
    How to set SPD's/traffic selectors in IPsec?

    Scheduled Pinned Locked Moved General pfSense Questions
    14 Posts 2 Posters 2.0k Views
    fonzane:

      Hello everyone,

      I'm trying to establish a dynamically routed IPsec-Tunnel between two sites. The remote site throws the error at me that the traffic selectors are unacceptable:
      Peer proposed traffic-selectors are not in configured range.
      local-ip: ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff), remote-ip: ipv4(0.0.0.0-255.255.255.255),ipv6(::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff).

      I find these traffic selectors in the swanctl.conf file:

      con1 {
        ...
        children {
          con1 {
            ...
            remote_ts = 169.254.40.2/30,0.0.0.0/0,::/0
            local_ts = 169.254.40.1/30,0.0.0.0/0,::/0
            ...
          }
        }
      }
      

      The first two IP-addresses are correct, I specify them in the P2-entry. But I can't figure out how to configure the other ranges. I once manually edited the config file and added the correct addresses (which I shouldn't) and the connection got established successfully.

      But how can I configure the traffic selectors in the WebGUI? I found some information in the SPD-Tab under Status > IPsec > SPD's:

      [screenshot of Status > IPsec > SPDs]

      Any help will be greatly appreciated!

      stephenw10 (Netgate Administrator):

        In route based IPSec the tunnel can carry any traffic so the traffic selectors show that.

        Are you sure you want route based? The actual established tunnel shows it carrying only a /16 from each side and the APIPA transport. That looks more like policy based IPSec.

        What is it connecting to?

        Steve

        fonzane (replying to stephenw10):

          Hello @stephenw10 thank you for your answer.

          Yes, I'm supposed to build an IPsec connection to a remote end via VTI because it is supposed to use BGP as its routing protocol. I don't know what device I'm connecting to as it is in the hands of the Telekom. They built a testing environment on AWS using pfSense and a route based IPsec tunnel and made a successful connection.

          This is how it looks for them:
          [screenshot of their P2 configuration]

          And this is how it looks for me:
          [screenshot of my P2 configuration]

          I copied their P1 and P2 configurations. I'm confused...

          stephenw10 (Netgate Administrator):

            What does your P2 config look like? It looks like you might not be using routed mode.

            fonzane (replying to stephenw10):

              @stephenw10 indeed I am
              [screenshot of the P2 configuration]

              stephenw10 (Netgate Administrator):

                Hmm, that looks correct. What version of pfSense is that?

                fonzane (replying to stephenw10):

                  @stephenw10 2.6, the latest stable version

                  stephenw10 (Netgate Administrator):

                    Try setting the tunnel subnet IPs as type 'Address'. They are a point to point connection and do not need to be set with a subnet like that.

                    Steve

                    fonzane (replying to stephenw10):

                      @stephenw10 I just tried that, but it didn't help solve the problem.

                      [screenshot of the P2 configuration with type 'Address']

                      stephenw10 (Netgate Administrator):

                        Hmm, what you have there is exactly what I expect to see.

                        What does the config file look like after you edited it that allowed it to connect?

                        Are you able to see the config the other side used in AWS?

                        Steve

                        fonzane (replying to stephenw10):

                          @stephenw10
                          I posted a picture of the relevant parts of the swanctl.conf file in the post above.

                          The working solution contained the following lines:

                          remote_ts = 169.254.40.2/30,10.17.0.0/16
                          local_ts = 169.254.40.1/30,10.61.0.0/16
                          

                          These latter addresses are the specifications for the local ip-addresses for each network. Their network will internally have 10.17.0.0/16 and ours 10.61.0.0/16.

                          I asked them for access to their testing environment. Thank you already so much for your assistance!

                          stephenw10 (Netgate Administrator):

                            Hmm, that is not a routed mode set of traffic selectors. Those networks should only exist in the routing table, not the IPsec config. In routed mode all traffic can be carried, hence 0.0.0.0/0 is set there.

                            You can try using policy based (tunnel mode) and just add two P2s for those two sets of subnets.

                            But the screenshot from the AWS test clearly shows it using 0.0.0.0/0. So maybe the other is not configured the same for your connection.

                            Does the other side try to establish the tunnel if you set your side to responder only? That can often provide useful log data to solve this sort of problem.

                            Steve

                            fonzane (replying to stephenw10):

                              @stephenw10 Hi Steve,

                              the screen I posted earlier shows my p2 configuration. It is exactly the same as the screenshot they sent me except they had "Address" instead of "Network" in their select-element, like you suggested. So I tried that too, but it didn't change anything.

                              @fonzane said in How to set SPD's/traffic selectors in IPsec?:

                              [screenshot of the P2 configuration]

                              Is it possible to use a policy based tunnel with bgp routing?

                              @stephenw10 said in How to set SPD's/traffic selectors in IPsec?:

                              But the screenshot from the AWS test clearly shows it using 0.0.0.0/0. So maybe the other is not configured the same for your connection.

                              That's something I don't understand at all...

                              The other side doesn't try to establish the VPN connection. They sent me their logs, which I put in the first post. It's just the traffic selectors, as it seems. When I once managed to manually edit the config, everything worked. Here is also a screenshot of the connection status when I manually edited the swanctl.conf with

                              remote_ts = 169.254.40.2/30,10.17.0.0/16
                              local_ts = 169.254.40.1/30,10.61.0.0/16
                              

                              [screenshot of the established connection status]

                              Btw. is there a way to disable IPv6 for this?

                              stephenw10 (Netgate Administrator):

                                Yes, you can add those two sets of subnets as P2s in a policy based config and it will work. The BGP session will use the APIPA addresses and the routed traffic will be carried by the other P2. It will of course fail if BGP passes other routes, since they are not carried.

                                To allow traffic to/from those APIPA addresses, which are blocked by default, be sure to enable it:
                                https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#allow-apipa

                                Steve

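The thread turns on whether the remote device narrows pfSense's 0.0.0.0/0 selectors or only accepts proposals that already fit its configured range. The following script is an added illustration (not pfSense, strongSwan or either poster's code) that runs both swanctl.conf variants from the thread through a modelled responder; the peer's configured ranges (assumed to mirror the hand-edited lines that worked) and its "strict" matching behaviour are assumptions.

```python
"""Model of an IKEv2 responder's traffic-selector (TS) check, built from the
swanctl.conf values in this thread.  Assumption: the remote device only accepts
proposals lying fully inside its configured range ('strict'); RFC 7296 narrowing
is computed alongside for comparison."""
import ipaddress

def parse_ts(ts: str):
    """Parse a swanctl-style TS list such as '169.254.40.1/30,0.0.0.0/0,::/0'
    (strict=False turns 169.254.40.1/30 into the subnet 169.254.40.0/30)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in ts.split(",") if p.strip()]

def narrow(proposed, configured):
    """RFC 7296 narrowing: keep the overlap of every same-family pair
    (CIDR blocks are either nested or disjoint, so overlap = the smaller one)."""
    out = set()
    for p in proposed:
        for c in configured:
            if p.version != c.version:
                continue
            if p.subnet_of(c):
                out.add(p)
            elif c.subnet_of(p):
                out.add(c)
    return sorted(out, key=lambda n: (n.version, int(n.network_address), n.prefixlen))

def negotiate(proposed, configured, strict=False):
    """TS set the responder accepts, or [] when it rejects the CHILD_SA.
    strict=True: every proposed selector must sit inside a configured one."""
    if strict and not all(any(p.version == c.version and p.subnet_of(c)
                              for c in configured) for p in proposed):
        return []
    return narrow(proposed, configured)

def check_thread_configs():
    """Try the routed-mode and the hand-edited policy-style selectors from the
    thread against an assumed peer whose ranges mirror the working config."""
    peer_local = parse_ts("169.254.40.2/30,10.17.0.0/16")   # assumed peer side
    peer_remote = parse_ts("169.254.40.1/30,10.61.0.0/16")  # assumed peer side
    variants = {
        "routed": ("169.254.40.1/30,0.0.0.0/0,::/0", "169.254.40.2/30,0.0.0.0/0,::/0"),
        "policy": ("169.254.40.1/30,10.61.0.0/16", "169.254.40.2/30,10.17.0.0/16"),
    }
    results = {}
    for name, (local_ts, remote_ts) in variants.items():
        for mode in ("strict", "narrowing"):
            s = mode == "strict"
            # pfSense's local_ts is matched against the peer's remote range and vice versa
            ok = bool(negotiate(parse_ts(local_ts), peer_remote, s)
                      and negotiate(parse_ts(remote_ts), peer_local, s))
            results[(name, mode)] = ok
    return results
```

Calling check_thread_configs() shows the routed selectors are accepted only when the peer narrows; a peer that insists on an exact fit rejects them, which matches the error quoted in the first post.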
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.