Netgate Discussion Forum

VPN established but no traffic through the tunnel

2.0-RC Snapshot Feedback and Problems - RETIRED
25 Posts 7 Posters 12.3k Views
morbus, Nov 5, 2008, 10:48 AM (last edited Nov 5, 2008, 7:24 PM)

Mine is

    # sysctl net.enc
    net.enc.out.ipsec_bpf_mask: 0000000000
    net.enc.out.ipsec_filter_mask: 0000000000
    net.enc.in.ipsec_bpf_mask: 0000000000
    net.enc.in.ipsec_filter_mask: 0x00000002

I think net.enc.out.ipsec_filter_mask should be 1 rather than 0, as this fixes it on mine:

    sysctl net.enc.out.ipsec_filter_mask=0x00000001

eri--, Nov 5, 2008, 2:09 PM

0 should disable filtering altogether on outgoing packets, since you really cannot write rules for outgoing packets except from the floating rules tab.

jzsjr, Nov 5, 2008, 9:06 PM

Here is mine:

[attachment: vpnissue.jpg]

Accounts, Nov 5, 2008, 9:12 PM

Mine's the same, jzsjr... Same problem as the rest in this topic.

sullrich, Nov 5, 2008, 9:58 PM

Try changing the sysctl's to:

    sysctl net.enc.out.ipsec_bpf_mask=0x00000002
    sysctl net.enc.out.ipsec_filter_mask=0x00000002
    sysctl net.enc.in.ipsec_bpf_mask=0x00000001
    sysctl net.enc.in.ipsec_filter_mask=0x00000001

jzsjr, Nov 5, 2008, 10:03 PM

Where does one change this?

sullrich, Nov 5, 2008, 10:07 PM

From a shell or SSH session (option 8), or from Diagnostics -> Command -> Shell command.

eri--, Nov 5, 2008, 10:09 PM

Upgrade to the latest snapshot.

jzsjr, Nov 5, 2008, 10:14 PM

Okay. I wasn't sure if it was a command or located in sysctl.conf (but there is nothing really in that file).

thanks,
Jim

jzsjr, Nov 5, 2008, 10:32 PM

Thanks Sullrich. Those commands did the trick.

Ermal, not sure what is up with the auto updater now, but this is what I get:

    Auto upgrade aborted.
    Downloaded SHA256:
    Needed SHA256: bad9308e0d492d9701e60766cf747777024b005cdad4819bba193fa8d7a6dfa8

Also I don't know where the 2.0 files are now for a manual upgrade. When I go to the old listing under _1 I see 1.2.1 files.

thanks,
Jim

eri--, Nov 5, 2008, 10:38 PM

Those 1.2.1 files should be the 2.0 updates; not sure why they are called 1.2.1!

jzsjr, Nov 9, 2008, 8:56 PM

Sullrich & Ermal,

Latest snapshot shows:

    $ sysctl net.enc
    net.enc.out.ipsec_bpf_mask: 0000000000
    net.enc.out.ipsec_filter_mask: 0x00000002
    net.enc.in.ipsec_bpf_mask: 0000000000
    net.enc.in.ipsec_filter_mask: 0x00000001

Should they show what Sullrich suggested earlier in this thread?

thanks,
Jim

eri--, Nov 9, 2008, 10:05 PM (last edited Nov 9, 2008, 10:07 PM)

To me, the ones not set are just considered debugging options (tcpdump on enc0). So while debugging it makes sense to enable those; otherwise it is just 'overhead'.
Since 2.0 allows you to set such values from the GUI, I consider them unnecessary.

jzsjr, Apr 6, 2009, 11:36 PM

I am using:

    2.0-ALPHA-ALPHA
    built on Fri Apr 3 21:18:02 EDT 2009
    FreeBSD 7.1-RELEASE-p4

and am still afflicted with the VPN tunnel staying up but no data passing. There was a fix provided by Sullrich earlier in this thread, and I hope it still works, though I'm not really sure what it does. This is happening to a colleague of mine too. We have used both the full install on a server base and the embedded install, with the same results. The VPN will work wonderfully for hours and then just stop passing data. I have gotten to the point where I merely reboot the racoon service now. I have recently updated, so I'll apply the commands below and see how they go again. I was hoping someone could explain what these commands accomplish and why they might not be permanently changed in a release.

    sysctl net.enc.out.ipsec_bpf_mask=0x00000002
    sysctl net.enc.out.ipsec_filter_mask=0x00000002
    sysctl net.enc.in.ipsec_bpf_mask=0x00000001
    sysctl net.enc.in.ipsec_filter_mask=0x00000001

thanks,
Jim

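Ermal's remark that the unset masks are only debugging options, and Jim's question about what the four sysctl commands actually accomplish, both come down to what each bit in the net.enc masks means. The script below is an added example, not code from this thread or from pfSense: it decodes a mask (or a whole `sysctl net.enc` dump) into which packet states enc0 gets to see, and prints the sysctl lines for a chosen setting. The bit meanings are an assumption taken from my reading of the FreeBSD enc(4) manual page (out: 0x1 = before IPsec processing, cleartext; 0x2 = after, encrypted; in: 0x1 = before IPsec processing, encrypted; 0x2 = after, cleartext); confirm them with `man enc` on the firewall before relying on the output. The sample dump is constructed from the values Jim posted.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense. Decodes the enc(4)
# net.enc.* bitmasks that the posts above toggle, and prints the sysctl
# commands needed to reach a chosen setting.
#
# ASSUMPTION: bit meanings as I read them in the FreeBSD enc(4) manual page.
# Confirm with `man enc` on the firewall before relying on this.
#   net.enc.out.*  0x1 = before outbound IPsec processing (cleartext)
#                  0x2 = after  outbound IPsec processing (encrypted)
#   net.enc.in.*   0x1 = before inbound IPsec processing  (encrypted)
#                  0x2 = after  inbound IPsec processing  (cleartext)
# A 0 mask means enc0 (and so pf for *_filter_mask, or tcpdump for
# *_bpf_mask) never sees that direction at all.

# decode_enc_mask DIR MASK
#   DIR is "in" or "out"; MASK is written the way sysctl prints it
#   (0x00000002, or the all-zero 0000000000 seen in the thread).
#   Prints one of: cleartext | encrypted | cleartext+encrypted | none
decode_enc_mask() {
    dir=$1
    mask=$(printf '%d' "$2" 2>/dev/null)   # printf %d accepts 0x... and leading-zero forms
    : "${mask:=0}"
    before=$(( mask & 1 ))
    after=$(( mask & 2 ))
    if [ "$dir" = "out" ]; then
        clear=$before; enc=$after
    else
        clear=$after;  enc=$before
    fi
    if [ "$clear" -ne 0 ] && [ "$enc" -ne 0 ]; then echo "cleartext+encrypted"
    elif [ "$clear" -ne 0 ]; then echo "cleartext"
    elif [ "$enc" -ne 0 ]; then echo "encrypted"
    else echo "none"
    fi
}

# decode_enc_dump: reads `sysctl net.enc` output on stdin and annotates each
# line with what that mask lets enc0 see. Lines that are not net.enc.* are skipped.
decode_enc_dump() {
    while IFS=': ' read -r oid value; do
        case "$oid" in
            net.enc.out.ipsec_*) dir=out ;;
            net.enc.in.ipsec_*)  dir=in ;;
            *) continue ;;
        esac
        printf '%s = %s  (%s)\n' "$oid" "$value" "$(decode_enc_mask "$dir" "$value")"
    done
}

# enc_sysctl_commands OUT_BPF OUT_FILTER IN_BPF IN_FILTER
#   Prints the four sysctl lines for pasting into a shell or into
#   Diagnostics -> Command. It does not run them. Values set this way do not
#   survive a reboot unless they are also added as a System Tunable in the GUI.
enc_sysctl_commands() {
    printf 'sysctl net.enc.out.ipsec_bpf_mask=%s\n'    "$1"
    printf 'sysctl net.enc.out.ipsec_filter_mask=%s\n' "$2"
    printf 'sysctl net.enc.in.ipsec_bpf_mask=%s\n'     "$3"
    printf 'sysctl net.enc.in.ipsec_filter_mask=%s\n'  "$4"
}

# Constructed sample: the values jzsjr posted from the Nov 9 snapshot.
SAMPLE_DUMP='net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0x00000002
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000001'

if [ "${1:-}" = "demo" ]; then
    echo "== sample dump =="
    printf '%s\n' "$SAMPLE_DUMP" | decode_enc_dump
    echo "== commands for the values suggested in the thread =="
    enc_sysctl_commands 0x00000002 0x00000002 0x00000001 0x00000001
fi
```

Run it as `sh enc_masks.sh demo`, or pipe a live dump through it with `sysctl net.enc | sh -c '. ./enc_masks.sh; decode_enc_dump'`. Under the bit reading assumed above, the values in the sample dump give pf the encrypted side of the traffic in both directions and leave tcpdump on enc0 blind, which is consistent with Ermal's point that the bpf masks only matter while debugging.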
Accounts, Apr 7, 2009, 4:27 AM

Is this still going on in current snapshots? I wanted to update to check NAT redirection but fear IPsec problems, since all is good with IPsec as of my current March 22 build.

jzsjr, Apr 7, 2009, 8:53 PM

Yes. I posted the current release I am using.

Jim

jzsjr, Apr 9, 2009, 4:26 PM

I just had an RDP session and Outlook connected to an Exchange server stop passing data. The tunnel was still showing open. Are there any logs I can send in?

thanks,
Jim

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.