• 0 Votes
    26 Posts
    4k Views
    S

    @Konstanti

    I attach a network diagram of my setup to make it clearer.

    This is what is weird: when I connect to the VPN from my phone on 4G (option 1 in the attached diagram), I don't get any errors, just timeouts. I can access everything on the internal LAN and internet, except that I cannot log in to certain webservices. When I enter my password and press login, it just stalls - the browser says it is "thinking / loading" and then nothing happens. After a long time I get a "Server not found" error in the browser.

    However, when I am on my phone on the internal wifi over the VPN (option 2), then I click login and get redirected instantly to the dashboard of the webapp. I can also reach the webapp from outside my network as I have a reverse proxy (option 3), and this works fine.

    The reason I want to set up the Mobile IPSec VPN is that I want to close down the reverse proxy I have set up so that I can only access my webservices over the VPN and not anymore expose them directly to the internet.


  • IPSec VTI: IPv4 Working/IPv6 NFW

    5
    0 Votes
    5 Posts
    971 Views
    MMapplebeckM

    I'm assuming this is a feature that just isn't supported by pfSense yet then. That would be a safe assumption, since VTI was just introduced in 2.4.4. I'm going to test the native IPv6 P1 and see if that changes anything; if not, I'll look at some other manner of carrying and distributing my IPv6 routes. I may just end up using a GIF tunnel for my IPv6, and I should still be able to use OSPF6 on the GIF interface.

  • IPSec Mobile VPN client cannot go to OPT1 network

    5
    0 Votes
    5 Posts
    1k Views
    DerelictD

    Yup. Windows 10 requires manual manipulation of the client routes in powershell.

    It's an extremely helpful feature. 🙄

  • IPSEC VTI disable gateway monitoring ?

    1
    0 Votes
    1 Posts
    309 Views
    No one has replied
  • 0 Votes
    3 Posts
    2k Views
    cukalC

    I click disconnect & reconnect a few times and with some luck out of 6 clicks it will register/enable the 4 P2's.

  • IPSec not following config

    6
    0 Votes
    6 Posts
    5k Views
    M

    Fixed it, Layer 8 issue... 🤦
    Somehow mixed up the public IP addresses of the phase 1 on the Azure side.

    Thanks for the help though :)

  • Phase 2 Not starting until remote sends traffic

    2
    0 Votes
    2 Posts
    482 Views
    DerelictD

    The current defaults should be good.

    The current defaults are IKE SA, IKE CHILD SA, and Configuration Backend to Diag. Everything else Control.

  • INVALID_IKE_SPI from Cisco ASA

    1
    0 Votes
    1 Posts
    362 Views
    No one has replied
  • IPSec Speed maxing at about 25mbps

    3
    0 Votes
    3 Posts
    535 Views
    F

    Thanks, it increased to about 27-28mbps average with peaks of 30mbps

    Any more tips to squeeze a little more speed? Thanks!

  • routing specific packets through IPSEC gre tunnel

    2
    0 Votes
    2 Posts
    808 Views
    K

    @vistatech said in routing specific packets through IPSEC gre tunnel:

    10.1.1.20

    Hey
    And why is outgoing NAT used?
    Try disabling it. I have a similar scheme and everything works fine without NAT.
    The question is: can pfSense ping the host 10.1.1.20?

  • IPSEC pfSense to Sonicwall using RSA certificates

    2
    0 Votes
    2 Posts
    447 Views
    johnpozJ

    Have not used SonicWall in many many years. But since I create pfx files with openssl all the time and use them on other devices for road warrior connections (iOS devices, for example), it shouldn't be a problem. An openvpn client is an openvpn client in the big picture.

  • Restrict access for certain VPN users?

    15
    0 Votes
    15 Posts
    3k Views
    NogBadTheBadN

    Or you could just use FreeRadius like I suggested and not have to mess about with text files.

  • 0 Votes
    25 Posts
    3k Views
    DerelictD

    @lmhaydii said in IPSec connection established and trafic is outgoing, but no ongoing response:

    @derelict thank you. How can I determine with certitude that their response or their request is not arriving at my firewall? Is there any command to show that?

    Yes. A packet capture. You have done that. That would be enough for me.

    If you want more certainty, pcap on WAN for protocol ESP. You will see your pings (encrypted) go out but nothing come back from their side.

    If you are going across NAT (NAT-T) you will need to capture UDP 4500 instead of protocol ESP.

  • Question about throughput

    6
    0 Votes
    6 Posts
    2k Views
    DerelictD

    32ms across IPsec?

