I can ping both directions but only access servers one way...?
-
@viragomann Yes, site C being the pfsense side, the only thing to do there is to set the static route 172.168.1.0/24 to the IPSecVTI Gateway that was automagically created.
On Sophos it looks pretty similar and it's been quite obvious when setting this up a few times that whenever I forgot this part, I don't get near where I am now...
-
I have been trying to go through the logs in Sophos as well and everything I can find on that side shows green as in all packets are passed by the correct fw and nat rules for this.
-
When trying to log in via SSH on a Linux machine on Site C , I get the following...
Simlar to before but it looks like there is a response initally from 192.168.1.31?
-
@Gblenn
So even if the destination machine was sending an ACK, the SYN packet is re-transmitted.I'd suspect, that the ACK packet does not arrive at the machine, which initiated the connection. But why?
BTW: I noticed, that the LAN at A is a public network range.
However, this shouldn't matter if the routes are added properly. -
@viragomann said in I can ping both directions but only access servers one way...?:
@Gblenn
So even if the destination machine was sending an ACK, the SYN packet is re-transmitted.It appears that way doesn't it... however having run the same test again several times I don't see the ACK coming back. So perhaps it was an anomaly?
I'd suspect, that the ACK packet does not arrive at the machine, which initiated the connection. But why?
BTW: I noticed, that the LAN at A is a public network range.
However, this shouldn't matter if the routes are added properly.Ah you are right, it is in the public IP range... I made the simplest possible change from 192 to 172 and I should have changed to 16 as well. But I don't suppose pfsense would care? And it's working towards site B anyway...
I started thinking there was some sync issue since site A and C are connected via a switch. Site A is for testing purposes at the moment. But latency is below 1 ms when pinging between them. So I added a limiter in order to add a bit of latency to get it closer to what I have between the other sites, but that doesn't seem to change things.
-
I have sort of given up on getting this to work, for now at least. Ended up deploying Wireguard on a VM on the Sophos LAN and have a connection going that way instead...
-
@viragomann
So this is definitely a 24.03 thing since a change to 2.7.2 solved the issue immediately... No change in the configuration on either side, just a switch to CE.
And I guess I have to see if the patches I just found out about for IPsec VTI will fix the issue. -
And now it's working also on 24.03 after implementing patches for Redmine #15449, #15430 and #15606...
-
@Gblenn
Great info. Thanks.
I never had this issue, even running multiple IPSec site-to-site connections to other routers than pfSense and didn't apply IPSec patches. -
@viragomann Well, first time I have used IPSec since Sophos doesn't do WG...
One thing to note though, this is Routed VTI connection, which is different from "Tunnel IPv4" that you have as default Mode in pfsense...
-
@Gblenn
Ah ya, you mentioned above.
I never set up a VTI to be honest, I just have some small knowledge about from the docs. -
@viragomann Well, since I couldn't get the default one to work, I tried VTI and it worked. Not sure what I did wrong with the other method but I did find VTI a bit more like the WG tunnels I have set up in the past. With the gateway and routing settings at least...
-
G Gblenn referenced this topic on