List:       pfsense-support
Subject:    Re: [pfSense Support] Odd VPN setup - suggestions needed.
From:       Angelo Turetta <aturetta+pfsense () bestunion ! it>
Date:       2008-03-27 16:21:55
Message-ID: 47EBC9A3.1000206 () bestunion ! it

Eric Baenen wrote:
> I originally tried setting up five separate IPSEC VPN channels between the core
> firewall and the lab 8 firewall - each one assigned to a separate subnet in Lab 8 -
> but none of them worked.  Based on the IPSEC VPN log entries it seemed the firewall
> was getting confused about which key to use with which channel.  All of the VPN
> links had the same local and remote gateways.
> When I disabled all but the VPN channel between the core subnet and 192.168.100.x -
> that link came up and works fine.  Activate a second and neither works.

This is a known limitation of the current WebGUI. The IPSEC
infrastructure is perfectly capable of doing multiple phase2 negotiations
(one per subnet) after a single phase1 (mutual authentication of the two
endpoints), but the xml-config/web-interface is not. I once had some
patches, but only to filter.inc (no user interface).

Try toggling 'Prefer old IPsec SAs' in the advanced config (on one or 
both sides), it might benefit your situation (or not at all :).

Angelo Turetta
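
Added example, not part of the original message or of pfSense: the layout described above (one phase 1 per gateway pair, one phase 2 per subnet pair) written as a check over per-subnet tunnel entries. The field names, addresses and key labels are constructed for illustration and are not pfSense's config.xml schema.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample: per-subnet tunnel entries, three of which share a gateway pair.
# Hypothetical field names; "psk_id" is a label for a key, not the key itself.
TUNNELS = [
    {"local_gw": "198.51.100.1", "remote_gw": "203.0.113.1",
     "local_net": "10.0.0.0/24", "remote_net": "192.168.100.0/24", "psk_id": "key-a"},
    {"local_gw": "198.51.100.1", "remote_gw": "203.0.113.1",
     "local_net": "10.0.0.0/24", "remote_net": "192.168.101.0/24", "psk_id": "key-b"},
    {"local_gw": "198.51.100.1", "remote_gw": "203.0.113.1",
     "local_net": "10.0.0.0/24", "remote_net": "192.168.102.0/24", "psk_id": "key-a"},
    {"local_gw": "198.51.100.1", "remote_gw": "203.0.113.9",
     "local_net": "10.0.0.0/24", "remote_net": "172.16.5.0/24", "psk_id": "key-c"},
]


def plan_peers(tunnels):
    """Group entries by gateway pair: one phase 1 per pair, one phase 2 per subnet pair."""
    peers = defaultdict(lambda: {"psk_ids": set(), "phase2": []})
    for t in tunnels:
        peer = peers[(t["local_gw"], t["remote_gw"])]
        peer["psk_ids"].add(t["psk_id"])
        # ip_network() also rejects malformed subnets or ones with host bits set.
        selector = (ip_network(t["local_net"]), ip_network(t["remote_net"]))
        if selector not in peer["phase2"]:
            peer["phase2"].append(selector)
    return dict(peers)


def ambiguous_peers(peers):
    """Gateway pairs whose entries disagree on the phase 1 key.

    Phase 1 authenticates the two endpoints, not a subnet, so every entry
    that shares a gateway pair has to agree on the phase 1 key.
    """
    return sorted(pair for pair, p in peers.items() if len(p["psk_ids"]) > 1)


if __name__ == "__main__":
    peers = plan_peers(TUNNELS)
    for (local_gw, remote_gw), p in peers.items():
        print(f"phase 1: {local_gw} <-> {remote_gw} keys={sorted(p['psk_ids'])}")
        for local_net, remote_net in p["phase2"]:
            print(f"  phase 2: {local_net} <-> {remote_net}")
    print("conflicting phase 1 keys:", ambiguous_peers(peers))
```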
