IPsec

• Q

  inbound traffic with NAT/BINAT translation via IPsec
  • qsthensel

  1
  0
  Votes
  1
  Posts
  1
  Views

  No one has replied

• A

  IPSect Site to Site (Slow Upload) - (Fast Download) issue
  • AMD_infinium05

  24
  0
  Votes
  24
  Posts
  281
  Views

  P

  As far as I know MSS Clamping is a workaround to avoid MTU discovery problems. I assumed that you have some filtering in the source-destination path (ICMP was my first thought) that prevent MTU discovery. Since throughtput was assymetric, I expected it to be fairly easy to find what was different and causing the issue at one end.
• 

  IKEv2 IPsec VPN with pfSense and Apple devices
  • jraymonds

  8
  0
  Votes
  8
  Posts
  94
  Views

  

  I think Apple might have broken IKEv2 on macOS ... again. A couple adjustments to this should be made: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ikev2-with-eap-tls.html Set Peer Identifier to User Distinguished name, enter an e-mail address style identifier (e.g. user@example.com) – This isn’t used, but is currently required by the GUI Try setting Peer Identifier to Any. Also, in the IPsec Mobile config, set a DNS server to give to the clients. I set it to an address on pfSense that DNS Resolver is listening on. Also, set the Local ID on the macOS configuration to the CN in the user certificate. That should get you to connect. After that it looks like there is disagreement between the server and the client as to whether NAT-T or ESP is to be used. As far as I can tell, pfSense is doing the right thing here. This seems to correct itself after the first re-key (I think. I haven't dug into the logs to verify this). IDK. Apple keeps messing with the IKEv2 client. I am testing EAP-TLS with Mojave 10.14.3 to pfSense 2.4.4-p2. I have not tried iOS yet.
• R

  IPsec manual routing
  • rsaddoo

  4
  0
  Votes
  4
  Posts
  50
  Views

  I

  my apologies, for some reason i thought IPSec could be done the same as OpenVPN. You may have to accomplish this with static routes or a GRE tunnel.
• B

  IPSec mobile VPN using IKEv2 with EAP-MSCHAPv2
  • bcpi

  7
  0
  Votes
  7
  Posts
  85
  Views

  B

  Got it working finally... Routing all traffic to VPN "issue" was actually something else... Specifying the local domain in Mobile Clients > DNS Default Domain, resolved the problem and now I have a split VPN. Found via this post. The 3DES/SHA1/DH 2 requirement for macOS/iOS seems to only apply to the native clients when doing a direct configuration. If one uses the Apple Configurator 2 app to create a profile, other protocols can be specified. This way I was able to use AES268/SHA256 and drop 3DES/SHA1 -- An IKEv2 + Apple Configurator 2 blog post was helpful, though I ended up using for my *.mobileconfig EAP-MSChapv2 settings with only the CA certificate, instead of EAP-TLS and multiple certificates as that tutorial indicates.
• E

  IPSec site-to-site between PFSense and USG rekey issue
  • eragons

  6
  0
  Votes
  6
  Posts
  278
  Views

  T

  thanks for the update and great looking script! :) I had disabled PFS on both sides and had the VPN running ok but it appeared to stop passing traffic when the P2 timeout expired after 3600 seconds. By adding the rekey @ 540 seconds before expiry I 'think' its now stable. I run approx 25 VPN tunnels from two sites to remote sites and Ive replaced a remote pfsense box with a USG device at one remote site. From one main site ive had 100% uptime 19 hours to the USG Strangely the other main has had drops during the same period - 5,56,45 minutes breaks same IPSEC configuration (all other IPSECs from that site were ok) Both main sites pfsense 2.4.3
• A

  How to set multiple IP pools for RADIUS selection?
  • Abbys

  1
  0
  Votes
  1
  Posts
  32
  Views

  No one has replied

• J

  VPN S2S - P2 Bytes-In: 0 (0 B) Packets-In: 0 Bytes-Out: 0 (0 B) Packets-Out: 0
  • jonathan.posada

