2.2.6 - some IPsec phase 2 entries won't come up - how to troubleshoot?

  • Looking for some guidance on troubleshooting phase 2 entries that won't establish.  I have a single IKEv1 tunnel to a Palo Alto firewall.  I have a bunch of individual phase 2 SAs defined for various subnets that I need to tunnel – the PA supports "route based" VPN (i.e. each endpoint is part of a /30 or similar and you simply route various other subnets across that tunnel) but pfSense doesn't support this (as far as I'm aware?), so I have to define the individual subnets I need to reach on the remote side.

    Several of the phase 2 SAs are up and established, but at least one of them isn't coming up.  It's configured in the same manner as the others, with the same options, so I'm not sure where the problem lies here.

    What individual "services" in the IPsec settings do I need to increase logging on to help track this down?  I've turned "SA Manager" and "IKE SA" and "IKE Child SA" up to both "diag" and then "raw" and wasn't getting anything enlightening... but maybe I just don't know how to read it?

Log in to reply