Bug #3420
Closed
Phase 1 doesn't start if phase 2 local network doesn't include a locally accessible IP
Description
My example, to better understand:
- I have an IPsec VPN with the right phase 1 and phase 2 parameters
- In phase 2, for the local network, I choose the type Network and the network 172.30.28.0/22
- In the pfSense network configuration I have one interface with 172.30.64.1/24 (it doesn't include any IP of 172.30.28.0/22)
- and a route for 172.30.0.0/16 that goes through the gateway 172.30.64.2 (it includes 172.30.28.0/22, but it is not locally accessible)
When I start the VPN, I have no log related to this VPN entry; however, the status page displays it with the little yellow "Error" cross and no "Connect VPN" button next to it.
Workaround:
- Add a new (fake) interface and configure it with this IP: 172.30.31.254/31 (within 172.30.28.0/22)
That's all; the VPN starts and works properly.
Updated by Jim Pingle over 11 years ago
- Status changed from New to Rejected
There is nothing we can do for that currently. It has to be able to source a ping from the firewall to bring up the tunnel automatically. If there is no IP on the firewall inside the Phase 2, it can't send anything to attempt to raise the tunnel.
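A small check that reproduces the condition described in this ticket, written here as an added example (not pfSense code): it tests whether any interface address on the firewall falls inside the Phase 2 local network, which is what the firewall needs to source the ping that raises the tunnel. The addresses, the static route and the `check()` function are constructed from the report above; a static route covering the Phase 2 network is listed only to show it does not satisfy the requirement.

```python
import ipaddress


def p2_local_source(phase2_local, interface_addrs):
    """Return the first interface IP inside the Phase 2 local network,
    or None when the firewall has no address it could ping from."""
    net = ipaddress.ip_network(phase2_local, strict=False)
    for addr in interface_addrs:
        iface = ipaddress.ip_interface(addr)  # e.g. "172.30.64.1/24"
        if iface.ip in net:
            return str(iface.ip)
    return None


def check(phase2_local, interface_addrs, static_routes=()):
    """Classify a Phase 2 local-network entry.

    ok=True  : an interface address lies inside the Phase 2 network, so the
               firewall can source traffic and auto-initiate the tunnel.
    ok=False : no such address; 'routed_only_via' lists static routes that
               merely cover the network (they do not count as a source).
    """
    src = p2_local_source(phase2_local, interface_addrs)
    if src:
        return {"ok": True, "source": src, "routed_only_via": []}
    net = ipaddress.ip_network(phase2_local, strict=False)
    covered = [r for r in static_routes
               if net.subnet_of(ipaddress.ip_network(r, strict=False))]
    return {"ok": False, "source": None, "routed_only_via": covered}


if __name__ == "__main__":
    # Constructed from the ticket: reported configuration, then the workaround.
    reported = check("172.30.28.0/22", ["172.30.64.1/24"], ["172.30.0.0/16"])
    print(reported)   # ok=False, only the /16 route covers the P2 network
    fixed = check("172.30.28.0/22",
                  ["172.30.64.1/24", "172.30.31.254/31"], ["172.30.0.0/16"])
    print(fixed)      # ok=True, source 172.30.31.254
```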