Netgate 7100 22.01 Upgrade Broke VPN Traffic
-
I have a Netgate 7100 now running 22.01 that was upgraded over the weekend. There were no issues in the upgrade and it went smoothly. On this 7100, I have several Virtual IPs, and three VPNs set up. Two of those VPNs are IPSec and one is WireGuard, all site to site. The WireGuard VPN is to another Netgate device and the two IPSec terminate to Ubiquiti equipment.
All three of the VPNs are connected fine but none of them are passing traffic. I have OpenVPN (for mobile users) also set up and those clients are working without issue. It's just anything behind these three VPNs that seems to be having issues.
Other than the upgrade, no configuration changes have been made and nothing is showing in the logs, no blocked traffic, no issues on the VPNs.
Does anyone have a clue what to look for? I can't make heads or tails of it.
Edit: I've also opened a ticket with support but thought I'd try here as well.
-
There is an issue with VPNs on interfaces where VIPs exist:
https://redmine.pfsense.org/issues/11545
If they are using a VIP they will be fine. If they are using the interface IP it may fail. However the tunnel would fail to establish if that were the case.
Are the IPSec tunnels using policy or route mode?
Are they coming up at P1 and P2?
Anything shown blocked in the firewall logs?
Conflicting route been added?
Steve
-
@stephenw10 They are using VIPs. IPSec tunnels are route mode. P1 and P2 are up. Nothing is showing blocked in the logs and no routes have been added to my knowledge.
This was all working on 21.05.2
-
Replied on your ticket.
Just for reference the IPSec tunnels you have are policy based (tunnel mode).
And the issue looks like it's asymmetry from the 1:1 NAT rules acting on the VIPs IPSec is using. But we shall see when that is removed and the old states are cleared.
Steve
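Added example (not code from the thread or from Netgate): a small config check for the pattern Steve describes, a 1:1 NAT rule whose external address is a VIP that an IPsec tunnel uses as its endpoint or whose internal side overlaps the tunnel's local phase 2 network, so replies heading for the remote network leave with a translated source and no longer match the phase 2 selector. The NAT rules, VIPs and phase 2 entries are constructed sample data; the field names are this example's own, not pfSense's config schema.

```python
from ipaddress import ip_network

# Constructed sample data (not from the thread): 1:1 NAT mappings,
# keyed by the WAN virtual IP on the external side.
ONE_TO_ONE_NAT = [
    {"external": "203.0.113.10", "internal": "10.10.10.0/24"},
    {"external": "203.0.113.12", "internal": "10.10.30.0/24"},
]

# Constructed IPsec phase 2 entries: endpoint VIP, local and remote selectors.
IPSEC_P2 = [
    {"name": "site-a", "endpoint": "203.0.113.10",
     "local": "10.10.10.0/24", "remote": "192.168.50.0/24"},
    {"name": "site-b", "endpoint": "203.0.113.11",
     "local": "10.10.20.0/24", "remote": "192.168.60.0/24"},
]


def find_nat_asymmetry(nat_rules, p2_entries):
    """Flag phase 2 entries that a 1:1 NAT rule can interfere with.

    Two cases are reported per (tunnel, rule) pair:
      - the tunnel's endpoint VIP is the external side of the rule;
      - the tunnel's local network overlaps the rule's internal side, so
        outbound replies get a translated source and miss the selector.
    """
    findings = []
    for p2 in p2_entries:
        local = ip_network(p2["local"])
        for rule in nat_rules:
            internal = ip_network(rule["internal"])
            if rule["external"] == p2["endpoint"]:
                findings.append({
                    "tunnel": p2["name"], "vip": rule["external"],
                    "reason": "endpoint VIP is the external side of a 1:1 NAT rule",
                })
            if local.overlaps(internal):
                findings.append({
                    "tunnel": p2["name"], "vip": rule["external"],
                    "reason": (f"local network {local} is 1:1 NATed to "
                               f"{rule['external']}; replies to {p2['remote']} "
                               f"would leave with a translated source"),
                })
    return findings


if __name__ == "__main__":
    for f in find_nat_asymmetry(ONE_TO_ONE_NAT, IPSEC_P2):
        print(f"{f['tunnel']}: {f['reason']}")
```

Run it against the real VIP, NAT and phase 2 lists; a tunnel that appears in the output is one whose states are worth clearing once the conflicting rule is removed or narrowed.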
-
@stephenw10 Thanks for the clarification and I appreciate the help.