Netgate Discussion Forum

    IPSEC tunnel problem after upgrade to version 2.2.6

      Daniel1972

      Hello.

      I have an IPSEC tunnel that was working till yesterday, when I upgraded my PFSENSE to version 2.2.6.

      My tunnel has NAT/BINAT configured like this under Local Network in Phase 2 Config:

      172.31.244.104/29

      As far as I know, the first IP address PFsense is going to use to present itself at the other side of the tunnel is: 172.31.244.105

      My counterpart at the other side of the tunnel emailed me saying I am trying to connect to his network using 172.31.244.104, and he has configured his firewalls to let me in using 172.31.244.105.

      I insist this tunnel was working perfectly until the upgrade to 2.2.6.

      Is there any chance that this could be a bug in the new version?

      Thanks for your time,

      Daniel.

      MODIFICATION - Start
      -----------------

      We have modified both sides of the tunnel to match 172.31.244.105/32 instead of 172.31.244.104/29 in NAT/BINAT under Local Network in Phase 2 Config.

      With this modification the tunnel is up and running perfectly.

      Perhaps PFSENSE is using IP 172.31.244.104 as the first valid IP address of the 172.31.244.104/29 subnet in the new version 2.2.6?

      MODIFICATION - End

        cmb

        What version did you upgrade from? That code hasn't changed in quite some time other than fixing a couple edge cases that didn't work at all previously. Do you have any outbound NAT rules on the IPsec interface? Firewall>NAT, Outbound tab.

          Daniel1972

          Thanks for your reply.

          We upgraded from version 2.2.3 -> 2.2.6

          Not at all. There isn't any rule in Firewall->NAT, Outbound tab for the IPSEC interface.

          As I said in the original post, this configuration was working perfectly BEFORE the upgrade. After that, my counterpart at the other side of the tunnel started complaining that I wasn't using the right IP address to access his network.

          The problem was solved by changing the Local Network config at phase 2, changing the subnet /29 to just a single IP address. We had to do it at both sides of the tunnel, of course.

          The firewall at the other side of the tunnel is a Fortinet, and we had a hard time making the tunnel work in the past (with PFSense 2.2.3), but when it started to work it was rock solid.

          Looking at:

          2.2.3 - release notes
          2.2.6 - release notes

          I notice that StrongSwan was upgraded from version 5.3.2 in PFSense 2.2.3 to version 5.3.5 in PFSense 2.2.6. Perhaps there is some change there.
