How to set SPD's/traffic selectors in IPsec?
-
@stephenw10 indeed I am
-
Hmm, that looks correct. What version of pfSense is that?
-
@stephenw10 2.6 the latest stable version
-
Try setting the tunnel subnet IPs as type 'Address'. They are a point-to-point connection and do not need to be set with a subnet like that.
Steve
-
@stephenw10 I just tried that, but it didn't help solve the problem.
-
Hmm, what you have there is exactly what I expect to see.
What does the config file look like after you edited it that allowed it to connect?
Are you able to see the config the other side used in AWS?
Steve
-
@stephenw10
I posted a picture of the relevant parts of the swanctl.conf file in the post above. The working solution contained the following lines:
remote_ts = 169.254.40.2/30,10.17.0.0/16
local_ts = 169.254.40.1/30,10.61.0.0/16
These latter addresses are the specifications for the local IP addresses for each network. Their network will internally have 10.17.0.0/16 and ours 10.61.0.0/16.
I asked them for access to their testing environment. Thank you already so much for your assistance!
-
Hmm, that is not a routed mode set of traffic selectors. Those networks should only exist in the routing table, not the IPsec config. In routed mode all traffic can be carried, hence 0.0.0.0/0 is set there.
You can try using policy based (tunnel mode) and just add two P2s for those two sets of subnets.
But the screenshot from the AWS test clearly shows it using 0.0.0.0/0. So maybe the other is not configured the same for your connection.
Does the other side try to establish the tunnel if you set your side to responder only? That can often provide useful log data to solve this sort of problem.
Steve
-
@stephenw10 Hi Steve,
the screen I posted earlier shows my p2 configuration. It is exactly the same as the screenshot they sent me except they had "Address" instead of "Network" in their select-element, like you suggested. So I tried that too, but it didn't change anything.
@fonzane said in How to set SPD's/traffic selectors in IPsec?:
Is it possible to use a policy based tunnel with bgp routing?
@stephenw10 said in How to set SPD's/traffic selectors in IPsec?:
But the screenshot from the AWS test clearly shows it using 0.0.0.0/0. So maybe the other is not configured the same for your connection.
That's something I don't understand at all...
The other side doesn't try to establish the VPN connection. They sent me their logs which I put in the first post. It's just the traffic selectors as it seems. When I once managed to manually edit the config, everything worked. Here is also a screenshot of the connection status when I manually edited the swanctl.conf with:
remote_ts = 169.254.40.2/30,10.17.0.0/16
local_ts = 169.254.40.1/30,10.61.0.0/16
Btw. is there a way to disable IPv6 for this?
-
Yes, you can add those two sets of subnets as P2s in a policy based config and it will work. The BGP session will use the APIPA addresses and the routed traffic will be carried by the other P2. It will of course fail if BGP passes other routes since they are not carried.
To allow traffic to/from those APIPA addresses, which are blocked by default, be sure to enable it:
https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#allow-apipa
Steve
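To make the difference between the two selector styles in this thread concrete, here is an added Python example (not from the forum posts, pfSense or strongSwan) that parses constructed swanctl.conf child blocks and does the selector lookup the kernel SPD does for a src/dst pair: with 0.0.0.0/0 everything is carried, while with policy based P2s a route BGP learns outside the listed subnets finds no matching child SA. The child names and addresses are constructed sample values.

```python
import ipaddress
import re

# Constructed swanctl.conf child blocks (sample input, not from the thread). Routed mode:
ROUTED_MODE = """
children {
    routed {
        local_ts = 0.0.0.0/0
        remote_ts = 0.0.0.0/0
    }
}
"""
# Policy based: one P2 for the APIPA/BGP addresses, one P2 for the two LANs.
POLICY_BASED = """
children {
    bgp {
        local_ts = 169.254.40.1/30
        remote_ts = 169.254.40.2/30
    }
    lan {
        local_ts = 10.61.0.0/16
        remote_ts = 10.17.0.0/16
    }
}
"""

def parse_children(conf):
    """Return {child_name: (local_ts networks, remote_ts networks)}."""
    children = {}
    for m in re.finditer(r"(\w+)\s*\{([^{}]*)\}", conf):  # innermost { } blocks only
        name, body = m.group(1), m.group(2)
        ts = {}
        for key in ("local_ts", "remote_ts"):
            km = re.search(rf"{key}\s*=\s*([^\n]+)", body)
            if km:  # strict=False: 169.254.40.1/30 means the /30 it lies in
                ts[key] = [ipaddress.ip_network(s.strip(), strict=False)
                           for s in km.group(1).split(",")]
        if ts:
            children[name] = (ts.get("local_ts", []), ts.get("remote_ts", []))
    return children

def spd_lookup(children, src, dst):
    """Name of the child SA whose selector pair carries src -> dst, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (local, remote) in children.items():
        if any(src in n for n in local) and any(dst in n for n in remote):
            return name
    return None
```

`spd_lookup(parse_children(POLICY_BASED), "10.61.1.1", "10.99.0.5")` returns None because no P2 covers that destination, whereas the same lookup against ROUTED_MODE returns "routed".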