Bug #6275

closed

Disconnected IPsec phase 2 entries are not shown in IPsec status

Added by Yvan Masson over 8 years ago. Updated about 3 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 04/27/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes:
Affected Version:
Affected Architecture:

Description

Hi,

First, many thanks for making this great tool.

I have an IPsec phase 1 containing three phase 2 entries. These three phase 2 entries use exactly the same settings, except for the "local network" which is different each time (see below).

The problem is: when the third phase 2 entry is down, then it does not appear in "Status -> IPsec". All other phase 2 entries appear fine.

I already tried with no luck:
- deleting and recreating the phase 2 entry
- restarting the service

Using command line, I can connect the phase 2 (ipsec up con 3002). After that, it appears like the others in "Status -> IPsec".

The exact same configuration has been done on other pfSenses 2.1 (I know it is old) with no problem. I will try to upgrade to 3.0 as soon as I can, but I do not know when it will be: as the web UI has been reworked, it will probably work as expected.

Do not hesitate to ask if I can provide more information.

Regards,
Yvan

PS: the three phase 2 configurations:

...
<phase2>
    <ikeid>3</ikeid>
    <mode>tunnel</mode>
    <localid>
        <type>opt2</type>
    </localid>
    <remoteid>
        <type>network</type>
        <address>192.168.99.0</address>
        <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>3des</name>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
        <name>cast128</name>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>1200</lifetime>
    <pinghost/>
    <descr><![CDATA[R&eacute;gion]]></descr>
    <uniqid>5614fa60a3da1</uniqid>
    <reqid>3</reqid>
</phase2>
<phase2>
    <ikeid>3</ikeid>
    <uniqid>572076cd23e33</uniqid>
    <mode>tunnel</mode>
    <reqid>4</reqid>
    <localid>
        <type>lan</type>
    </localid>
    <remoteid>
        <type>network</type>
        <address>192.168.99.0</address>
        <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>3des</name>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
        <name>cast128</name>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>1200</lifetime>
    <pinghost/>
    <descr><![CDATA[Atos]]></descr>
</phase2>
<phase2>
    <ikeid>3</ikeid>
    <uniqid>572078c3c6414</uniqid>
    <mode>tunnel</mode>
    <reqid>5</reqid>
    <localid>
        <type>opt1</type>
    </localid>
    <remoteid>
        <type>network</type>
        <address>192.168.99.0</address>
        <netbits>24</netbits>
    </remoteid>
    <protocol>esp</protocol>
    <encryption-algorithm-option>
        <name>3des</name>
    </encryption-algorithm-option>
    <encryption-algorithm-option>
        <name>cast128</name>
    </encryption-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>0</pfsgroup>
    <lifetime>1200</lifetime>
    <pinghost/>
    <descr><![CDATA[Atos2]]></descr>
</phase2>
...
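
An added example, not part of the original report or of pfSense's code: a status view that lists only established tunnels hides the one that is down, so this check starts from the configured phase 2 entries and reports those with no established child SA. It assumes the set of established reqids is obtained separately from the IPsec daemon; the sample data and function names are constructed for illustration.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: the three phase 2 entries from the report, cut down to
# the fields read here and wrapped in a root element so the fragment parses.
_P2 = """<phase2><ikeid>3</ikeid><reqid>{reqid}</reqid>
  <localid><type>{local}</type></localid>
  <remoteid><type>network</type><address>192.168.99.0</address>
    <netbits>24</netbits></remoteid>
  <descr><![CDATA[{descr}]]></descr></phase2>"""
SAMPLE = "<ipsec>" + "".join(
    _P2.format(reqid=r, local=l, descr=d)
    for r, l, d in [(3, "opt2", "R&eacute;gion"), (4, "lan", "Atos"), (5, "opt1", "Atos2")]
) + "</ipsec>"


def configured_phase2(xml_text):
    """Return one dict per <phase2> element, in configuration order."""
    entries = []
    for p2 in ET.fromstring(xml_text).iter("phase2"):
        remote = p2.find("remoteid")
        entries.append({
            "ikeid": p2.findtext("ikeid"),
            "reqid": int(p2.findtext("reqid")),
            "local": p2.findtext("localid/type"),
            "remote": f"{remote.findtext('address')}/{remote.findtext('netbits')}",
            # The description is entity-encoded inside CDATA, so decode it.
            "descr": html.unescape(p2.findtext("descr") or ""),
        })
    return entries


def missing_from_status(entries, established_reqids):
    """Configured phase 2 entries that have no established child SA."""
    return [e for e in entries if e["reqid"] not in established_reqids]


if __name__ == "__main__":
    # Assumption: reqids 3 and 4 are up, as in the report where only the
    # third entry was down. A real check would read these from the daemon.
    for e in missing_from_status(configured_phase2(SAMPLE), {3, 4}):
        print(f"DOWN reqid={e['reqid']} {e['local']} -> {e['remote']} ({e['descr']})")
```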
