1index <> $t) {
    				$tremotegw = $pconfig['remotegw'];
    				if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
    					$input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
    				}
    			}
    			$t++;
    		}
    	}
    

    Then add two P1s with one P2 on each. That's really what you're configuring there by splitting it to two conn entries.

    That validation probably isn't really necessary, might just remove that to allow configs like this. Its intention is to prevent foot shooting, but there are potential circumstances like this where it works around issues with the remote end.