  5
  0
  Votes
  5
  Posts
  71
  Views

  J

  @derelict from the firewall fortigate in the capture I see the traffic coming out, but this does not reach the pfsense making the capture by ipsec Origin -> fortigate 192.168.0.0/24 destination -> pfsense 172.16.100.0/27 Something additional currently from that fortigate I have another vpn with another pfsense and it is established without problems these two vpn have the same configuration parameters.
• Z

  IPsec over IPv6
  • zimbo2000

  3
  0
  Votes
  3
  Posts
  58
  Views

  

  As long as it's IKEv2 it should be able to carry mixed traffic in the phase 2 / child SA.
• T

  AWS VPC second tunnel drops after certain amount of time (therefore receiving AWS notifications regarding VPN connections now and then)
  • TomWork

  6
  0
  Votes
  6
  Posts
  105
  Views

  S

  Hi Thoms, we have a similar problem with some AWS tunnels. Before the tunnel goes down i see the following message: DPD check timed out, enforcing DPD action Then it looks like the CHILD_SA is restartet, but one minute later the tunnel goes down. IKE_SA con24000[762] state change: ESTABLISHED => DELETING IKE_SA con24000[762] state change: DELETING => DELETING IKE_SA con24000[762] state change: DELETING => DESTROYING AWS Support tells me, that also their DPD detection has been triggered the same time. I really don´t know why this is happening and where to look further. Regards, Sebastian
• C

  3 sites - routed ipsec - automatic redundant failover routing
  • ccb056

  2
  0
  Votes
  2
  Posts
  52
  Views

  M

  I think the way to go is : Created routed IPSec with VTI Implemented some kind of dynamic routing, with BGP or OSPF, assigning different metrics to your path. Videos on theses subjects https://www.youtube.com/watch?v=AKMZ9rNQx7Y https://www.youtube.com/watch?v=4IlKcB17rWk
• M

  VTI Ipsec Dynamic Rules (solved)
  • martintamare

  8
  0
  Votes
  8
  Posts
  76
  Views

  M

  So for people who are facing the same issues. You need both a route on the pfsense (you must be able to see it with netstat -rn) And then, according to your firewall policy rules : if you use the default gateway (*) in your rules : OK if you use a specific gateway or a gateway group : assign a new rule throught the ipsec gateway I think the documentation should mentionned it. I'm not a native english speaker and after reading the doc, I thought, either static routes OR policy rules should work. But it's not an OR, it's an AND :) Regards
• T

  QNAP L2TP/IPSec (PSK)
  • toms88

  1
  0
  Votes
  1
  Posts
  27
  Views

  No one has replied

• S

  connection between ipsec mobile clients
  • serhanb

  1
  0
  Votes
  1
  Posts
  30
  Views

  No one has replied

• J

  SNAT From OpenVPN user to a IPSec tunnel possible?
  • JohnPulse

  6
  0
  Votes
  6
  Posts
  99
  Views

  J

  I have to admit, when I saw your post I thought that having a different number of Phase 2's on both sides would never work! However, it worked perfectly! I can now reach the other side from both my LAN subnet and my OpenVPN subnet. I cannot thank you enough, it was stupid of me trying to crack this one up for so long (weeks literally) when it was so fast to get awesome help here. Hope you have a perfect weekend. Thank you so much for giving me your time and even by trying the setup on your LAB. Regards, John
• M

  Traffic Selector unacceptable.
  • mirtiza

  14
  0
  Votes
  14
  Posts
  144
  Views

  

  No. You need to use a site-to-site to route tunnel networks like you are trying to do. Mobile IPsec assigns one and only one address to a connecting client. It doesn't "route" subnets like a site-to-site tunnel. You need to work around dynamic IP addresses with something like dynamic DNS for each endpoint. Nothing you come up with there will be perfect. Especially if the addresses simply change abruptly. Set each side to update a Dynamic DNS entry pointing to their actual, routable, outside WAN address. Tell each side to connect to the FQDN of the DynDNS entry on the other side. Set each side to use their own FQDN as the IKE identifier locally, and the other side's FQDN as the remote identifier.
• S

