Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Ipsec can't stop / won't stop, and many SAs won't connect

    IPsec
    1
    1
    485
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      ZPrime last edited by

      Running 2.2.4 since I know there have been bugs in prior releases.

      I have a single IKEv1 tunnel with 15 phase 2 entries.  Hardware is a Soekris Net6501 (Intel em NICs).  Remote side is a Palo Alto PA-2020.

      I'm trying to troubleshoot why some of the ph2 entries are not coming up when they are called for.  Logging on the PA is its own challenge, so I was going to start with the pfSense box.  Cranked up several of the log options, told ipsec to restart, claims that it was restarted, see some new log entries, fine.

      On a whim, tweak some more debug logging higher, and decide to fully stop ipsec.  Services page says "ipsec service stopped," but the little status icon still shows a green arrow and says "running."  I can click the stop button there until my finger falls off, and ipsec still seems to be running.  Is this just a display bug, or does strongswan still have pieces running?

      I didn't have problems with all 15 phase2 SAs coming up in older releases, so something has obviously broken under the hood.  Would be happy to provide debug logs if I knew what services to crank up logging for, and how to get ipsec to correctly restart and thus recognize the new loglevels.  ;)

      [edit]
      And a reboot gets things working again, FWIW.  Now the ph2 SAs that weren't connecting 5 minutes ago are connecting / establishing.  Something is wrong here.

      1 Reply Last reply Reply Quote 0
      • First post
        Last post