• IPSEC tunnel does not recover when internet connection is restored

    0 Votes, 1 Post, 236 Views. No one has replied.
  • Tunnel issue with Pfsense on premise to aws

    0 Votes, 2 Posts, 2k Views
    Latest reply (jimp):
    @tbaror said in Tunnel issue with Pfsense on premise to aws:
      Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
      Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
      Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
      Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
      Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
      Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
      Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
      Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
    Looks like the AWS side is set for 10.13.0.0/16 <-> 10.110.0.0/16 but your local config is set for 10.13.0.0/16 <-> 10.109.0.0/16. It doesn't match so that child SA (P2) request is rejected.
  • Exclude Multiple Subnets In IPSec

    0 Votes, 3 Posts, 358 Views
    Latest reply:
    Thank you for your reply, here's the scenario: I have 4 subnets:
      LAN: 172.16.9.0/24
      MGMT: 172.16.121.0/24
      LAB1: 172.16.122.0/24
      LAB2: 172.16.123.0/24
    I want to route internet traffic for one of my servers in "LAB2" through IPSec. When the tunnel comes up, the internet traffic for this server goes through the IPSec tunnel and works perfectly, but none of my machines in the other subnets can communicate with that server. I've tried everything in firewall rules but no hope.
  • IPsec not pinging machines on remote side which is running pfsense

    0 Votes, 2 Posts, 353 Views
    Latest reply:
    Keep in mind that in case your pinged devices are Winblows machines, the ICMP protocol (Ping) is fully blocked there by default in the local firewall. You explicitly need to allow ICMP traffic there in the setup! (local and remote IP ranges to "any" or your specific source LAN addresses) Also the Winblows firewall generally blocks all traffic which has different source IPs than the local network they are in. Keep that in mind if you need access to file sharing or printer service etc. So best practice is always to ping the local router interfaces or destination IPs from devices without firewall like printers, wlan ap's etc. from the Diagnostics --> Ping menu. This also makes sense because you can alter the source IPs to your local LANs here.
  • Site to Site IPsec IKEv2 MTU/MSS clarification

    0 Votes, 4 Posts, 1k Views
    Latest reply:
    @awebster Thank you so much, great info. I've abandoned S2S for now, as I've spent way too much time on it and have to deal with a bunch of stuff that has piled up in the meantime. Mobile client is working (almost) perfectly, and I'm super pleased with the throughput. A couple of responses: oh boy have I rebooted. Managed switch is telling me 140 link state changes -- since the last time I rebooted the switch. :-) Mostly because I've read some messages with confusion about how to properly restart IPSEC, and reboot means it for sure restarted. MTU... no packet loss using Mobile Client, all defaults. My cable modem (remote side) is 1500. HQ is a fiber connection that I don't manage, but between pfSense and the USG Pro I have confirmed that it's 1500. Even so, seems like I should have to account for encapsulation overhead.... but it seems to be working. I mean, maybe the USG is just handling the fragmentation well, but I feel like I would not have the performance that I'm getting if so. Cheers
  • Have the same problem

    0 Votes, 1 Post, 159 Views. No one has replied.
  • ipsec phase 2 goes up only if traffic initiate from one side

    0 Votes, 4 Posts, 517 Views
    Latest reply:
    Hi Konstanti, have you seen the data? Regards, Maurizio
  • Tunnel dropping to Smoothwall

    0 Votes, 1 Post, 357 Views. No one has replied.
  • Random disconnections on IPSEC VPN

    0 Votes, 1 Post, 229 Views. No one has replied.
  • IPSEC gateway loop and high latency

    0 Votes, 2 Posts, 356 Views
    Latest reply:
    @rodrigocar said in IPSEC gateway loop and high latency: We have a PFsense as firewall+VPN and use IPSec to close a connection with our datacenter (Site to Site). We notice a high latency between us and our servers on the datacenter. This wasn't happening before, the problem started about 1-2 months ago. The ping response stays on 150ms and if I run a traceroute I notice that it passes through the GW (192.168.0.254) - 0.358ms, loops again to the GW (192.168.0.254) but the response time is 160ms and then arrives on the other side with a response time of 164ms. I've ruled out hardware and firewall rules problems because I installed PFsense on another machine from scratch and did only the IPSec configuration; the results were the same. I attached a print with the results.
    FYI:
      PFSense 2.4.4-RELEASE-p3
      Hardware: CPU Type Intel(R) Xeon(R) CPU E5620 @ 2.40GHz, 8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads
      Memory - 16GB
    Any help is welcome... thanks everyone!!!
    Anyone can help me with that problem?
  • VPN IpSec bandwith limited

    0 Votes, 2 Posts, 333 Views
    Latest reply:
    The tests I made were using UDP. I did the same with TCP and it seems there is a limitation at 25mb/s.

    udp test with public :
      root@client ~ # iperf -c public_ip -b 400M -u
      ------------------------------------------------------------
      Client connecting to public_ip, UDP port 5001
      Sending 1470 byte datagrams, IPG target: 28.04 us (kalman adjust)
      UDP buffer size: 8.00 MByte (default)
      ------------------------------------------------------------
      [ 3] local private_ip port 10012 connected with public_ip port 5001
      [ ID] Interval Transfer Bandwidth
      [ 3] 0.0-10.0 sec 500 MBytes 419 Mbits/sec
      [ 3] Sent 356661 datagrams
      [ 3] Server Report:
      [ 3] 0.0-10.0 sec 485 MBytes 406 Mbits/sec 0.064 ms 10375/356661 (2.9%)
      [ 3] 0.00-10.02 sec 18 datagrams received out-of-order
      root@client ~ #

