Tunnel established but no communications
-
Hello
Is there somebody who can explain to me how the IPsec tunnel between the network and a RoadWarrior computer works? I know that pf does not support modcfg (IKE push/pull) for remote configurations, so if that is the case I have to make the settings manually.
I have pf 1.2 stable version. The client computer is using the latest Shrew software. The local network I am trying to connect to is 192.168.3.0/24.
I have configured the virtual interface in Shrew with my local network settings. I am able to establish the VPN connection, but I cannot communicate with any machine inside my network.
The routing table on my laptop looks fine; moreover, I added the log option to the default rule on the IPSEC interface and I see that the traffic is logged. I can see my ping attempts and the UDP packets to my DNS server, but I get no answer…
Did I miss something? Please see the SPD below:
Source          Destination     Direction  Protocol  Tunnel endpoints
192.168.3.11    192.168.3.0/24  in         ESP       83.31.78.XX - 83.19.104.XX
192.168.3.0/24  192.168.3.11    out        ESP       83.19.104.XX - 83.31.78.XX
and the SAD entries:
Source        Destination   Protocol  SPI       Encryption  Authentication
83.19.104.XX  83.31.78.XX   ESP       b2479f4c  aes-cbc     hmac-md5
83.31.78.XX   83.19.104.XX  ESP       0d53a2a3  aes-cbc     hmac-md5
and the VPN logs (newest entry first):
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.3.0/24[0] 192.168.3.11/32[0] proto=any dir=out"
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.3.11/32[0] 192.168.3.0/24[0] proto=any dir=in"
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 83.19.104.XX[0]->83.31.78.XX[0] spi=1470564891(0x57a70a1b)
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 83.31.78.XX[0]->83.19.104.XX[0] spi=180987997(0xac9a85d)
Jan 11 16:17:22 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:CAST peer:AES
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:AES
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.3.11/32[0] 192.168.3.0/24[0] proto=any dir=in
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 83.19.104.XX[0]<=>83.31.78.XX[0]
Jan 11 16:17:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 83.19.104.XX[500]-83.31.78.XX[500] spi:3b968ae039e80a3b:efe770dfdcb20ba5
Jan 11 16:17:14 racoon: INFO: received Vendor ID: DPD
Jan 11 16:17:14 racoon: INFO: begin Aggressive mode.
Jan 11 16:17:14 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 83.19.104.XX[500]<=>83.31.78.240[500]
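The racoon log above is the most useful evidence in the post, because it separates "IKE failed" from "IKE succeeded but packets go nowhere". The script below is an added example (not code from the forum post or from pfSense/racoon): it parses racoon's phase 1, phase 2, policy and proposal-warning messages, checks that the phase 2 SAs form an in/out pair, and says which layer to look at next. The sample log is constructed from the message formats quoted in the thread, with the public endpoints replaced by RFC 5737 documentation addresses; the verdict strings are this example's own names.

```python
"""Triage a racoon (IKEv1) log for a road-warrior tunnel that comes up but
carries no traffic.  Added example; the log below is constructed from the
message formats quoted in the thread, with RFC 5737 addresses as endpoints."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 11 16:17:14 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.7[500]
Jan 11 16:17:14 racoon: INFO: begin Aggressive mode.
Jan 11 16:17:14 racoon: INFO: received Vendor ID: DPD
Jan 11 16:17:14 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.7[500] spi:3b968ae039e80a3b:efe770dfdcb20ba5
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: 198.51.100.1[0]<=>203.0.113.7[0]
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 192.168.3.11/32[0] 192.168.3.0/24[0] proto=any dir=in
Jan 11 16:17:22 racoon: WARNING: trns_id mismatched: my:3DES peer:AES
Jan 11 16:17:22 racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.7[0]->198.51.100.1[0] spi=180987997(0xac9a85d)
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[0]->203.0.113.7[0] spi=1470564891(0x57a70a1b)
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.3.11/32[0] 192.168.3.0/24[0] proto=any dir=in"
Jan 11 16:17:22 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192.168.3.0/24[0] 192.168.3.11/32[0] proto=any dir=out"
"""

PHASE1_RE = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\]")
PHASE2_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)\[\d+\]->(\S+)\[\d+\] spi=(\d+)")
POLICY_RE = re.compile(
    r'(no policy found, try to generate the policy : |such policy does not already exist: ")'
    r"(\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(in|out)")
MISMATCH_RE = re.compile(r"WARNING: (trns_id|authtype) mismatched: my:(\S+) peer:(\S+)")


def parse_racoon(log_text):
    """Pull the IKE facts that matter out of a racoon log, in any line order."""
    facts = {"phase1": [], "phase2": [], "generated_policies": set(),
             "missing_policies": set(), "mismatches": Counter()}
    for line in log_text.splitlines():
        if m := PHASE1_RE.search(line):
            facts["phase1"].append((m.group(1), m.group(2)))
        elif m := PHASE2_RE.search(line):
            facts["phase2"].append((m.group(1), m.group(2), int(m.group(3))))
        elif m := POLICY_RE.search(line):
            key = "generated_policies" if m.group(1).startswith("no policy") else "missing_policies"
            facts[key].add((m.group(2), m.group(3), m.group(4), m.group(5)))
        elif m := MISMATCH_RE.search(line):
            facts["mismatches"][(m.group(1), m.group(2), m.group(3))] += 1
    return facts


def sa_pairs_complete(phase2):
    """Tunnel traffic needs an SA per direction: every A->B SA needs a B->A twin."""
    dirs = {(s, d) for s, d, _ in phase2}
    return bool(dirs) and all((d, s) in dirs for s, d in dirs)


def verdict(facts):
    """Name the layer to inspect next.  Proposal warnings are cosmetic once an
    SA is established: racoon logs one per non-matching proposal it walks past."""
    if not facts["phase1"]:
        return "phase1-failed"
    if not facts["phase2"] or not sa_pairs_complete(facts["phase2"]):
        return "phase2-failed"
    # Both phases are up, so IKE is not the problem.  Racoon generated the SPD
    # entries itself (the kernel had none for this client), so the next things
    # to check are the SPD, the IPsec firewall rules and routing.
    return "ike-ok-check-spd-routing"


if __name__ == "__main__":
    f = parse_racoon(SAMPLE_LOG)
    print(verdict(f))
    print("proposal warnings:", dict(f["mismatches"]))
    print("policies racoon generated:", sorted(f["generated_policies"]))
```

Run it against the real log (`python3 triage.py < /var/log/ipsec.log` after swapping the constant for `sys.stdin.read()`) and a verdict of `ike-ok-check-spd-routing` means the proposal warnings in the post are noise: the SA pair exists, and the missing packets have to be traced in the SPD, the IPsec-interface rules and the routes on both ends.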
-
I've got the same problem with quite the same logs.
I followed the IPsec tutorial, but I think there is a routing issue that is not explained in it.
-
It was my first guess too … but I think the routes to the IPsec network devices should be created automatically. I considered setting them manually, but there is a note:
Do not enter static routes for networks assigned on any interface of this firewall. Static routes are only used for networks reachable via a different router, and not reachable via your default gateway.
hmmm ???