Can I upgrade from 2.1 to 2.2 without breaking IPSec tunnels?

  • Hello,

    I have version 2.1.5 running on a Dell R200, and I'd like to upgrade to the latest 2.2.

    I'm a little nervous about upgrading because I know the IPSec functionality was completely redone in 2.2, and I'm running about 100 IPSec tunnels.

    Is my wariness misplaced, or is it better to load 2.2 from scratch and import the config?  I do have a CARP slave.

  • The only way you're going to know for sure is to back up your configuration and upgrade. Make sure you have pfSense 2.1.5 install media to hand, so you can downgrade to 2.1.5 and restore your configuration backup if your tunnels fail.

    As you say, the IPsec code in 2.2.x is very different to 2.1.x, so there is no way of knowing how this will interact with your environment.

    pfSense 2.1.x is a total dead end now - it's not even receiving security fixes. It is based on FreeBSD 8.3, which has been End of Life for some time. The EoL status of FreeBSD 8.x is one reason why there was a push to release the FreeBSD 10.1 based pfSense 2.2.

    There have been a lot of improvements through the 2.2.x series and pfSense 2.2.6 works well for me on an R200, though I only have a couple of IKEv2 tunnels and use an Intel PCI Express dual Gigabit NIC rather than the on-board Broadcom NICs (as the Broadcom NICs don't support jumbo frames).

    pfSense 2.3 should hopefully be released in the next few months.

  • Should definitely be safe to upgrade, but pay attention to the caveats listed in the upgrade guide. There are a few possibilities for things working in 2.1.x with wrong configs that will no longer work post-upgrade.

  • OK, I will try upgrading the CARP slave first, and run on the slave for a day to test.

  • I upgraded the slave to 2.2.6, and then I realized there were two IPSec aggressive tunnels (only one of them came up).  All of the main mode tunnels came up OK.

    I switched back to the master running 2.1.5 and switched the 2 aggressive tunnels to use OpenVPN instead.  I then switched back to the slave and everything came up OK.

    However, now on the slave running 2.2.6, when I click on the 'e' to edit any Phase2 it always takes me to a blank Phase2 screen instead of the correct Phase2 screen for this tunnel.

    No matter what Phase2 I try to edit it aways takes me to URL:

    This is a blank Phase2 screen with LAN subnet, a blank remote network, AES=auto, SHA1, PFS off, 3600 settings.

    Even if I try to put in a correct URL:

    it still takes me to the exact same blank Phase2 screen.

    I exported the config from the slave and imported it into two other 2.2.6 routers, and the same blank Phase2 screen problem happens on them as well.  Importing the old config from when the slave was running 2.1.5 works fine, and displays Phase2 screens OK.

    Did my config get poisoned somehow during this process?

Log in to reply