    udp test with private ip :
      root@client ~ # iperf -c private_ip -b 400M -u
      ------------------------------------------------------------
      Client connecting to private_ip, UDP port 5001
      Sending 1470 byte datagrams, IPG target: 28.04 us (kalman adjust)
      UDP buffer size: 8.00 MByte (default)
      ------------------------------------------------------------
      [ 3] local private_ip port 33804 connected with 192.168.1.3 port 5001
      [ ID] Interval Transfer Bandwidth
      [ 3] 0.0-10.0 sec 500 MBytes 419 Mbits/sec
      [ 3] Sent 356660 datagrams
      [ 3] Server Report:
      [ 3] 0.0-10.3 sec 283 KBytes 226 Kbits/sec 611.953 ms 356462/356659 (1e+02%)
      root@client ~ #

    tcp test with public ip :
      root@client ~ # iperf -c public_ip -b 400M
      ------------------------------------------------------------
      Client connecting to public_ip, TCP port 5001
      TCP window size: 85.0 KByte (default)
      ------------------------------------------------------------
      [ 3] local private_ip port 52622 connected with public_ip port 5001
      [ ID] Interval Transfer Bandwidth
      [ 3] 0.0-10.0 sec 30.4 MBytes 25.4 Mbits/sec
      root@client ~ #

    tcp test with private ip :
      root@client ~ # iperf -c private_ip -b 400M
      ------------------------------------------------------------
      Client connecting to private_ip, TCP port 5001
      TCP window size: 64.0 KByte (default)
      ------------------------------------------------------------
      [ 3] local private_ip port 12658 connected with private_ip port 5001
      [ ID] Interval Transfer Bandwidth
      [ 3] 0.0-10.0 sec 29.5 MBytes 24.7 Mbits/sec
      root@client ~ #
    Very strange. Any idea?
  • Side to Side VPN fails because of wrong config but config is correct

    0 Votes, 2 Posts, 469 Views
    Latest reply:
    I could solve the problem: the configured remote address was wrong. But pfsense seems to have a standard config, because in the log it says that pfsense is using %any config or something. Is that normal? Thanks! Ketanest
  • IPsec in pfSense placed behind a Load Balancer / Router

    0 Votes, 1 Post, 205 Views. No one has replied.
  • Restart IPsec VPN after a few minutes

    0 Votes, 2 Posts, 1k Views
    Latest reply (jimp):
    The best thing to do would be to figure out why it's disconnecting and correct that. The logs would be helpful with that. Failing that, you can use the ipsec up and ipsec down commands on 2.4.x to up/down single tunnels; for reference, look at how it's done when clicking the buttons on status_ipsec.php https://github.com/pfsense/pfsense/blob/RELENG_2_4_4/src/usr/local/www/status_ipsec.php#L54 On 2.5.0 it's similar but there it uses swanctl --initiate and swanctl --terminate
  • ipsec problem

    0 Votes, 1 Post, 329 Views. No one has replied.
  • Dual wan IPsec tunnel to one wan issue

    0 Votes, 1 Post, 166 Views. No one has replied.
  • trying to get vti mode working between two pfS units (2.4.4-RELEASE-p3)

    0 Votes, 5 Posts, 568 Views
    Latest reply:
    @coreybrett PF uses an enc0 interface to filter all ipsec traffic (classic ipsec tunnel, VTI).
      em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
          options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
          ether 08:00:27:7e:d9:81
          hwaddr 08:00:27:7e:d9:81
          inet6 fe80::a00:27ff:fe7e:d981%em1 prefixlen 64 scopeid 0x2
          inet 10.3.100.1 netmask 0xffffff00 broadcast 10.3.100.255
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          media: Ethernet autoselect (1000baseT <full-duplex>)
          status: active
      enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
          groups: enc
    Therefore, all filtering rules are created on the IPSEC tab (including for VTI).
  • Traffic slow one direction to AWS VPC

    0 Votes, 1 Post, 321 Views. No one has replied.
  • Forward all public IP traffic to a remote server via IPsec

    0 Votes, 2 Posts, 381 Views
    Latest reply:
    @AceStrider1 said in Forward all public IP traffic to a remote server via IPsec: 10.30.10.31
    Hello. To solve this problem, I would recommend that you use a routed connection type. For example, OpenVpn, GRE over IPSEC or VTI. Then it will be possible to redirect all traffic coming on 64.64.64.26 to the server 10.30.10.31. It is necessary to use NAT OUTBOUND on the tunnel interface because otherwise the traffic from 10.30.10.31 will return through 32.32.32.32. This is a feature of the PF implementation (the reply-to function does not work on virtual interfaces).
    Here is an example of traffic forwarding and using outgoing NAT (Linux Iptables) through a GRE tunnel.
      37.XXX.YYY.ZZZ = 64.64.64.25
      192.168.1.230 = 10.30.10.31
      10.10.100.2 = internal ip address of the GRE interface.
      prerouting = port forwarding
      postrouting = NAT OUTBOUND

      *nat
      :PREROUTING ACCEPT [0:0]
      -A PREROUTING -d 37.XXX.YYY.ZZZ -p tcp -m multiport --destination-port 25,465,587,993 -j DNAT --to-destination 192.168.1.230
      :POSTROUTING ACCEPT [0:0]
      :OUTPUT ACCEPT [0:0]
      -A POSTROUTING -o tun100 -p tcp -m multiport --destination-port 25,465,587,993 -d 192.168.1.230 -j SNAT --to-source 10.10.100.2
  • IPSEC Tunnel Phase 2 NAT doesn't work

    0 Votes, 2 Posts, 350 Views
    Latest reply:
    Issue resolved. It seems that AES-256 doesn't translate NAT/BINAT with DH-Group 2. I changed the DH-Group to 14 and the issue was solved.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.