    If so it sounds like you're getting right about what you should for a single-stream TCP session with 32ms latency and a 128KB buffer.

    That is probably a little high since you have the 30Mbit upstream at one end and certainly not a 1460 MSS across IPsec.

    Bandwidth-delay Product and buffer size
    BDP (1000 Mbit/sec, 32.0 ms) = 4.00 MByte
    required tcp buffer to reach 1000 Mbps with RTT of 32.0 ms >= 3906.2 KByte
    maximum throughput with a TCP window of 128 KByte and RTT of 32.0 ms <= **32.77 Mbit/sec.**

    You could try giving a -P4 or -P8 to the iperf client to see if running multiple streams helps.

    Or switch to UDP and see how high you can take the -b parameter before you start experiencing loss.

  • IPsec VTI with Palo Alto

    18
    0 Votes
    18 Posts
    5k Views
    Y

    @mountainlion

    I'm using 1200 as MSS because it's required by my datacenter (DoS Protection)

  • Routing to a specific host via IPSec

    3
    0 Votes
    3 Posts
    468 Views
    4

    Thanks.

    Turns out running an outdated pfSense version wasn't helping my case.

    Now I just need to figure out how to set it up so it works with Azure.

  • IPsec dropping

    3
    0 Votes
    3 Posts
    1k Views
    DerelictD

    You mean like this?

    https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html

  • IPSec VPN from pfSense to Cisco 1941 dropping connection (redacted)

    11
    0 Votes
    11 Posts
    1k Views
    DerelictD

    Jan 11 10:21:26 charon 05[NET] <con1000|17> received packet: from 173.220.x.x[500] to 50.196.x.x[500] (380 bytes)
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> parsed QUICK_MODE request 3356035729 [ HASH SA No KE ID ID ]
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> received HASH payload does not match
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> integrity check failed
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> generating INFORMATIONAL_V1 request 3233859265 [ HASH N(INVAL_HASH) ]
    Jan 11 10:21:26 charon 05[NET] <con1000|17> sending packet: from 50.196.x.x[500] to 173.220.x.x[500] (76 bytes)
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> QUICK_MODE request with message ID 3356035729 processing failed
    Jan 11 10:21:26 charon 05[NET] <con1000|17> received packet: from 173.220.x.x[500] to 50.196.x.x[500] (92 bytes)
    Jan 11 10:21:26 charon 05[ENC] <con1000|17> parsed INFORMATIONAL_V1 request 2703109558 [ HASH D ]
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> received DELETE for IKE_SA con1000[17]
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> deleting IKE_SA con1000[17] between 50.196.x.x[50.196.x.x]...173.220.x.x[173.220.x.x]
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: ESTABLISHED => DELETING
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: DELETING => DELETING
    Jan 11 10:21:26 charon 05[IKE] <con1000|17> IKE_SA con1000[17] state change: DELETING => DESTROYING

    Your side does not like the traffic selector in the P2 being sent by the other side.

    Please send the output from each of these on each node - the one that's working and the one that isn't:

    swanctl --list-conns

    swanctl --list-sas

    cat /var/etc/ipsec/ipsec.conf

    Send them in chat or I can send you a nextcloud upload link.

  • IPSec VPN from pfSense to Cisco1941 dropping connection

    5
    0 Votes
    5 Posts
    507 Views
    T

    @konstanti The secondary Peer with the 96.65.x.x address is the office we setup to test the connection. The 96.65.x.x is the address for the SG-3100 that works, while the 50.196 address is the SG-3100 I'm having trouble with. The 173.220 address is the address for the Cisco router.

  • IPSEC tunnel config works on 2.4.3p1, not on 2.4.4p1

    4
    0 Votes
    4 Posts
    598 Views
    DerelictD

    @sgw said in IPSEC tunnel config works on 2.4.3p1, not on 2.4.4p1:

    seems like: we then tried swapping pfsenses again and additionally rebooted the Hitron "modem" in front of the pfsense. Tunnel came up immediately. So I assume there are some MAC-based filters built at bootup or something like that.

    Right. On the modem. You always have to reboot an upstream ISP device when you change the hardware behind it. Or at least it's a good idea especially if you have problems changing devices around.

    I usually:

    1. Disconnect the WAN patch cable between the modem and the WAN port.
    2. Power cycle the upstream device and let it sync up and "go green" again.
    3. Connect the modem to the new WAN port.

    This is primarily for normal US cable modems. Any ISP "Residential Gateway" might have other requirements.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.