<p>pfSense bugtracker: pfSense - Feature #6324: Improve IKEv2 multiple traffic selector per SA configuration GUI<br>
https://redmine.pfsense.org/issues/6324</p>

<p>2016-05-06T03:49:27Z, Chris Buechler (cbuechler@gmail.com), https://redmine.pfsense.org/issues/6324?journal_id=26969</p>
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Feature</i></li><li><strong>Subject</strong> changed from <i>IKEv2 multiple traffic selector per SA lead to inappropiate configuration</i> to <i>Improve IKEv2 multiple traffic selector per SA configuration GUI</i></li><li><strong>Target version</strong> changed from <i>2.3.1</i> to <i>2.3.2</i></li></ul>
<p>The GUI should be as described so it's more clear what you're actually configuring.</p>

<p>2016-07-06T16:05:08Z, Chris Buechler (cbuechler@gmail.com), https://redmine.pfsense.org/issues/6324?journal_id=27972</p>
<ul><li><strong>Target version</strong> changed from <i>2.3.2</i> to <i>2.4.0</i></li></ul>

<p>2017-01-07T12:34:55Z, Jim Thompson (jim@netgate.com), https://redmine.pfsense.org/issues/6324?journal_id=30441</p>
<ul><li><strong>Assignee</strong> set to <i>Matthew Smith</i></li></ul>

<p>2017-09-11T15:58:42Z, Renato Botelho (renato@netgate.com), https://redmine.pfsense.org/issues/6324?journal_id=33856</p>
<ul><li><strong>Target version</strong> changed from <i>2.4.0</i> to <i>2.4.1</i></li></ul>

<p>2017-10-12T10:04:25Z, Jim Pingle, https://redmine.pfsense.org/issues/6324?journal_id=34254</p>
<ul><li><strong>Target version</strong> changed from <i>2.4.1</i> to <i>2.4.2</i></li></ul>

<p>2017-10-23T12:19:20Z, Jim Pingle, https://redmine.pfsense.org/issues/6324?journal_id=34604</p>
<ul><li><strong>Target version</strong> changed from <i>2.4.2</i> to <i>2.4.3</i></li></ul>

<p>2018-03-08T14:36:34Z, Jim Pingle, https://redmine.pfsense.org/issues/6324?journal_id=36019</p>
<ul><li><strong>Target version</strong> changed from <i>2.4.3</i> to <i>2.4.4</i></li></ul>

<p>2018-08-14T14:08:29Z, Anonymous, https://redmine.pfsense.org/issues/6324?journal_id=37700</p>
<ul><li><strong>Target version</strong> changed from <i>2.4.4</i> to <i>48</i></li></ul>

<p>2019-03-12T10:54:58Z, Jim Pingle, https://redmine.pfsense.org/issues/6324?journal_id=40116</p>
<ul><li><strong>Target version</strong> changed from <i>48</i> to <i>2.5.0</i></li></ul>

<p>2020-09-21T14:54:26Z, Renato Botelho (renato@netgate.com), https://redmine.pfsense.org/issues/6324?journal_id=47895</p>
<ul><li><strong>Assignee</strong> deleted (<del><i>Matthew Smith</i></del>)</li></ul>

<p>2020-09-21T14:56:18Z, Renato Botelho (renato@netgate.com), https://redmine.pfsense.org/issues/6324?journal_id=47896</p>
<ul><li><strong>Target version</strong> deleted (<del><i>2.5.0</i></del>)</li></ul>

<p>2020-09-21T15:05:27Z, Jim Pingle, https://redmine.pfsense.org/issues/6324?journal_id=47897</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul>
<p>There is no need for a separate option here. If you check Split Connections it does the right thing on 2.5.0.</p>
<p>It may be OK on 2.4.5 even with that option but it's less likely to be correct as the old ipsec.conf format didn't really accommodate this scenario natively.</p>
<p>For example, without split tunnel, you can see there is one Child SA with all networks configured:</p>
<pre>
con1000 {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes128gcm128-aesxcbc-curve448
    dpd_delay = 10s
    dpd_timeout = 60s
    reauth_time = 25920s
    rekey_time = 0s
    over_time = 2880s
    encap = no
    mobike = no
    local_addrs = 198.51.100.6
    remote_addrs = 198.51.100.14
    pools =
    local {
        id = 198.51.100.6
        auth = psk
    }
    remote {
        id = 198.51.100.14
        auth = psk
    }
    children {
        con1000 {
            dpd_action = restart
            mode = tunnel
            policies = yes
            life_time = 3600
            start_action = trap
            remote_ts = 10.14.0.0/24,10.14.101.0/24
            local_ts = 10.6.0.0/24,10.6.0.0/24
            esp_proposals = aes128gcm128-curve448
        }
    }
}
</pre>
<p>But with Split Tunnel selected, it creates multiple child SA entries with the correct network pairings:</p>
<pre>
con {
    fragmentation = yes
    unique = replace
    version = 2
    proposals = aes128gcm128-aesxcbc-curve448
    dpd_delay = 10s
    dpd_timeout = 60s
    reauth_time = 25920s
    rekey_time = 0s
    over_time = 2880s
    encap = no
    mobike = no
    local_addrs = 198.51.100.6
    remote_addrs = 198.51.100.14
    pools =
    local {
        id = 198.51.100.6
        auth = psk
    }
    remote {
        id = 198.51.100.14
        auth = psk
    }
    children {
        con0 {
            dpd_action = restart
            mode = tunnel
            policies = yes
            life_time = 3600
            start_action = trap
            local_ts = 10.6.0.0/24
            remote_ts = 10.14.0.0/24
            esp_proposals = aes128gcm128-curve448
        }
        con1 {
            dpd_action = restart
            mode = tunnel
            policies = yes
            life_time = 3600
            start_action = trap
            local_ts = 10.6.0.0/24
            remote_ts = 10.14.101.0/24
            esp_proposals = aes128gcm128-curve448
        }
    }
}
</pre>
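<p>As an added illustration (not from the ticket or from pfSense's own code), the Python below computes which network pairs each rendering actually permits and renders the per-pair children the way the split form above does. The ticket's networks permit the same traffic either way because both entries share the local network; a second, constructed pair set with two different local networks is included to show where the single-SA rendering becomes wider than what was configured. The child settings in the rendered output are copied from the ticket's config, and the reachability model assumes RFC 7296 traffic-selector matching (any TSi with any TSr within one Child SA).</p>

```python
import ipaddress
from itertools import product

# Phase 2 entries as configured in the ticket's example: (local, remote).
PAGE_PAIRS = [("10.6.0.0/24", "10.14.0.0/24"), ("10.6.0.0/24", "10.14.101.0/24")]
# Constructed example with two different local networks (not from the ticket).
ASYMMETRIC_PAIRS = [("10.6.0.0/24", "10.14.0.0/24"), ("10.6.1.0/24", "10.14.101.0/24")]


def _net(s):
    return ipaddress.ip_network(s, strict=True)


def merged_child_pairs(phase2):
    """(local, remote) pairs reachable when every entry is collapsed into ONE
    child SA with comma-separated local_ts/remote_ts (the first config above).
    IKEv2 matches traffic against any TSi and any TSr of the Child SA, so the
    effective policy is the cross product of the two selector lists."""
    locals_ = {_net(l) for l, _ in phase2}
    remotes = {_net(r) for _, r in phase2}
    return set(product(locals_, remotes))


def split_child_pairs(phase2):
    """Pairs reachable with Split Connections: one child SA per entry."""
    return {(_net(l), _net(r)) for l, r in phase2}


def unintended_pairs(phase2):
    """Traffic the merged rendering would permit that was never configured."""
    return merged_child_pairs(phase2) - split_child_pairs(phase2)


def render_split_children(phase2, name="con"):
    """Render the 'children' section as the second config shows it: one child
    per pair named con0, con1, ... carrying the ticket's child settings."""
    blocks = []
    for i, (l, r) in enumerate(phase2):
        blocks.append(
            f"    {name}{i} {{\n        dpd_action = restart\n        mode = tunnel\n"
            "        policies = yes\n        life_time = 3600\n        start_action = trap\n"
            f"        local_ts = {_net(l)}\n        remote_ts = {_net(r)}\n"
            "        esp_proposals = aes128gcm128-curve448\n    }"
        )
    return "children {\n" + "\n".join(blocks) + "\n}"


if __name__ == "__main__":
    print(render_split_children(PAGE_PAIRS))
    for l, r in sorted(unintended_pairs(ASYMMETRIC_PAIRS), key=str):
        print(f"permitted by the merged SA but never configured: {l} <-> {r}")
```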