Bug #4112

closed

ipsec, strongswan (sometimes) needs a 'conn' section with a unique reqid for each phase2

Added by Pi Ba almost 10 years ago. Updated almost 10 years ago.

Status: Closed
Priority: Normal
Category: IPsec
Target version:
Start date: 12/14/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.2
Affected Architecture: All

Description

I've been trying to replace pfSense 2.1.5 with 2.2 and found that for one of my ipsec connections only the first phase2 was working correctly. (For another ipsec connection it does work with multiple phase2 connections..)

When creating the config with a separate 'conn' section for each phase2, all of them work properly (also the one that did work before with multiple phase2 subnets configured in 'rightsubnet=' ..)

Not sure if it's related, but the 'problematic' tunnel uses UDP; ipsec status reports: 'INSTALLED, TUNNEL, ESP in UDP SPIs xxxxxx'.

It's not (easily) possible in the webgui to create multiple phase1's with the same gateway. (and I don't think I want/need that..)
However that did work..

I think an option needs to be added to allow for writing this kind of config..

I was told that a possible explanation for why one of the site-to-site tunnels did work with multiple phase2's in rightsubnet= was that it possibly supports the proprietary CISCO UNITY extension to allow several subnets.. But I'm not sure if that's indeed the case..

I only control one side of the connections, and in this case don't know what kind of device is on the remote side..

If logging or other information is required I can try and add those. (but am hesitant to provide public-ip and 'data' shown in the logs..)
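As an added illustration (not the reporter's configuration and not what pfSense 2.2 generated), here are the two ipsec.conf shapes the report contrasts: one conn carrying both remote subnets in a single rightsubnet=, and one conn per phase2 with its own fixed reqid. Addresses, conn names and the PSK setup are placeholders.

```ini
# Constructed example; all addresses and names are placeholders.

config setup

# --- Shape 1: one conn, both remote subnets in one rightsubnet= ---
# Works only when the peer negotiates several selectors for one
# child SA (the report mentions the Cisco Unity extension as a
# possible reason one peer accepted this); otherwise only the
# first phase2 comes up.
conn site-a-single
        keyexchange=ikev1
        left=203.0.113.10
        leftsubnet=10.0.1.0/24
        right=198.51.100.20
        rightsubnet=10.0.2.0/24,10.0.3.0/24
        authby=secret
        auto=start

# --- Shape 2: one conn per phase2, each with a unique reqid ---
# Shared phase1 settings live in a template that is never started
# itself (auto=ignore); each phase2 conn pulls it in with also=.
conn site-a-base
        keyexchange=ikev1
        left=203.0.113.10
        leftsubnet=10.0.1.0/24
        right=198.51.100.20
        authby=secret
        auto=ignore

conn site-a-p2-1
        also=site-a-base
        rightsubnet=10.0.2.0/24
        reqid=1          # must differ from every other conn
        auto=start

conn site-a-p2-2
        also=site-a-base
        rightsubnet=10.0.3.0/24
        reqid=2
        auto=start
```

Check the result with `ipsec statusall`: in shape 2 each phase2 conn should show its own INSTALLED child SA rather than a single entry listing only the first subnet.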
