Bug #4112

closed

ipsec, strongswan (sometimes) needs a 'conn' section with a unique reqid for each phase2

Added by Pi Ba almost 10 years ago. Updated almost 10 years ago.

Status: Closed
Priority: Normal
Category: IPsec
Target version:
Start date: 12/14/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2
Affected Architecture: All

Description

ipsec, strongswan (sometimes) needs a 'conn' section with a unique reqid for each phase2

I've been trying to replace pfSense 2.1.5 with 2.2 and found that for 1 of my ipsec connections only the first phase2 was working correctly. (For another ipsec connection it does work with multiple phase2 connections..)

When creating the config with a separate 'conn' section for each phase2 then all work properly (also the one that did work before with multiple phase2 subnets configured in 'rightsubnet=' ..)

Not sure if it's related but the 'problematic' tunnel uses UDP, ipsec status reports: 'INSTALLED, TUNNEL, ESP in UDP SPIs xxxxxx'.

It's not (easily) possible in the webgui to create multiple phase1's with the same gateway. (and I don't think I want/need that..)
However that did work..

I think an option needs to be added to allow for writing this kind of config..

I was told that a possible explanation for why one of the site-to-site tunnels did work with multiple phase2's in rightsubnet= was that it possibly supports a proprietary extension, CISCO UNITY, to allow several subnets.. But I'm not sure if that's indeed the case..

I only control one side of the connections, and in this case don't know what kind of device is on the remote side..

If logging or other information is required I can try and add those. (but am hesitant to provide public-ip and 'data' shown in the logs..)
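The two ipsec.conf layouts contrasted in the report above, rendered side by side by a small generator. This is an added example, not code from pfSense, strongSwan or the reporter. The tunnel name, addresses and the `-p2-N` naming are constructed; `conn`, `reqid`, `left`, `right`, `leftsubnet`, `rightsubnet` and `auto` are strongSwan ipsec.conf keywords.

```python
from ipaddress import ip_network

def _conn(name, left, right, local_net, remote_spec, reqid):
    """Render one ipsec.conf 'conn' section."""
    return "\n".join([
        f"conn {name}",
        f"\treqid = {reqid}",
        f"\tleft = {left}",
        f"\tright = {right}",
        f"\tleftsubnet = {local_net}",
        f"\trightsubnet = {remote_spec}",
        "\tauto = route",
    ])

def _normalise(remote_nets):
    """Validate each CIDR and refuse duplicates, which would yield clashing conns."""
    nets = [ip_network(n) for n in remote_nets]  # ValueError on bad CIDR or host bits
    if len(set(nets)) != len(nets):
        raise ValueError("duplicate phase2 network")
    return [str(n) for n in nets]

def render_combined(name, left, right, local_net, remote_nets, reqid=1):
    """Single conn, all phase2 networks listed in one rightsubnet= line."""
    spec = ",".join(_normalise(remote_nets))
    return _conn(name, left, right, local_net, spec, reqid)

def render_split(name, left, right, local_net, remote_nets, first_reqid=1):
    """One conn per phase2, each with its own reqid (the layout that worked)."""
    return "\n\n".join(
        _conn(f"{name}-p2-{i}", left, right, local_net, net, first_reqid + i)
        for i, net in enumerate(_normalise(remote_nets))
    )

def reqids(conf_text):
    """Return the reqid values present in rendered text, in order."""
    return [int(line.split("=")[1]) for line in conf_text.splitlines()
            if line.strip().startswith("reqid")]

# Constructed sample tunnel using documentation address ranges.
SAMPLE = dict(name="con1", left="198.51.100.10", right="203.0.113.20",
              local_net="10.0.0.0/24", remote_nets=["10.1.0.0/24", "10.2.0.0/24"])

if __name__ == "__main__":
    print(render_combined(**SAMPLE))
    print()
    print(render_split(**SAMPLE))
```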

Actions #1

Updated by Chris Buechler almost 10 years ago

  • Assignee set to Chris Buechler

The subject here isn't what the problem really is, but there is some kind of interoperability issue with multiple P2s under some circumstances that needs to be tracked down. To me for testing.

Actions #2

Updated by Chris Buechler almost 10 years ago

  • Status changed from New to Closed

source of issue is #4129
