• Configuring a VPN pfSense to D-Link DI-804HV !

    2
    0 Votes
    2 Posts
    805 Views
    M

    Hi,

    nice to hear that you have to do it, please give a feedback how it works. ;D

    regards max

  • MultiWAN IPsec loses both connections when ONE wan is removed

    2
    0 Votes
    2 Posts
    655 Views
    S

    Hi,

    problem found.
    There is Carp running and when a LAN connection is dropped there was a failover from carp instead of the second line.

    On the second host the IPsec was not configured completely

    best regards
    Thomas

  • Can't reach web GUIs

    14
    0 Votes
    14 Posts
    4k Views
    G

    I can recall not being able to access the webinterface of some TPLink (cheap) APs over an IPSec VPN once, the problem turned out to be related to the MTU size. Had to play around with the MSS clamping value to get it to work.

    If this is the case, Wireshark captures would help your troubleshooting a lot.

  • IPsec Mobile - Static IPs

    8
    0 Votes
    8 Posts
    2k Views
    A

    Thank you! If a diff is made available, I'll gladly test it and report back :)

  • IPSec Routing questions

    2
    0 Votes
    2 Posts
    834 Views
    C

    Edit: This was just a figment of netcat. Happens locally too.

    ~~One more hint: What are these Xs?~~

    ```
    192.168.37.2# nc -l -p 1234 -uvvv
    listening on [any] 1234 ...
    192.168.40.2: inverse host lookup failed: Unknown host
    connect to [192.168.37.2] from (UNKNOWN) [192.168.40.2] 49339
    XXXXXhello
    ^C sent 0, rcvd 11

    192.168.40.2# echo hello | nc 192.168.37.2 1234 -u -vvv
    Connection to 192.168.37.2 1234 port [udp/*] succeeded!
    ^C
    ```

  • How can I force ALL network traffic through the IPsec tunnel?

    1
    0 Votes
    1 Posts
    624 Views
    No one has replied
  • Convert OpenVPN to IPSec

    2
    0 Votes
    2 Posts
    920 Views
    D

    I would give the whole idea a second/third/fourth/fifth thought… Benefits with current state of IPSec in pfSense (and strongswan in general) are about zero (and you must be doing something seriously wrong to have similar issues with OpenVPN in the first place.) Not to mention the royal PITA with configuration.

  • No virtual IP found for %any requested

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • IPSEC VPN problem

    5
    0 Votes
    5 Posts
    1k Views
    C

    @uk26:

    it appears PFsense is not able to route IPsec to additional interfaces (OP1)

    Of course you can, tens of thousands of people's networks including our own wouldn't work if that were true. There is some other difference between what you had and what you have now.

  • IPsec IKE, HIP, pfSense

    5
    0 Votes
    5 Posts
    1k Views
    J

    I can't believe all of the options available. It is ridiculous. Guidance seems minimal as well. If we need all of the options then great! Create recipes of known good configurations. Otherwise learning curve is like pole-vaulting a football field.

    This resource has pictures!
    Steve Friedl's Unixwiz.net Tech Tips
    An Illustrated Guide to IPsec
    http://www.unixwiz.net/techtips/iguide-ipsec.html

    Hmmm, For the German (Deutsch) speakers out there. I think I lost something in google translate.
    http://www.heise.de/security/artikel/Einfacher-VPN-Tunnelbau-dank-IKEv2-270056.html

  • MOVED: Alcanzar DMZ desde segundo pfsense por ipsec

    Locked
    1
    0 Votes
    1 Posts
    441 Views
    No one has replied
  • Pfsense ipsec VPN client to Cisco

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • PFSense 2.2.4 + IPsec: What to do on Windows side?

    2
    0 Votes
    2 Posts
    713 Views
    jimpJ

    You will need to provide much more information about your IPsec configuration, including which client you used or how you configured the native client.

    For Windows 8+, the doc wiki article on using IKEv2 with EAP-MSCHAPv2 is likely the best choice for using IPsec built into Windows. Be sure to follow the setup exactly.

  • Unable to use MutualPSK+xauth with Aggressive Mode PSK

    8
    0 Votes
    8 Posts
    5k Views
    T

    I'm not sure, is it possible that the } - char is missing in the charon section of /var/etc/ipsec/strongswan.conf so that (prob.) the setting becomes invalid?

    ![2015-09-23 09_07_51-Diagnostics_ Edit file.png](/public/imported_attachments/1/2015-09-23 09_07_51-Diagnostics_ Edit file.png)

  • IPsec - pfsense 2.2.4 - IPCompression causes IPsec failure

    1
    0 Votes
    1 Posts
    939 Views
    No one has replied
  • Does pfsense support Cisco VPN Client using IPSEC over TCP (port 10000)??

    3
    0 Votes
    3 Posts
    2k Views
    C

    That's generally not something you'll find outside of Cisco devices. It's not good to tunnel over TCP anyway, stick with UDP.

  • 0 Votes
    5 Posts
    2k Views
    C

    Everyone,

    Thank you very much for your help!

    My understanding is that this https://forum.pfsense.org/index.php?topic=99477.0 post discusses the same type of issue.

    In the second post, Derelict says that you can 1:1 NAT map the remote LAN, and present their remote subnet as something else:

    As far as I know, at least one of the SonicWALLs will have to 1:1 NAT their LAN and present it as something else so pfSense doesn't have two routes to the same subnet.

    If the client does this (or remaps the subnet) we should have no conflicts with the other two subnets, correct? Are there any other avenues/solutions to make a broad change to a large range of IP addresses on a subnet?

    Thanks again!

  • Frequent messages from racoon should I be concerned?

    1
    0 Votes
    1 Posts
    463 Views
    No one has replied
  • IPSec setup in a strange network environment

    2
    0 Votes
    2 Posts
    728 Views
    M

    Anyone at all have any suggestions?

    I need to

    - Get the public IP from the cisco unit presented by the pfsense box for VPN connectivity
    - Configure a way for the private IP to connect to the remote sites
  • IPsec - pfsense 2.2.4 - multiple remote system with dynamic IP

    3
    0 Votes
    3 Posts
    4k Views
    T

    Thank you very much for that information.

    What is slightly more confusing to me is why the order of the definitions in the ipsec.conf file should affect the operation of the links. I am still investigating this and a few other issues relating to the VPNs and I will report back once I have some solid information. Unfortunately, I only get limited time each week to look into these problems.

    I am observing what is well documented as a memory leak in charon. I am assuming this will eventually be resolved. I am observing some strange NAT issues with the VPNs. At this stage I am just working around these problems. I am investigating a strange issue where VPN tunnels stop passing traffic and then mysteriously start again when a new TCP session opens via the same tunnel. I am investigating the issue with the order of the IPsec definitions and why this should alter the behaviour of the VPN system as a whole.

    As I said, thank you for the response; it will be very useful. Also thanks for the work on pfsense - it is a great product. If I can get the IPsec working reliably it will be a perfect product!

    Tim
