Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Upgrade from 2.1.5 to 2.3 - Advice for IPSEC

    Scheduled Pinned Locked Moved General pfSense Questions
    3 Posts 2 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Puma
      last edited by

      Hello,

      I have PFSENSE in 2.1.5.
      Before to upgrade to the lastest version, i read changelogs and i would like an advice for IPSEC changes. I use several IPSEC to clients with one P1 and multiples P2, negotiation mode : main, NAT T disabled.

      • Do you think can i upgrade without problems ?

      • With existing tunnels, IKE version will be IKE v1 ?

      • Moreover, i use CARP / virtual IPS, any problem about it to upgrade ?

      • Have you any further comments in relation to this update ?

      Thanks.

      1 Reply Last reply Reply Quote 0
      • A
        adam65535
        last edited by

        Some issues that I had…  (none related to ipsec which works fine for me and I only use ikev1).  There is a known issue with ipsec if ipsec compression is used on a site from what I read but I am not using compression so I don't know about that.

        IP aliases assigned to a carp IP did not get assigned to the new way that the carp interface is handled so the interface that the IP Alias is assigned to will show as blank.  This is an easy fix though and just requires going to each IP Alias, selecting the CARP IP for the interface, and saving the IP Alias (Do that for each IP Alias you have assigned to a carp IP).

        If you configured OpenVPN to use a net30 (/30 subnet for each client) for the topology then the upgrade will change it to 1 IP per client (Subnet - One IP Address per client in a common subnet).  It is an easy fix to change it back to (net30 - Isolated /30 network per client) and save.

        The only big issue I had is some amount of traffic getting dropped when an igb interface went to high IRQ load dropping packets with low to minimal traffic but I am hoping that is related to an old igb driver tweak from 2.1.5 where I reduced hw.igb.num.queues to 2 in /boot/loader.conf.local (which is not needed any more with 2.2 and 2.3.  I just removed that entry and I am testing that now.  The primary is still at 2.1.5 and working well when I switch back to it.  CARP is working just fine failing back and forth between 2.1.5 and 2.3 for me (after I fixed the IP aliases problem above).

        EDIT: I assume you have read all the sticky stuff at the top of the Installing and Upgrades part of the forum.

        1 Reply Last reply Reply Quote 0
        • P
          Puma
          last edited by

          Thanks for your feedback

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.