Bug #4129: IPsec connections with multiple P2s use only first SA - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Plus - All Open Issues
23.09.1 Target - All Closed Issues
23.09.1 Target - All Open Issues
24.03 Plus - All Closed Issues
24.03 Plus - All Open Issues
24.03 Plus - Feedback Issues
24.03 Plus - Needs Attention/Work
24.03 Plus - New/Confirmed/In Progress Issues
24.03 Plus - Pull Request Review
24.03 Plus - Waiting on Merge
24.03 Target - All Closed Issues
24.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #4129

closed

IPsec connections with multiple P2s use only first SA

Added by Chris Buechler over 9 years ago. Updated over 9 years ago.

Status:

Resolved

Priority:

Very High

Assignee:

Ermal Luçi

Category:

IPsec

Target version:

2.2

Start date:

12/19/2014

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.2

Affected Architecture:

Description

Where you have multiple P2s on a P1, only the first is actually used. The SPD and SAD are correct in setkey's output, but all outbound traffic on a given P1 ends up on the first SA. This breaks all the P2s other than the first. Can confirm via byte counters on SAs, and when testing with certain devices you'll get logs such as "the peer is sending other traffic through this security association" (from an ASA).

Files

StrongSwan ipsec logs2.txt (19.9 KB) StrongSwan ipsec logs2.txt

Logging from StrongSwan with 3 different tests

Pi Ba, 12/20/2014 05:16 PM

History
Notes
Property changes

Actions

Copy link

Updated by Chris Buechler over 9 years ago

probably the best next step, after discussion with Jim T earlier, is to try ipsec-tools on 2.2 and see if the issue persists. A test setup is in place, but not entirely functional. Setup is on 172.27.44.26. racoon.conf, psk.txt, and spd.conf in /root/ there. racoon is via 'pkg install'. It seems to work fine when the other end initiates, but no traffic ever traverses the connection. I didn't change setkey, and I'm guessing that's where the issue is. I'm running short on time for today though. Ermal, please pick up on that. Unless you already know where the issue is and that won't help, then don't bother.

My suspicion is this seems like it's not a problem with strongswan at all, and this would help determine whether that's the case.

Actions

Copy link

Updated by Pi Ba over 9 years ago

To add a little info/reference here from report: #4112, with StrongSwan i was able to make it work in my situation by putting separate 'conn' sections in the config one for each P2. So it might not be required to add ipsec-tools to 2.2. If you guys think thats the better option that is ok for me. However it might be 'better' to use 1 piece of software if it supports everything required, and is only a 'configuration issue' which can be easily solved by writing a different config.

Actions

Copy link

Updated by Pi Ba over 9 years ago

File StrongSwan ipsec logs2.txt StrongSwan ipsec logs2.txt added

I've been checking this a bit more, and did see that with the current way it does work properly for a tunnel that uses 'Cisco Unity'.. For the other P1 is only negotiated once, but does require multiple conn sections. Some 'anonymized' logging attached, with and without separate conn sections, with and without CISCO UNITY from the remote device.

Actions

Copy link

Updated by Pi Ba over 9 years ago

In my test above i created complete separate conn sections in the config file, it seems possible to not repeat all info by using 'also' like described here: [https://lists.strongswan.org/pipermail/users/2012-March/002746.html].

Actions

Copy link