  Number of IPSEC's Vpn
  • sbouraoui

  2
  0
  Votes
  2
  Posts
  67
  Views

  

  Depends on the hardware. At least dozens. Possibly hundreds. There is no set limit but there are practical limits that vary by installation (like hardware and webgui performance for managing them all.)
• S

  strange openvpn ipsec routing problem
  • soujiro

  1
  0
  Votes
  1
  Posts
  41
  Views

  No one has replied

• H

  IPSEC Phase 2 Duplicate Causes VPN Tunnel to get stuck
  • Harow

  17
  0
  Votes
  17
  Posts
  446
  Views

  

  @harow Five days in, and no further problems of multiple P2's. The only thing I've changed is that the P1 is set to not initiate (respond only) to rekey. Will update again if this fails again.
• L

  Access to IPSec on VLAN
  • lukeren

  2
  0
  Votes
  2
  Posts
  50
  Views

  L

  Solved it by adding a P2 for the LAN and blocking all traffic except 1812/tcp from the AP.
• T

  IPsec failover - without dyndns
  • TheTomTom

  2
  0
  Votes
  2
  Posts
  106
  Views

  T

  I would think that would work, though I have not tried automating anything like that. I have successfully used dynamic DNS though. I've currently started learning about IPSEC VTI so I can have routed IPSEC. From the sounds of the documentation, though, you could also have policy based routing: "Policy Routes To policy route traffic across a routed IPsec tunnel, use the assigned IPsec interface gateway in firewall rules as usual for policy routing. See also Directing Traffic with Policy Routing" See here: https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/ipsec-routed.html (Note: I haven't tried that and can't speak to how well it may or may not work)
• S

  Phase 2 rekey takes 180 seconds
  • scourtney2000

  11
  0
  Votes
  11
  Posts
  104
  Views

  

  No. The tunnel interface addresses are specified in the Phase 2 configuration.
• R

  Mobile IPSec working but was expecting _route all_ and that's not happening
  • roveer

  8
  0
  Votes
  8
  Posts
  76
  Views

  

  @roveer said in Mobile IPSec working but was expecting _route all_ and that's not happening: So you actually took the time to reply to my post and to say. You are stupid and you don't read. That's how it came off. Not very helpful. Not all of us are perfect. You need to be aware of your failures so you can avoid them in the future.
• S

  network issues - vti - gateway_alarm restarts all tunnels
  • shalles

  6
  0
  Votes
  6
  Posts
  157
  Views

  S

  Thank you, for your feedback! I will give it a try. Sebastian
• C

  L2TP - IPsec - blocked communication - Interface NG0
  • cigu

  5
  0
  Votes
  5
  Posts
  75
  Views

  C

  Thanks Konstanti. I reload Outband and start to working. Thanks a lot!
• S

  IPSEC mobile client in transport mode: possible? No subnets defined somehow
  • sgw

  17
  0
  Votes
  17
  Posts
  92
  Views

  K

  @sgw You can always create a static route to the server network , but it is better to do everything correctly so that the server itself sends this information to the client )))
• N

  6th and 7th IPSec tunnel traffic not passing
  • naiw

  4
  0
  Votes
  4
  Posts
  94
  Views

  

  All of your p2's are unique? Are you seeing anything in the logs?
• 

  Wireless Internal Protection + Remote User VPN
  • skilledinept

  2
  0
  Votes
  2
  Posts
  39
  Views

  

  Nowhere close to enough information to help. Detail the various parties by IP address/network. You might have to diagram it.
• O

  Clients in OPT1 network not reachable through tunnel
  • OM606

  3
  0
  Votes
  3
  Posts
  88
  Views

  

  If you can ping the far side pfSense interface address but not the hosts behind it it is almost always a firewall on the target host itself (think windows firewall). That or their default gateway is not the pfSense firewall. Since traffic works the other way that pretty much rules that out.
• T

