• IPsec IKEv2 with two P2 - traffic selectors unacceptable

    jimp

    What do the lines for the network(s) look like in /var/etc/ipsec/ipsec.conf on both sides?

    What does ipsec statusall show on both sides?

    This is probably one of many things fixed by the IPsec swanctl conversion on 2.5.0, but you may not want to make that leap on production systems yet.

  • (SOLVED) IPSec with VPN clients


    I solved it!

    As suspected the problem was in the second P2 that is dealing with the VPN subnet. Each P2 should have a match on the other site but mirrored. And since I needed:

    VPN clients connected to Office A to be able to access machines in Office B LAN
    and
    VPN clients connected to Office B to be able to access machines in Office A LAN

    This required a third pair of P2 on both sides.

    [image: ipsec_p2_final.png]

    Thanks @netblues for the ideas!
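Added example, not from the original post: the mirroring rule described above as a check that can be run against the Phase 2 lists exported from both peers. Every (local, remote) pair on one side must appear as (remote, local) on the other, and the three requirements in the post (LAN to LAN, each office's mobile VPN pool to the far LAN) give three pairs per side. The office and VPN pool subnets and the function names are assumptions of this example.

```python
# Added example: P2 (child SA) mirror check for a pfSense-to-pfSense tunnel.
# Subnets below are placeholders, not the original poster's.
import ipaddress
from typing import List, Tuple

Pair = Tuple[str, str]  # (local subnet, remote subnet) as entered in a Phase 2


def required_p2s(lan_local: str, lan_remote: str, vpn_local: str, vpn_remote: str) -> List[Pair]:
    """The three P2 entries one office needs:
    LAN <-> far LAN, our mobile VPN pool -> far LAN, far mobile VPN pool -> our LAN."""
    return [
        (lan_local, lan_remote),
        (vpn_local, lan_remote),
        (lan_local, vpn_remote),
    ]


def _net(s: str):
    return ipaddress.ip_network(s, strict=False)


def mirror_gaps(side_a: List[Pair], side_b: List[Pair]) -> Tuple[List[str], List[str]]:
    """Return (missing_on_b, missing_on_a): pairs present on one side whose mirror image
    (remote, local) is absent on the other. Networks are normalised so that
    192.168.20.5/24 and 192.168.20.0/24 compare equal."""
    a = {(_net(l), _net(r)) for l, r in side_a}
    b = {(_net(l), _net(r)) for l, r in side_b}
    missing_on_b = sorted(f"{r} <-> {l}" for l, r in a if (r, l) not in b)
    missing_on_a = sorted(f"{r} <-> {l}" for l, r in b if (r, l) not in a)
    return missing_on_b, missing_on_a


# Placeholder addressing (assumed): office LANs and the mobile-client pools each office hands out.
OFFICE_A = {"lan": "192.168.10.0/24", "vpn": "10.10.10.0/24"}
OFFICE_B = {"lan": "192.168.20.0/24", "vpn": "10.20.20.0/24"}


def demo():
    """Compare a complete mirror with a side B that never got its third pair."""
    a = required_p2s(OFFICE_A["lan"], OFFICE_B["lan"], OFFICE_A["vpn"], OFFICE_B["vpn"])
    b_full = required_p2s(OFFICE_B["lan"], OFFICE_A["lan"], OFFICE_B["vpn"], OFFICE_A["vpn"])
    b_short = b_full[:2]  # LAN<->LAN and B's own pool only: the (B LAN, A pool) child SA has no match on B
    return mirror_gaps(a, b_full), mirror_gaps(a, b_short)


if __name__ == "__main__":
    print(demo())
```

The check only compares subnets; protocol/port fields of a P2 and the tunnel's own mode are outside its scope, and a pair reported as missing is exactly the child SA the far side will reject when the initiator proposes it.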

  • Multiple P2's show on PFsense to PFsense connections with same routes??

    WB3FFV

    So looking at the VPN config screen (I use IKEv2), I see under advanced options for Disable Rekey, and Disable Reauth, along with a margintime setting. Is this saying that I just need to select "disable rekey" to make this work correctly??

  • IPSec with remote subnet that's also another local subnet

  • How to let PFsense IPsec "Route Vti" interface response to PING?

    bluegrass-168

    @jimp

    This works, thanks!


  • Mobile IPsec clients cannot see traffic from LAN

    Derelict

    My first thought is your USB ethernet is misbehaving.

    How is your IPsec tunnel configured?

  •
    jimp

    If you have them configured on a P1 or P2 they should be proposed and used if needed.

    You'll need to show the contents of your /var/etc/ipsec/ipsec.conf and the related IPsec logs to tell anything for sure.

  • IPsec unidirectional traffic with P1 remote gateway 0.0.0.0


    I missed an important detail: the IPsec topology is routed VTI.

  • Change IP address

    NogBadTheBad

    @kidlat020 said in Change IP address:

    This subforum seems to be the closest topic to my problem. Please move if not.

    I'm running a net cafe. Somebody from my customer pool was using maphack, and unfortunately it resulted in an IP ban. This means anybody (myself included) is banned from connecting to the game as far as the covered IP is concerned. And yes, my net cafe is under the pfsense area of influence.

    I tried logging in using a wireless connection (outside pfsense area of influence) and successfully logged in. Even though both were using the same ISP.

    (if anyone's curious, This game was RGC.)

    Is there any way to change my IP?

    My current setup if this will help:

    pfsense LAN IP: 192.168.0.1
    pfsense WAN IP: 192.168.1.10

    edit: changing LAN IP or WAN IP solved nothing. this is starting to feel weird.

    Changing your WAN IP won't do anything as it's an RFC1918 address.

  • IPSec tunnel between two local subnets (no Internet)


    @rodak said in IPSec tunnel between two local subnets (no Internet):

    Is this a proper setup, or my way of thinking is wrong?

    Yep, that's perfectly correct!
    You can use either IPsec VPNs or an OpenVPN based VPN. pfSense gives you both options!

  • L2TP/IPsec VPN setup - need help

    havastamas

    Update:
    I followed this article and set up VPN: link

    Now I have a VPN that works with my Android phone, but my Windows 10 PC can't connect to it.

    The Windows 10 log shows error 788 when I try to connect to the server.

    The ipsec log:

    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (368 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ SA V V V V V V ]
    Dec 23 18:34:38 charon 07[CFG] <5> looking for an IKEv1 config for 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79...2a01:36d:1000:2bbe::1003
    Dec 23 18:34:38 charon 07[CFG] <5> candidate: %any...%any, prio 24
    Dec 23 18:34:38 charon 07[CFG] <5> found matching ike config: %any...%any with prio 24
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:01
    Dec 23 18:34:38 charon 07[IKE] <5> received MS NT5 ISAKMPOAKLEY vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> received FRAGMENTATION vendor ID
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
    Dec 23 18:34:38 charon 07[ENC] <5> received unknown vendor ID: e3:a5:96:6a:76:37:9f:e7:07:22:82:31:e5:ce:86:52
    Dec 23 18:34:38 charon 07[IKE] <5> 2a01:36d:1000:2bbe::1003 is initiating a Main Mode IKE_SA
    Dec 23 18:34:38 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
    Dec 23 18:34:38 charon 07[CFG] <5> selecting proposal:
    Dec 23 18:34:38 charon 07[CFG] <5> proposal matches
    Dec 23 18:34:38 charon 07[CFG] <5> received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    Dec 23 18:34:38 charon 07[CFG] <5> configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
    Dec 23 18:34:38 charon 07[CFG] <5> selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384
    Dec 23 18:34:38 charon 07[IKE] <5> sending XAuth vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> sending DPD vendor ID
    Dec 23 18:34:38 charon 07[IKE] <5> sending FRAGMENTATION vendor ID
    Dec 23 18:34:38 charon 07[ENC] <5> generating ID_PROT response 0 [ SA V V V ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (140 bytes)
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (180 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ KE No ]
    Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 23 18:34:38 charon 07[ENC] <5> generating ID_PROT response 0 [ KE No ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (164 bytes)
    Dec 23 18:34:38 charon 07[NET] <5> received packet: from 2a01:36d:1000:2bbe::1003[500] to 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] (92 bytes)
    Dec 23 18:34:38 charon 07[ENC] <5> parsed ID_PROT request 0 [ ID HASH ]
    Dec 23 18:34:38 charon 07[CFG] <5> looking for pre-shared key peer configs matching 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79...2a01:36d:1000:2bbe::1003[2a01:36d:1000:2bbe::1003]
    Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
    Dec 23 18:34:38 charon 07[IKE] <5> found 1 matching config, but none allows pre-shared key authentication using Main Mode
    Dec 23 18:34:38 charon 07[IKE] <5> queueing INFORMATIONAL task
    Dec 23 18:34:38 charon 07[IKE] <5> activating new tasks
    Dec 23 18:34:38 charon 07[IKE] <5> activating INFORMATIONAL task
    Dec 23 18:34:38 charon 07[ENC] <5> generating INFORMATIONAL_V1 request 3049540974 [ HASH N(AUTH_FAILED) ]
    Dec 23 18:34:38 charon 07[NET] <5> sending packet: from 2a01:36c:1000:2bbe:6e3b:e5ff:fe0a:4d79[500] to 2a01:36d:1000:2bbe::1003[500] (92 bytes)
    Dec 23 18:34:38 charon 07[IKE] <5> IKE_SA (unnamed)[5] state change: CONNECTING => DESTROYING

  •

    [Solved]

    VPN-->IPsec-->Mobile Clients-->Client Configuration-->Network List:
    [uncheck] Provide a list of accessible networks to clients

  • IPSec site to site to 2 Merakis. One works, one doesn't?

  • What clue did I miss?

  • IPSEC tunnel does not recover when internet connection is restored

  • Tunnel issue with Pfsense on premise to aws

    jimp

    @tbaror said in Tunnel issue with Pfsense on premise to aws:

    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
    Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
    Dec 17 16:27:10 charon 11[IKE] <con10000|6711> failed to establish CHILD_SA, keeping IKE_SA
    Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]

    Looks like the AWS side is set for 10.13.0.0/16 <-> 10.110.0.0/16 but your local config is set for 10.13.0.0/16 <-> 10.109.0.0/16. It doesn't match so that child SA (P2) request is rejected.
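Added example, not part of either thread: a small parser for charon log lines that covers the two failures quoted on this page, the TS_UNACCEPT selector mismatch in this thread and the "found 1 matching config, but none allows pre-shared key authentication using Main Mode" refusal in the L2TP/IPsec thread above. The sample lines are copied (trimmed) from those two posts; the function and field names are this example's own. It extracts what the peer asked for versus what the local side proposes, and reports the disjoint side, which is the comparison made by hand in the reply above.

```python
# Added example: triage of charon log lines for the two failures quoted on this page.
# Sample lines are copied (trimmed) from the two threads; function names are mine.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_AWS = """\
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> looking for a child config for 10.13.0.0/16|/0 === 10.110.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for us:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.13.0.0/16|/0
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> proposing traffic selectors for other:
Dec 17 16:27:10 charon 11[CFG] <con10000|6711> 10.109.0.0/16|/0
Dec 17 16:27:10 charon 11[IKE] <con10000|6711> traffic selectors 10.13.0.0/16|/0 === 10.110.0.0/16|/0 unacceptable
Dec 17 16:27:10 charon 11[ENC] <con10000|6711> generating CREATE_CHILD_SA response 53 [ N(TS_UNACCEPT) ]
"""
SAMPLE_L2TP = """\
Dec 23 18:34:38 charon 07[CFG] <5> candidate "bypasslan", match: 1/1/24 (me/other/ike)
Dec 23 18:34:38 charon 07[IKE] <5> found 1 matching config, but none allows pre-shared key authentication using Main Mode
Dec 23 18:34:38 charon 07[ENC] <5> generating INFORMATIONAL_V1 request 3049540974 [ HASH N(AUTH_FAILED) ]
"""

LINE_RE = re.compile(r"^\S+ +\d+ [\d:]+ charon \d+\[\w+\] <[^>]*> (?P<msg>.*)$")
CHILD_RE = re.compile(r"looking for a child config for (\S+) === (\S+)")
TS_LINE_RE = re.compile(r"^\S+\|\S*$")  # bare selector line such as 10.13.0.0/16|/0
CANDIDATE_RE = re.compile(r'candidate "([^"]+)", match:')
NONE_ALLOWS_RE = re.compile(r"found \d+ matching config, but none allows (.+)")
NOTIFY_RE = re.compile(r"N\(([A-Z_]+)\)")


@dataclass
class Triage:
    peer_local: Optional[str] = None   # selector the peer wants on OUR side
    peer_remote: Optional[str] = None  # selector the peer wants on ITS side
    our_local: List[str] = field(default_factory=list)
    our_remote: List[str] = field(default_factory=list)
    candidates: List[str] = field(default_factory=list)
    auth_reason: Optional[str] = None
    notifies: List[str] = field(default_factory=list)


def strip_ts(token: str) -> str:
    """'10.13.0.0/16|/0' -> '10.13.0.0/16' (drop the protocol/port part)."""
    return token.split("|", 1)[0]


def triage(log_text: str) -> Triage:
    t, section = Triage(), None  # section: 'us'/'other' while reading proposed selectors
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        c = CHILD_RE.search(msg)
        if c:
            t.peer_local, t.peer_remote = strip_ts(c.group(1)), strip_ts(c.group(2))
        elif msg == "proposing traffic selectors for us:":
            section = "us"
        elif msg == "proposing traffic selectors for other:":
            section = "other"
        elif section and TS_LINE_RE.match(msg):
            (t.our_local if section == "us" else t.our_remote).append(strip_ts(msg))
        else:
            section = None
            c = CANDIDATE_RE.search(msg)
            if c and c.group(1) not in t.candidates:
                t.candidates.append(c.group(1))
            c = NONE_ALLOWS_RE.search(msg)
            if c:
                t.auth_reason = c.group(1)
            t.notifies.extend(NOTIFY_RE.findall(msg))
    return t


def _overlaps(peer_ts: str, ours: List[str]) -> bool:
    """strongSwan narrows to the intersection, so the hard failure is a peer selector
    that overlaps none of ours. Non-CIDR selectors (e.g. 'dynamic') compare textually."""
    try:
        p = ipaddress.ip_network(peer_ts, strict=False)
    except ValueError:
        return peer_ts in ours
    for o in ours:
        try:
            n = ipaddress.ip_network(o, strict=False)
        except ValueError:
            continue
        if n.version == p.version and n.overlaps(p):
            return True
    return False


def diagnose(t: Triage) -> List[str]:
    findings = []
    if "TS_UNACCEPT" in t.notifies and t.peer_local and t.peer_remote:
        if not _overlaps(t.peer_local, t.our_local):
            findings.append(f"local selector mismatch: peer expects {t.peer_local}, we propose {t.our_local}")
        if not _overlaps(t.peer_remote, t.our_remote):
            findings.append(f"remote selector mismatch: peer expects {t.peer_remote}, we propose {t.our_remote}")
        if not findings:
            findings.append("TS_UNACCEPT with overlapping networks: compare the protocol/port part of the selectors")
    if t.auth_reason:
        findings.append(f"auth refused: matching conn(s) {t.candidates} allow no {t.auth_reason}")
    return findings


if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_AWS)), diagnose(triage(SAMPLE_L2TP)))
```

Feed it the IPsec log from Status > System Logs (or /var/log/ipsec.log) filtered to one IKE_SA; for the AWS lines it reports the 10.110.0.0/16 versus 10.109.0.0/16 remote-side mismatch, and for the Windows L2TP lines it reports that the only conn the peer matched was bypasslan and that none of the matches permits PSK in Main Mode.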

  • Exclude Multiple Subnets In IPSec


    Thank you for your reply,
    here's the scenario:
    I have 4 subnets:

    LAN: 172.16.9.0/24
    MGMT: 172.16.121.0/24
    LAB1: 172.16.122.0/24
    LAB2: 172.16.123.0/24

    I want to route internet traffic for one of my servers in "LAB2" through IPsec. When the tunnel comes up, the internet traffic for this server goes through the IPsec tunnel and works perfectly, but none of my machines in the other subnets can communicate with that server. I've tried everything in firewall rules but no hope.

  • IPsec not pinging machines on remote side which is running pfsense


    Keep in mind that in case your pinged devices are Winblows machines, the ICMP protocol (ping) is fully blocked there by default in the local firewall.
    You explicitly need to allow ICMP traffic there in the setup! (Local and remote IP ranges to "any" or your specific source LAN addresses.)
    Also, the Winblows firewall generally blocks all traffic which has different source IPs than the local network they are in. Keep that in mind if you need access to file sharing or printer services etc.
    So best practice is always to ping the local router interfaces or the destination IPs of devices without a firewall, like printers, WLAN APs etc., from the Diagnostics --> Ping menu. This also makes sense because you can alter the source IPs to your local LANs here.

  • Site to Site IPsec IKEv2 MTU/MSS clarification


    @awebster Thank you so much, great info.

    I've abandoned S2S for now, as I've spent way too much time on it and have to deal with a bunch of stuff that has piled up in the meantime.

    Mobile client is working (almost) perfectly, and I'm super pleased with the throughput.

    A couple responses:

    Oh boy, have I rebooted. The managed switch is telling me 140 link state changes since the last time I rebooted the switch. :-) Mostly because I've read some messages with confusion about how to properly restart IPsec, and a reboot means it has for sure restarted.

    MTU: no packet loss using the mobile client, all defaults. My cable modem (remote side) is 1500. HQ is a fiber connection that I don't manage, but between pfSense and the USG Pro I have confirmed that it's 1500. Even so, it seems like I should have to account for encapsulation overhead... but it seems to be working. I mean, maybe the USG is just handling the fragmentation well, but I feel like I would not have the performance that I'm getting if so.

    Cheers

  • Have the same problem

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.