IPsec failure after upgrade to 2.3 - resolved
https://forum.pfsense.org/index.php?topic=111262.0
is a topic in this forum "Version 2.3 IPSec both sides" started by "cpirasa"
where I commented with "I have the same problem …"
After that I was trying to resolve it and finally it is working again.

I have 2 pfSense firewalls (both on PC Engines boards) and I had working
IPsec between them on version 2.2.6
After I upgraded both of them to 2.3 IPsec would not connect.
Below are the logs from both sides.

May 4 11:47:27 charon 15[IKE] <con3000|20>received NO_PROPOSAL_CHOSEN error notify
May 4 11:47:27 charon 15[ENC] <con3000|20>parsed INFORMATIONAL_V1 request 3826032390 [ N(NO_PROP) ]
May 4 11:47:27 charon 15[NET] <con3000|20>received packet: from xxxx [500] to xxxx [500] (40 bytes)
May 4 11:47:27 charon 15[NET] <con3000|20>sending packet: from xxxx [500] to xxxx [500] (180 bytes)
May 4 11:47:27 charon 15[ENC] <con3000|20>generating ID_PROT request 0 [ SA V V V V V ]
May 4 11:47:27 charon 15[IKE] <con3000|20>initiating Main Mode IKE_SA con3000[20] to xxxx
May 4 11:47:27 charon 07[KNL] creating acquire job for policy xxxx /32|/0 === xxxx /32|/0 with reqid {9}

May 4 11:47:27 charon 12[NET] <15> sending packet: from xxxx [500] to xxxx [500] (40 bytes)
May 4 11:47:27 charon 12[ENC] <15> generating INFORMATIONAL_V1 request 3826032390 [ N(NO_PROP) ]
May 4 11:47:27 charon 12[IKE] <15> no IKE config found for xxxx … xxxx , sending NO_PROPOSAL_CHOSEN
May 4 11:47:27 charon 12[ENC] <15> parsed ID_PROT request 0 [ SA V V V V V ]
May 4 11:47:27 charon 12[NET] <15> received packet: from xxxx [500] to xxxx [500] (180 bytes)

I tried changing configs, restarting the service, … nothing helped!
I am only guessing, but I think the important info in the logs was no IKE config found.
I made the steps which made it work again on the side where this was in the logs.
Here they are:
- stop the ipsec service
- delete all IPsec configurations
- restart the firewall
- enter all config again
- restart ipsec service
I do not know if all steps are really necessary, but this is exactly what I did and it helped me.
Maybe it will help someone else …

Regards Miro
http://www.rsmm.si
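
A small triage script for charon log lines in the format quoted in the post, added here as an example and not part of the original post: it picks out the two messages that show which side refused the negotiation. The function names and the sample lines are constructed for illustration.

```python
import re

# Constructed sample in the format of the log lines in the post (addresses masked as xxxx).
SAMPLE_LOG = """\
May 4 11:47:27 charon 15[IKE] <con3000|20>received NO_PROPOSAL_CHOSEN error notify
May 4 11:47:27 charon 15[IKE] <con3000|20>initiating Main Mode IKE_SA con3000[20] to xxxx
May 4 11:47:27 charon 07[KNL] creating acquire job for policy xxxx /32|/0 === xxxx /32|/0 with reqid {9}
May 4 11:47:27 charon 12[IKE] <15> no IKE config found for xxxx … xxxx , sending NO_PROPOSAL_CHOSEN
May 4 11:47:27 charon 12[ENC] <15> parsed ID_PROT request 0 [ SA V V V V V ]
"""

# timestamp, "charon", thread number, [subsystem], optional <tag>, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+charon\s+(?P<thread>\d+)\[(?P<subsys>[A-Z]+)\]\s*"
    r"(?:<(?P<tag>[^>]*)>)?\s*(?P<msg>.*)$"
)

def parse_line(line):
    """Split one charon line into fields; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The tag is "name|id" (e.g. con3000|20) or a bare id (e.g. 15) with no name.
    name, _, sa_id = (rec.pop("tag") or "").rpartition("|")
    rec["conn"], rec["sa_id"] = name or None, sa_id or None
    return rec

def triage(log_text):
    """Return (role, connection name, hint) for each line that explains the failure."""
    findings = []
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if "no IKE config found" in rec["msg"]:
            # This side received the request and had no configuration for the peer.
            findings.append(("responder", rec["conn"],
                             "no IKE config matched the peer; check the IPsec config on this side"))
        elif "received NO_PROPOSAL_CHOSEN" in rec["msg"]:
            # This side sent the request; the reason is in the other side's log.
            findings.append(("initiator", rec["conn"],
                             "peer refused the request; read the peer's log"))
    return findings

if __name__ == "__main__":
    for role, conn, hint in triage(SAMPLE_LOG):
        print(f"{role:9} conn={conn or '-':8} {hint}")
```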