  VPN connects but I can't access pfSense.
  • TomT

  9
  0
  Votes
  9
  Posts
  99
  Views

  Z

  Thanks As far as I can tell the WebConfigurator CA is added to me device. Not sure why this works on the LAN and Wifi, but not VPN. I'd appreciate any help with this. Thanks
• A

  Can a remote VPN user (client) access other VPN IPSEC site to site?
  • alessdom

  3
  0
  Votes
  3
  Posts
  80
  Views

  A

  Thanks!, I've found a similar solution that doesn't require partner side intervention. I've added customer network in OpenVpn : Tunnel Network 10.0.2.0/24 Local Network: 10.0.1.0/24, 172.25.0.0/16. Then I've added Phase 2 with NAT: Local Network 10.0.2.0/24 NAT: 10.0.1.0/24 Remote Network: 172.25.0.0/16 It works!
• A

  IPsec VPN to Fortigate
  • Antonio23

  1
  0
  Votes
  1
  Posts
  63
  Views

  No one has replied

• A

  ipsec site to site vpn
  • acp

  8
  0
  Votes
  8
  Posts
  154
  Views

  A

  OK matched the Encryption Algorithm and Hash algorithm and PFS key group again on both pfsesne and cisco and added Lan ip of Cisco to advanced config on pfsese to ping. and it all now works, can ping from the firewall on both sides to local internal pcs. but now need to figure out routing from local subnet of site A to local subnet of site B and vice versa
• L

  IPSec traffic fails.
  • LCCox

  10
  0
  Votes
  10
  Posts
  129
  Views

  L

  I can't track the other side, that is the Vendor. I don't have control or access to that. I can track the connection the company location that fails, but it is up at the moment. No problems right now.
• J

  Amazon VPC shows connected but no traffic passes
  • jwilson_chess

  2
  0
  Votes
  2
  Posts
  60
  Views

  J

  I've tried restarting the tunnels but still get zero packets through. Is this a routing issue or something else?
• S

  Mobile IPSec VPN works but does not follow 302 redirects
  firewall nat ipsec vpn mobil • • svarto

  26
  0
  Votes
  26
  Posts
  255
  Views

  S

  @Konstanti I attach a network diagram of my setup to make it clearer. This is what is weird, when I connect to the VPN from my phone on 4G (option 1 in the attached diagram), I don't get errors any errors just timeouts. I can access everything on the internal LAN and internet, except, I cannot login into certain webservices. When I enter my password and press login, it just stalls - the browser says it is "thinking / loading" and then nothing happens. After a long time I get a "Server not found" error in the browser. However, when I am on my phone on the internal wifi over the VPN (option 2), then I click login and get redirected instantly to the dashboard of the webapp. I can also reach the webapp from outside my network as I have a reverse proxy (option 3), and this works fine. The reason I want to set up the Mobile IPSec VPN is that I want to close down the reverse proxy I have set up so that I can only access my webservices over the VPN and not anymore expose them directly to the internet.
• 

  IPSec VTI: IPv4 Working/IPv6 NFW
  • MMapplebeck

  5
  0
  Votes
  5
  Posts
  122
  Views

  

  I'm assuming this is a feature that just isn't supported by pfSense yet then. That would be a safe assumption where VTI was just introduced in 2.4.4 I'm going to test the native IPv6 P1 and see if that changes anything, if not, I'll look at some other manner of carrying and distributing my IPv6 routes. I may just end up using a GIF tunnel for my IPv6, and I should still be able to use OSPF6 on the GIF interface.
• M

  TCP issue inside the tunnel
  • monster4000

  11
  0
  Votes
  11
  Posts
  157
  Views

  M

  Hello MSS seem to done the trick, what is MMS? I already had the other change due to proxmox kvm
• C

  IPSec Mobile VPN client cannot go to OPT1 network
  • CheeMG

  5
  0
  Votes
  5
  Posts
  136
  Views

  

  Yup. Windows 10 requires manual manipulation of the client routes in powershell. It's an extremely helpful feature.
• Y

  IPSEC VTI disable gateway monitoring ?
  • Yathus

  1
  0
  Votes
  1
  Posts
  76
  Views

  No one has replied