  • ipsec phase 2 goes up only if traffic initiates from one side

    4 Posts

    Hi Konstanti,

    have you seen the data?

    regards

    Maurizio

  • Tunnel dropping to Smoothwall

    No one has replied
  • Random disconnections on IPSEC VPN

    No one has replied
  • IPSEC gateway loop and high latency

    2 Posts

    @rodrigocar said in IPSEC gateway loop and high latency:

    We have a pfSense as firewall+VPN and use IPsec to close a connection with our datacenter (site to site).
    We noticed high latency between us and our servers in the datacenter.
    This wasn't happening before; the problem started about 1-2 months ago.
    The ping response stays at 150ms, and if I run a traceroute I notice that it passes through the GW (192.168.0.254) - 0.358ms, loops again to the GW (192.168.0.254) but the response time is 160ms, and then arrives on the other side with a response time of 164ms.
    I've ruled out hardware and firewall rule problems because I installed pfSense on another machine from scratch and did only the IPsec configuration; the results were the same.
    I attached a print with the results.

    FYI

    PFSense 2.4.4-RELEASE-p3 Hardware
    CPU Type Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
    8 CPUs: 1 package(s) x 4 core(s) x 2 hardware threads
    Memory - 16GB

    Any help is welcome... thanks everyone!!!

    Anyone can help me with that problem?

  • VPN IPsec bandwidth limited

    2 Posts

    The tests I made were using UDP.

    I did the same with TCP and it seems there is a limitation at 25 Mb/s.

    UDP test with public IP:

    root@client ~ # iperf -c public_ip -b 400M -u
    ------------------------------------------------------------
    Client connecting to public_ip, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 28.04 us (kalman adjust)
    UDP buffer size: 8.00 MByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 10012 connected with public_ip port 5001
    [ ID] Interval       Transfer     Bandwidth
    [ 3] 0.0-10.0 sec   500 MBytes   419 Mbits/sec
    [ 3] Sent 356661 datagrams
    [ 3] Server Report:
    [ 3] 0.0-10.0 sec   485 MBytes   406 Mbits/sec   0.064 ms 10375/356661 (2.9%)
    [ 3] 0.00-10.02 sec  18 datagrams received out-of-order
    root@client ~ #

    UDP test with private IP:

    root@client ~ # iperf -c private_ip -b 400M -u
    ------------------------------------------------------------
    Client connecting to private_ip, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 28.04 us (kalman adjust)
    UDP buffer size: 8.00 MByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 33804 connected with 192.168.1.3 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [ 3] 0.0-10.0 sec   500 MBytes   419 Mbits/sec
    [ 3] Sent 356660 datagrams
    [ 3] Server Report:
    [ 3] 0.0-10.3 sec   283 KBytes   226 Kbits/sec   611.953 ms 356462/356659 (1e+02%)
    root@client ~ #

    TCP test with public IP:

    root@client ~ # iperf -c public_ip -b 400M
    ------------------------------------------------------------
    Client connecting to public_ip, TCP port 5001
    TCP window size: 85.0 KByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 52622 connected with public_ip port 5001
    [ ID] Interval       Transfer     Bandwidth
    [ 3] 0.0-10.0 sec  30.4 MBytes  25.4 Mbits/sec
    root@client ~ #

    TCP test with private IP:

    root@client ~ # iperf -c private_ip -b 400M
    ------------------------------------------------------------
    Client connecting to private_ip, TCP port 5001
    TCP window size: 64.0 KByte (default)
    ------------------------------------------------------------
    [ 3] local private_ip port 12658 connected with private_ip port 5001
    [ ID] Interval       Transfer     Bandwidth
    [ 3] 0.0-10.0 sec  29.5 MBytes  24.7 Mbits/sec
    root@client ~ #

    Very strange.
    Any idea?

  • Side to Side VPN fails because of wrong config but config is correct

    2 Posts

    I could solve the problem:
    The configured remote address was wrong.
    But pfSense seems to have a standard config, because in the log it says that pfSense is using the %any config or something.

    Is that normal?

    Thanks!
    Ketanest

  • IPsec in pfSense placed behind a Load Balancer / Router

    No one has replied
  • Restart IPsec VPN after a few minutes

    2 Posts
    jimp

    The best thing to do would be to figure out why it's disconnecting and correct that. The logs would be helpful with that.

    Failing that, you can use the ipsec up and ipsec down commands on 2.4.x to up/down single tunnels. For reference, look at how it's done when clicking the buttons on status_ipsec.php: https://github.com/pfsense/pfsense/blob/RELENG_2_4_4/src/usr/local/www/status_ipsec.php#L54

    On 2.5.0 it's similar, but there it uses swanctl --initiate and swanctl --terminate.

  • ipsec problem

    No one has replied
  • Dual wan IPsec tunnel to one wan issue

    No one has replied
  • trying to get vti mode working between two pfS units (2.4.4-RELEASE-p3)

    5 Posts

    @coreybrett
    PF uses the enc0 interface to filter all IPsec traffic (classic IPsec tunnel, VTI).

    em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
            options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
            ether 08:00:27:7e:d9:81
            hwaddr 08:00:27:7e:d9:81
            inet6 fe80::a00:27ff:fe7e:d981%em1 prefixlen 64 scopeid 0x2
            inet 10.3.100.1 netmask 0xffffff00 broadcast 10.3.100.255
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            media: Ethernet autoselect (1000baseT <full-duplex>)
            status: active
    enc0: flags=41<UP,RUNNING> metric 0 mtu 1536
            nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
            groups: enc

    Therefore, all filtering rules are created on the IPsec tab (including for VTI).

