Netgate Discussion Forum
    IPsec tunnel established, no traffic passing through

    • tacfit

      I followed the tutorial for creating an IPsec tunnel between a static and a dynamic IP. The tunnel is up, and I can see the IPsec status on both ends, however I can't pass any traffic through it. Specifically, I've been trying to ping things on either side, and nothing is going through.

      I've got wide open rules on the IPSec interface on both ends. (* * *  * kinda rules.) Is there something else I'm missing?

      I'm using 1.2 Beta 1.

      • tacfit

        I'm seeing in the logs of my static end:

        racoon: ERROR: such policy does not already exist: "192.168.0.0/22[0] 192.168.5.0/24[0] proto=any dir=out"
        racoon: ERROR: such policy does not already exist: "192.168.5.0/24[0] 192.168.0.0/22[0] proto=any dir=in"

        • tacfit

          Any suggestions?

          • tacfit

            In lieu of any advice, I've checked everything over and over again. I can see the connection being made in the IPSec logs:

            racoon: ERROR: such policy does not already exist: "192.168.0.0/22[0] 192.168.5.0/24[0] proto=any dir=out"
            Jul 23 12:17:25 racoon: ERROR: such policy does not already exist: "192.168.5.0/24[0] 192.168.0.0/22[0] proto=any dir=in"
            Jul 23 12:17:25 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.1.5[0]->99.247.78.40[0] spi=240462761(0xe552ba9)
            Jul 23 12:17:25 racoon: INFO: IPsec-SA established: ESP/Tunnel 99.247.78.40[0]->10.0.1.5[0] spi=86219520(0x5239b00)
            Jul 23 12:17:25 racoon: INFO: no policy found, try to generate the policy : 192.168.5.0/24[0] 192.168.0.0/22[0] proto=any dir=in
            Jul 23 12:17:25 racoon: INFO: respond new phase 2 negotiation: 10.0.1.5[0]<=>99.247.78.40[0]
            Jul 23 12:17:25 racoon: INFO: ISAKMP-SA established 10.0.1.5[500]-99.247.78.40[500] spi:b21b37234f24d7b4:9d3b249a236f8242
            Jul 23 12:17:25 racoon: INFO: received Vendor ID: DPD
            Jul 23 12:17:25 racoon: INFO: begin Aggressive mode.
            Jul 23 12:17:25 racoon: INFO: respond new phase 1 negotiation: 10.0.1.5[500]<=>99.247.78.40[500]

            (displayed backwards, most recent at top). On the other firewall things look good too, but still I can't get any traffic to go across.

            On the dynamic IP pfsense, I've created wide open rules for all the interfaces. On the static pfsense I've made a wide open rule for IPSec only, and don't know if anything else is necessary.

            • hoba

              Why does one of the ends have a private IP address? Is there some double NATting going on, and is one end behind another router/firewall? If so, make sure this router supports IPSEC passthrough.

              • tacfit

                My static end is behind a router provided by my ISP. There's no security on it, it's wide open.

                • hoba

                  It must be at least NATting, which can cause problems as you have a private IP behind it.
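A small triage script, added here as an example and not code from the thread or from pfSense: it runs over a constructed sample of racoon log lines in the same shape as the ones tacfit posted above and flags the two symptoms the thread turns on, subnet pairs for which racoon reported no SPD policy, and an SA endpoint that is an RFC 1918 address (hoba's double-NAT point). The log sample, the regexes and the function names are my own assumptions.

```python
import ipaddress
import re

# Constructed sample in the shape of the racoon lines quoted in the thread (newest first).
SAMPLE_LOG = """\
Jul 23 12:17:25 racoon: ERROR: such policy does not already exist: "192.168.0.0/22[0] 192.168.5.0/24[0] proto=any dir=out"
Jul 23 12:17:25 racoon: ERROR: such policy does not already exist: "192.168.5.0/24[0] 192.168.0.0/22[0] proto=any dir=in"
Jul 23 12:17:25 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.0.1.5[0]->99.247.78.40[0] spi=240462761(0xe552ba9)
Jul 23 12:17:25 racoon: INFO: IPsec-SA established: ESP/Tunnel 99.247.78.40[0]->10.0.1.5[0] spi=86219520(0x5239b00)
Jul 23 12:17:25 racoon: INFO: no policy found, try to generate the policy : 192.168.5.0/24[0] 192.168.0.0/22[0] proto=any dir=in
Jul 23 12:17:25 racoon: INFO: ISAKMP-SA established 10.0.1.5[500]-99.247.78.40[500] spi:b21b37234f24d7b4:9d3b249a236f8242
"""

# "such policy does not already exist" names the two phase 2 subnets and the direction.
POLICY_RE = re.compile(
    r'such policy does not already exist: "([\d./]+)\[\d+\] ([\d./]+)\[\d+\] proto=\S+ dir=(in|out)"')
# "IPsec-SA established" names the two outer tunnel endpoints.
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel ([\d.]+)\[\d+\]->([\d.]+)\[\d+\]")


def triage_racoon_log(text):
    """Collect missing-policy subnet pairs and any SA endpoint that is an RFC 1918 address."""
    findings = {"missing_policies": [], "private_endpoints": set(), "sa_established": False}
    for line in text.splitlines():
        m = POLICY_RE.search(line)
        if m:
            src, dst, direction = m.groups()
            findings["missing_policies"].append((src, dst, direction))
            continue
        m = SA_RE.search(line)
        if m:
            findings["sa_established"] = True
            for endpoint in m.groups():
                if ipaddress.ip_address(endpoint).is_private:
                    findings["private_endpoints"].add(endpoint)
    return findings


def diagnose(findings):
    """Turn the findings into the checks an admin would make next."""
    hints = []
    if findings["sa_established"] and findings["private_endpoints"]:
        hints.append("SA built to private endpoint(s) %s: a NAT sits between the peers, so the "
                     "intermediate router must pass IPsec (ESP, or UDP 4500 with NAT-T)"
                     % ", ".join(sorted(findings["private_endpoints"])))
    if findings["missing_policies"]:
        pairs = {tuple(sorted(p[:2])) for p in findings["missing_policies"]}
        hints.append("kernel SPD had no entry for %d subnet pair(s): check that the phase 2 "
                     "local/remote networks match on both ends" % len(pairs))
    return hints
```

Running `diagnose(triage_racoon_log(SAMPLE_LOG))` on the sample yields both hints; pointing it at a real IPsec log from Status > System Logs would show which of the two applies.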
