IPsec issues with multiple P2 tunnels (only the first comes up)
-
I have searched this forum, and many others, and this topic has come up before but I can't seem to find a resolution that works for me. I am able to make it work in the short term, but when the IPsec service restarts it overwrites what I have done and breaks the tunnels again.
The problem seems to be in the /var/etc/ipsec.conf file and how it is generated by vpn.inc, unfortunately I'm not good with PHP and the code provided in the following link does not work for me.
https://forum.pfsense.org/index.php?topic=85429.0
If I edit /var/etc/ipsec.conf to use multiple conn entries and then restart ipsec from the command line, all of my tunnels come up fine. But if I restart IPsec from the GUI or reboot the firewall, the file is regenerated and I lose my changes.
I'm not sure what changed in the code from 2.1 to 2.2+ but the ipsec.conf file as it is currently generated by vpn.conf does not work for IKEv2 with multiple P2 tunnels.
Am I missing something obvious?
-
The thread you linked hasn't been relevant to any release version, don't follow any instructions from beta troubleshooting/development. The config that's generated in every release version is correct.
Are you connecting to a Cisco ASA on the other side? That'd be a Cisco bug/lacking feature. We have a ticket open to implement a workaround at some point. https://redmine.pfsense.org/issues/4704
-
Sonicwall 4500 (SonicOS 5.8.1.5)
Call it what you like, but if I can modify a PFS-generated config file and get the desired result, the bug/lacking feature is in the PFS GUI.
This works; having all tunnels under conn con1 does not.
# This file is automatically generated. Do not edit
config setup
	uniqueids = yes
	charondebug=""

conn bypasslan
	leftsubnet = 10.160.52.0/24
	rightsubnet = 10.160.52.0/24
	authby = never
	type = passthrough
	auto = route

conn con2
	also=con1
	rightsubnet=10.12.0.0/16
	auto=start

conn con3
	also=con1
	rightsubnet=10.20.1.0/24
	auto=start

conn con1
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = no
	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = none
	auto = route
	left = <publicip>
	right = <publicip>
	leftid = <publicip>
	ikelifetime = 28800s
	lifetime = 28800s
	ike = 3des-sha1-modp1024!
	esp = 3des-sha1-modp1024,3des-sha1-modp1024,3des-sha1-modp1024!
	leftauth = psk
	rightauth = psk
	rightid = <publicip>
	rightsubnet = 172.17.0.0/16
	leftsubnet = 10.160.52.0/24
-
Haven't heard of that with Sonicwall, but apparently they've broken/don't support multiple TS in same TS payload either. The config is 100% correct as generated for the proper IKEv2 usage. One of the benefits of IKEv2 is not needing multiple child SAs for such circumstances. At least for proper implementations of it.
In /usr/local/www/vpn_ipsec_phase1.php, take out this chunk of input validation:
if (($pconfig['remotegw'] && is_ipaddr($pconfig['remotegw']) && !isset($pconfig['disabled']) )) {
	$t = 0;
	foreach ($a_phase1 as $ph1tmp) {
		if ($p1index <> $t) {
			$tremotegw = $pconfig['remotegw'];
			if (($ph1tmp['remote-gateway'] == $tremotegw) && !isset($ph1tmp['disabled'])) {
				$input_errors[] = sprintf(gettext('The remote gateway "%1$s" is already used by phase1 "%2$s".'), $tremotegw, $ph1tmp['descr']);
			}
		}
		$t++;
	}
}
Then add two P1s with one P2 on each. That's really what you're configuring there by splitting it to two conn entries.
That validation probably isn't really necessary, might just remove that to allow configs like this. Its intention is to prevent foot shooting, but there are potential circumstances like this where it works around issues with the remote end.
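To make the difference between the two layouts in this thread concrete, here is an added stand-alone illustration (not pfSense's vpn.inc, and not code from anyone in the thread) that renders a strongSwan ipsec.conf for one IKEv2 phase 1 with several phase 2 remote subnets, either as the generator does it (one conn, several traffic selectors in one child SA) or split into con1/con2/con3 with also= as in the working file above, and then parses the result back to show which remote subnets each conn ends up with. The gateway placeholders, subnets and the small COMMON option set are constructed samples.

```python
# Added illustration, not pfSense's vpn.inc: build a strongSwan ipsec.conf for
# one IKEv2 phase 1 with several phase 2 remote subnets, in the two layouts
# the thread contrasts, then parse it back to show what each conn selects.
# Gateway addresses are placeholders and the subnets are constructed samples.

P1 = {"name": "con1", "left": "<publicip>", "right": "<publicip>",
      "leftsubnet": "10.160.52.0/24", "ike": "3des-sha1-modp1024!",
      "esp": "3des-sha1-modp1024!"}
P2_REMOTE = ["172.17.0.0/16", "10.12.0.0/16", "10.20.1.0/24"]
COMMON = ["keyexchange = ikev2", "type = tunnel", "auto = route",
          "leftauth = psk", "rightauth = psk", "lifetime = 28800s"]

def base_conn(subnets):
    """Full conn stanza. Several subnets become one comma list, i.e. one
    child SA whose TS payload carries several traffic selectors."""
    p = P1
    return ([f"conn {p['name']}"] + ["\t" + s for s in COMMON] +
            [f"\tleft = {p['left']}", f"\tright = {p['right']}",
             f"\tleftsubnet = {p['leftsubnet']}",
             f"\trightsubnet = {','.join(subnets)}",
             f"\tike = {p['ike']}", f"\tesp = {p['esp']}"])

def render(split):
    """split=False: generator layout, all remote subnets inside con1.
    split=True: con1 keeps the first subnet; con2.. reuse it via also= and
    override rightsubnet, giving one child SA per subnet (the workaround)."""
    out = ["config setup", "\tuniqueids = yes", ""]
    out += base_conn(P2_REMOTE[:1] if split else P2_REMOTE)
    if split:
        for i, subnet in enumerate(P2_REMOTE[1:], start=2):
            out += ["", f"conn con{i}", f"\talso={P1['name']}",
                    f"\trightsubnet={subnet}", "\tauto=start"]
    return "\n".join(out) + "\n"

def effective_selectors(conf):
    """Parse a rendered config and resolve also= so each conn maps to the
    list of remote subnets its child SA would negotiate."""
    sections, cur = {}, None
    for line in conf.splitlines():
        if line.startswith("conn "):
            cur = sections.setdefault(line.split()[1], {})
        elif line.startswith("\t") and cur is not None and "=" in line:
            k, v = (x.strip() for x in line.split("=", 1))
            cur[k] = v
    def resolve(name):
        merged = dict(sections[name])
        parent = merged.pop("also", None)   # child keys override the parent
        return {**resolve(parent), **merged} if parent else merged
    return {n: resolve(n)["rightsubnet"].split(",") for n in sections}
```

Running effective_selectors over both renderings shows the single-conn layout negotiating all three subnets in one child SA, while the split layout yields one conn, and so one child SA, per subnet.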