Ipsec can't stop / won't stop, and many SAs won't connect



  • Running 2.2.4 since I know there have been bugs in prior releases.

    I have a single IKEv1 tunnel with 15 phase 2 entries.  Hardware is a Soekris Net6501 (Intel em NICs).  Remote side is a Palo Alto PA-2020.

    I'm trying to troubleshoot why some of the ph2 entries are not coming up when they are called for.  Logging on the PA is its own challenge, so I was going to start with the pfSense box.  Cranked up several of the log options, told ipsec to restart, claims that it was restarted, see some new log entries, fine.

    On a whim, tweak some more debug logging higher, and decide to fully stop ipsec.  Services page says "ipsec service stopped," but the little status icon still shows a green arrow and says "running."  I can click the stop button there until my finger falls off, and ipsec still seems to be running.  Is this just a display bug, or does strongswan still have pieces running?

    I didn't have problems with all 15 phase2 SAs coming up in older releases, so something has obviously broken under the hood.  Would be happy to provide debug logs if I knew what services to crank up logging for, and how to get ipsec to correctly restart and thus recognize the new loglevels.  ;)

    [edit]
    And a reboot gets things working again, FWIW.  Now the ph2 SAs that weren't connecting 5 minutes ago are connecting / establishing.  Something is wrong here.