Project

General

Profile

Actions

Bug #4112

closed

ipsec, strongswan (sometimes) needs a 'conn' section with a unique reqid for each phase2

Added by Pi Ba about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Category:
IPsec
Target version:
Start date:
12/14/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:
All

Description

ipsec, strongswan (sometimes) needs a 'conn' section with a unique reqid for each phase2

I've been trying to replace pfSense 2.1.5 with 2.2 and found that for 1 of my ipsec connections only the first phase2 was working correctly. (For another ipsec connection it does work with multiple phase2 connections..)

When creating the config with a separate 'conn' section for each phase2 then all work properly (also the one that did work before with multiple phase2 subnets configured in 'rightsubnet=' ..)

Not sure if its related but the 'problematic' tunnel uses UDP, ipsec status reports: 'INSTALLED, TUNNEL, ESP in UDP SPIs xxxxxx'.

Its not (easily) possible in the webgui to create multiple phase1's with the same gateway. (and i dont think i want/need that..)
However that did work..

I think a options needs to be added to allow for writing this kind of config..

I was told was a possible explanation that one of the site-to-site tunnels did work with multiple phase2's in rightsubnet= was due to it possibly supporting a proprietary extension CISCO UNITY to allow several subnets.. But i'm not sure if thats indeed the case..

I only control one side of the connections, and in this case don't know what kind of device is on the remote side..

If logging or other information is required i can try and add those. (but am hesitant to provide public-ip and 'data' shown in the logs..)

Actions #1

Updated by Chris Buechler about 10 years ago

  • Assignee set to Chris Buechler

the subject here isn't what the problem really is, but there is some kind of interoperability issue with multiple P2s under some circumstances that needs to be tracked down. To me for testing

Actions #2

Updated by Chris Buechler about 10 years ago

  • Status changed from New to Closed

source of issue is #4129

Actions

Also available in: Atom PDF