Project

General

Profile

Actions
Copy link

Bug #8472

closed

IPsec with "Split connections" enabled (multiple P2's) - new added P2's are not coming up (between two pfsense's 2.4.3)

Added by Vladimir Lind over 6 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
IPsec
Target version:
2.5.0
Start date:
04/19/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.3
Affected Architecture:

Description

When a new P2 is created it is not appearing in active SA's.

For example - P2 is added for 10.200.136.0/24|/0 === 10.201.138.0/23|/0

It is somehow "intercepted" by 10.200.138.0/23|/0 === 10.201.138.0/23|/0 though 10.200.138.0/23 doesn't overlap with 10.200.136.0/24:

con1008: child: 10.200.136.0/24|/0 === 10.201.138.0/23|/0 TUNNEL, dpdaction=restart
con1008{6421}: ROUTED, TUNNEL, reqid 15
con1008{6421}: 10.200.136.0/24|/0 === 10.201.138.0/23|/0

con1008{6383}: INSTALLED, TUNNEL, reqid 15, ESP in UDP SPIs: ce81bb5b_i c31e54e7_o
con1008{6383}: AES_CBC_256/HMAC_SHA2_256_128/MODP_1024, 38448 bytes_i (208 pkts, 10s ago), 48680 bytes_o (206 pkts, 10s ago), rekeying in 29 minutes
con1008{6383}: 10.200.138.0/23|/0 === 10.201.138.0/23|/0

When deleting P2 for 10.200.138.0/23|/0 === 10.201.138.0/23|/0 and creating it again - either P2's for 10.200.138.0/23 and 10.200.136.0/24 are "intercepting" by another third P2.

Disabling "Split connections" workarounds it.

Files

status_output (49).tgz (737 KB) status_output (49).tgz Vladimir Lind, 04/19/2018 11:08 AM
Actions
Copy link

Also available in: Atom PDF