  • Traffic slow one direction to AWS VPC

    No one has replied
  • Forward all public IP traffic to a remote server via IPsec

    2 Posts

    @AceStrider1 said in Forward all public IP traffic to a remote server via IPsec:

    10.30.10.31

    Hello
    To solve this problem, I would recommend that you use a routed connection type.
    For example, OpenVPN, GRE over IPsec or VTI.
    Then it will be possible to redirect all traffic coming in on 64.64.64.26 to the server 10.30.10.31.
    It is necessary to use NAT OUTBOUND on the tunnel interface, because otherwise the traffic from 10.30.10.31 will return through 32.32.32.32.
    This is a feature of the PF implementation (the reply-to function does not work on virtual interfaces).

    Here is an example of traffic forwarding and using outgoing NAT (Linux iptables)
    through a GRE tunnel.
    37.XXX.YYY.ZZZ = 64.64.64.25
    192.168.1.230 = 10.30.10.31
    10.10.100.2 = internal IP address of the GRE interface.
    prerouting = port forwarding
    postrouting = NAT OUTBOUND

    *nat
    :PREROUTING ACCEPT [0:0]
    -A PREROUTING -d 37.XXX.YYY.ZZZ -p tcp -m multiport --destination-port 25,465,587,993 -j DNAT --to-destination 192.168.1.230
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o tun100 -p tcp -m multiport --destination-port 25,465,587,993 -d 192.168.1.230 -j SNAT --to-source 10.10.100.2

  • IPsec Tunnel Phase 2 NAT doesn't work

    2 Posts

    Issue resolved.
    It seems that AES-256 doesn't translate NAT/BINAT with DH-Group 2.
    I changed the DH-Group to 14 and the issue was solved.

  • Setting up an IKEv2/IPsec VPN on SG-3100 to route all internet traffic

    No one has replied
  • IPSEC messages and behavior has me confused

    6 Posts

    Encountered the same error messages and symptoms. I had misconfigured the PFS on one of the Phase 2 connections. Setting both to the same option resolved the issue.

  • pfsense as IPSec client

    3 Posts
    JeGr

    What I want to do is to remove the requirement for my PC at home to have to connect manually as a client when I want to access my work's VPN.

    Doing so without having (written) permission from your company or institution would most certainly break several guidelines or compliance rules. And I can tell you that network/security/IT guys wouldn't be very happy with you if they found out that you simply hooked your full home network into their corporate network. You simply don't. Had to do that 15y ago for a CEO. He nearly wiped out his company network by his son running amok on his private network that he forced us to hook into the corporate one. Simply no.

  • IPsec failover - without dyndns

    3 Posts

    It is a pretty old post, but I would like to add what I did recently (not perfect, but working to some level); feedback would be nice to make it perfect.
    What I did is mentioned below.

    ON LOCAL SIDE: Create a gateway group on the pfSense, i.e. GW1_GW2; change priority to Tier 1 & Tier 2 respectively.
    Assume Tier 1 GW IP is 10.10.10.10
    Assume Tier 2 GW IP is 20.20.20.20
    Local Subnet: 172.16.0.0/24

    Create Phase 1 & assign the GW1_GW2 gateway group as the interface for IPsec
    GW1_10.10.10.10 (Primary-Alive)
    GW2_20.20.20.20 (Secondary-idle)
    Add Phase 2: Local Subnet --> 172.16.0.0/24 <--- Remote Subnet: 192.168.0.0/24

    ON REMOTE SIDE: Configure two tunnels
    Phase 1 for 10.10.10.10 --> Phase 2 Local Subnet: 192.168.0.0/24 <-- Remote Subnet 172.16.0.0/24 (Primary-Alive)
    Phase 1 for 20.20.20.20 --> Phase 2 Local Subnet: 192.168.0.0/24 <-- Remote Subnet 172.16.0.0/24 (Secondary-idle)

    Now the tunnel will establish using the Tier 1 IP as peer IP; if the Tier 1 connection is down, it'll establish using the Tier 2 IP.
    I have tested this scenario and it works fine: it fails over to the Tier 2 IP, but when the Tier 2 IP is also down OR the Tier 1 IP is back online, it won't switch back to the Tier 1 IP. To force the change I have to restart the IPsec service.

    Is there any way to force an IPsec service reload upon disconnection?

  • Disconnected phase 2 IPsec pfSense 2.4.4 - FortiGate

    11 Posts

    @Konstanti Thank you Konstanti. The problem is resolved with:
    - Enable Replay Detection checked
    - Enable Perfect Forward Secrecy checked
    - Auto-Negotiated checked

  • Need help with phase 2 to Juniper SSG

    2 Posts

    I finally got it to work; roughly these are the settings (I know they are the least secure, but they work):
    P1: 3des, md5, dh 2
    P2: 3des, md5, dh 2, esp
    aggressive: yes
    DPD: yes
    monitor MUST be used. autokey ike advanced: check vpn monitor + optimized + rekey
    set proxy-id to class C networks

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.