pfSense bugtracker (https://redmine.pfsense.org/)
pfSense - Bug #8117: IPSec statuspage shows both connected and connecting tunnel | https://redmine.pfsense.org/issues/8117?journal_id=35211 | 2017-11-22T10:52:52Z | Anonymous
<p>One thing to try would be to run <code>swanctl --list-sas</code> in the command shell or in Diagnostics &gt; Command Prompt and see what it outputs. The Status IPsec page should show what is listed there.</p>
<p><code>swanctl --list-sas</code> will show all currently active IKE_SAs.</p>
<p>If it is in the connecting state it will look similar to this in the shell:</p>
<pre><code>con7: #46, CONNECTING, IKEv2, fdb690b0e5add6bb_i* 0000000000000000_r
  ...
  ...</code></pre>
pfSense - Bug #8117: IPSec statuspage shows both connected and connecting tunnel | https://redmine.pfsense.org/issues/8117?journal_id=35215 | 2017-11-23T01:47:34Z | Ges Ture
<p>Hello Stephen,</p>
<p>The same connection as in the picture shows up (twice!) as follows in the CLI:</p>
<pre><code>con59000: #1796, CONNECTING, IKEv1, 6bb51b0a9244e500_i* 0000000000000000_r
  local '%any' @ x.x.x.x [500]
  remote '%any' @ x.x.x.x [500]
  queued: QUICK_MODE
  active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
...
con59000: #1797, ESTABLISHED, IKEv1, 3b5f72fc4164f640_i 5736bcd0b8a6f6af_r*
  local 'x.x.x.x' @ x.x.x.x [500]
  remote 'x.x.x.x' @ x.x.x.x [500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 16s ago, reauth in 28129s
  con59000: #3105, reqid 503, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 16s ago, rekeying in 2528s, expires in 3584s
    in cf1c521f, 729 bytes, 8 packets, 16s ago
    out d691774f, 0 bytes, 0 packets
    local x.x.x.x/16|/0
    remote x.x.x.x/24|/0</code></pre>
<p>So it seems to be strongSwan that is in error here, not the status page...</p>
pfSense - Bug #8117: IPSec statuspage shows both connected and connecting tunnel | https://redmine.pfsense.org/issues/8117?journal_id=35310 | 2017-12-06T04:59:51Z | Ges Ture
<p>Any follow-up? Will this be reported to the strongSwan developers?</p>
pfSense - Bug #8117: IPSec statuspage shows both connected and connecting tunnel | https://redmine.pfsense.org/issues/8117?journal_id=35587 | 2018-01-16T12:48:46Z | Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Not a Bug</i></li><li><strong>Target version</strong> deleted (<del><i>2.4.3</i></del>)</li></ul><p>Given the output I'm not sure it's a bug at all. The main connection could accept another remote, given its configuration. It is showing you both the generic configuration and the specific connected instance. Given the nature of the remote being 'any', the main connection can't progress past that "connecting" state since it has no idea where the peer is. You could try to set the Phase 1 as "responder only" to work around that fact.</p>
pfSense - Bug #8117: IPSec statuspage shows both connected and connecting tunnel | https://redmine.pfsense.org/issues/8117?journal_id=35812 | 2018-02-13T05:19:35Z | Ges Ture
<p>It is set to respond only! (but I think previously it was set to initiate!)</p>
<p>This did not happen in the previous versions. I still have no idea whether the tunnel is connected or not, as it still shows both a connected and a connecting version of the <strong>SAME</strong> IPsec tunnel endpoint connection. What's most annoying is the fact that it thinks it is both the initiator and the responder. It should be one or the other, not both; in the latter situation the tunnel is very unstable, as the other side gets both initiating and responding messages as well and therefore keeps resetting the tunnel!</p>
<p><em>The main connection could accept another remote, given its configuration.</em> It is definitely not configured this way; it's the 'bug' that is thinking it's configured this way. As already said, you cannot set the connection to both initiate and respond to the same tunnel endpoint. Still, it's strongSwan (or the IPsec feature) that is in error here.</p>
<p>Note: once I stop and start the VPN service, the duplicates disappear, at least for some time. After a while I could still see the duplicates again.</p>
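The <code>swanctl --list-sas</code> check suggested in the first comment, turned into a small parser, as an added example that is not part of this ticket, of pfSense or of strongSwan. It reads <code>swanctl --list-sas</code> output from stdin, counts IKE_SAs per connection name by state, and lists the connection names that are simultaneously ESTABLISHED and CONNECTING, which is the symptom discussed above. The sample output is constructed from the listing Ges Ture posted (with the masked addresses replaced by documentation ranges and the child-SA indentation restored) plus two hypothetical connections, <code>con1000</code> and <code>con2000</code>, so that the script runs offline; only the state field and the indentation of IKE_SA lines are assumed to be stable across swanctl versions.

```shell
#!/bin/sh
# Added example (not pfSense or strongSwan code): summarise IKE_SA states
# from `swanctl --list-sas` and flag connections that show up as both
# CONNECTING and ESTABLISHED at the same time.

# Constructed sample, modelled on the listing in this ticket.  Addresses use
# RFC 5737 documentation ranges; con1000/con2000 are hypothetical extras.
sample_sas() {
cat <<'EOF'
con59000: #1796, CONNECTING, IKEv1, 6bb51b0a9244e500_i* 0000000000000000_r
  local  '%any' @ 192.0.2.1[500]
  remote '%any' @ 198.51.100.7[500]
  queued: QUICK_MODE
  active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
con59000: #1797, ESTABLISHED, IKEv1, 3b5f72fc4164f640_i 5736bcd0b8a6f6af_r*
  local  '192.0.2.1' @ 192.0.2.1[500]
  remote '198.51.100.7' @ 198.51.100.7[500]
  AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
  established 16s ago, reauth in 28129s
  con59000: #3105, reqid 503, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 16s ago, rekeying in 2528s, expires in 3584s
    in  cf1c521f,    729 bytes,     8 packets,    16s ago
    out d691774f,      0 bytes,     0 packets
    local  10.0.0.0/16
    remote 10.1.0.0/24
con1000: #12, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  '192.0.2.1' @ 192.0.2.1[500]
  remote '203.0.113.9' @ 203.0.113.9[500]
con2000: #13, CONNECTING, IKEv2, 1111111111111111_i* 0000000000000000_r
  local  '%any' @ 192.0.2.1[500]
  remote '%any' @ 203.0.113.10[500]
EOF
}

# Count IKE_SAs per connection name, grouped by state.
# Output: "<name> established=<n> connecting=<n> other=<n>", one line per name.
summarize_ike_sas() {
    awk '
        # IKE_SA header lines start in column 0 and look like
        #   con59000: #1796, CONNECTING, IKEv1, <spi_i>_i* <spi_r>_r
        # CHILD_SA lines and attributes are indented, so the anchor skips them.
        /^[^ ]+: #[0-9]+, / {
            name = $1;  sub(/:$/, "", name)
            state = $3; sub(/,$/, "", state)
            if (state == "ESTABLISHED")     est[name]++
            else if (state == "CONNECTING") con[name]++
            else                            oth[name]++
            seen[name] = 1
        }
        END {
            for (n in seen)
                printf "%s established=%d connecting=%d other=%d\n",
                       n, est[n] + 0, con[n] + 0, oth[n] + 0
        }
    ' | LC_ALL=C sort
}

# Print only the connection names that have at least one ESTABLISHED and at
# least one CONNECTING IKE_SA at the same time (the situation in this ticket).
find_dual_state_conns() {
    summarize_ike_sas | awk '/established=[1-9]/ && /connecting=[1-9]/ { print $1 }'
}

# Stand-alone demo on the constructed sample; on a firewall replace
# `sample_sas` with `swanctl --list-sas`.
sample_sas | summarize_ike_sas
echo "dual-state connections:"
sample_sas | find_dual_state_conns
```

On pfSense the same functions can be sourced in the shell and fed real data with <code>swanctl --list-sas | find_dual_state_conns</code>. A non-empty result only tells you that one connection name carries both states; whether that is a genuine duplicate or the generic <code>%any</code> template that Jim describes sitting next to the instantiated peer is something the script cannot decide, so compare the <code>remote</code> lines of the two entries before drawing a conclusion.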