IPSEC tunnel problem after upgrade to version 2.2.6



  • Hello.

    I have an IPSEC tunnel that was working till yesterday when I upgrade my PFSENSE to version 2.2.6.

    My tunnel have got configured  NAT/BINAT like this under Local Network in Phase 2 Config.

    172.31.244.104/29

    As far as I know the first IP address PFsense is going to use to present itself at the other side of the tunnel is: 172.31.244.105

    My counterpart at the other side of the tunnel email me saying Iam trying to connect to his network using 172.31.244.104 and he have configured is firewalls to let me in using 172.31.244.105.

    I insist this tunnel was working perfectly until upgrade to 2.2.6

    There is any chance that this could be a bug in the new version?

    Thanks for your time,

    Daniel.

    MODIFICATION: - Start
    –-----------------

    We have modified both sides of the tunnel to match 172.31.244.105/32 instead of 172.31.244.104/29 in NAT/BINAT under Local Network in Phase 2 Config.

    With this modification the tunnel is up and running perfectly.

    Pherpaps PFSENSE is using IP 172.31.244.104 as the first valid IP address to 172.31.244.104/29 subnet in the new version 2.2.6?

    MODIFICATION - End






  • What version did you upgrade from? That code hasn't changed in quite some time other than fixing a couple edge cases that didn't work at all previously. Do you have any outbound NAT rules on the IPsec interface? Firewall>NAT, Outbound tab.



  • Thanks for your reply.

    We upgrade from version 2.2.3 -> 2.2.6

    Not at all. There is any rule in Firewall->Nat, Outbound tab for IPSEC Interface.

    As I said in the original post. This configuration was working perfectly BEFORE the upgrade. After that my counterpart at the other side of the tunnel start complain that I wasn't use the right IP Address to access his network.

    The problem was solved changing the Local Network config at phase 2, changing the subnet /29 just to a single IP address. We have to do it at both sides of the tunnel, ofcourse.

    The firewall at the other side of the tunnel is a Fortinet, and we had a hard time making the tunnel work in the past (with PFSense 2.2.3), but when it start to work it was rock solid.

    Looking at:

    2.2.3 - release notes
    2.2.6 - release notes

    I notice that StrongSwan upgrade from version 5.3.2 in PFSense 2.2.3 to version 5.3.5 in PFSense 2.2.6. Pheraps there is some change there.


Log in to reply