Project

General

Profile

Actions
Copy link

Bug #8472

closed

IPsec with "Split connections" enabled (multiple P2's) - new added P2's are not coming up (between two pfsense's 2.4.3)

Added by Vladimir Lind over 6 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
IPsec
Target version:
2.5.0
Start date:
04/19/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.3
Affected Architecture:

Description

When a new P2 is created it is not appearing in active SA's.

For example - P2 is added for 10.200.136.0/24|/0 === 10.201.138.0/23|/0

It is somehow "intercepted" by 10.200.138.0/23|/0 === 10.201.138.0/23|/0 though 10.200.138.0/23 doesn't overlap with 10.200.136.0/24:

con1008: child: 10.200.136.0/24|/0 === 10.201.138.0/23|/0 TUNNEL, dpdaction=restart
con1008{6421}: ROUTED, TUNNEL, reqid 15
con1008{6421}: 10.200.136.0/24|/0 === 10.201.138.0/23|/0

con1008{6383}: INSTALLED, TUNNEL, reqid 15, ESP in UDP SPIs: ce81bb5b_i c31e54e7_o
con1008{6383}: AES_CBC_256/HMAC_SHA2_256_128/MODP_1024, 38448 bytes_i (208 pkts, 10s ago), 48680 bytes_o (206 pkts, 10s ago), rekeying in 29 minutes
con1008{6383}: 10.200.138.0/23|/0 === 10.201.138.0/23|/0

When deleting P2 for 10.200.138.0/23|/0 === 10.201.138.0/23|/0 and creating it again - either P2's for 10.200.138.0/23 and 10.200.136.0/24 are "intercepting" by another third P2.

Disabling "Split connections" workarounds it.

Files

status_output (49).tgz (737 KB) status_output (49).tgz Vladimir Lind, 04/19/2018 11:08 AM
Actions
Copy link
 #1

Updated by Anonymous over 6 years ago

  • Assignee set to Jim Pingle
Actions
Copy link
 #2

Updated by Jim Pingle over 6 years ago

  • Assignee deleted (Jim Pingle)
  • Target version changed from 2.4.4 to 48

I can sort of reproduce this but not exactly in the way described. For example, if you stop and start (not restart) IPsec then both P2s work. This seems more like a different bug than described. The logs on the initiator side showed that it was making a proper request, the far side said the traffic selectors were unacceptable even though they did show in . After a stop/start it was all working, though. Comparing ipsec statusall output the specifications are identical in both cases but after a stop/start they both are established.

This may just be a side effect of using split tunnel in this way and what strongSwan needs to do to reload the configuration properly with this style. A basic reload may not be enough. We can revisit this in the future, but for now, if it's pfSense to pfSense, don't use split tunnel, and if you must, then stop and restart IPsec after adding P2 entries.

Actions
Copy link
 #3

Updated by Jim Pingle over 5 years ago

  • Target version changed from 48 to 2.5.0
Actions
Copy link
 #4

Updated by Jim Pingle over 5 years ago

  • Category changed from VPN (Multiple Types) to IPsec
Actions
Copy link
 #5

Updated by Jim Pingle almost 5 years ago

  • Status changed from New to Feedback

This needs tested again on a 2.5.0 snapshot after the changes for #9603 are available in a build.

Actions
Copy link
 #6

Updated by Anonymous about 4 years ago

  • Assignee set to Jim Pingle

Please test & confirm

Actions
Copy link
 #7

Updated by Jim Pingle about 4 years ago

  • Status changed from Feedback to Resolved

I recently tested this when checking on #6324 and it works fine on 2.5.0.

Actions
Copy link

Also available in: Atom PDF