Netgate Discussion Forum

IPsec tunnel established but no traffic because of missing route

IPsec
    Eugene, Mar 6, 2009, 5:52 PM

    No routing to be configured here. If the tunnel is established then nothing is wrong with the tunnel setup (ranges match).
    From a machine connected to the LAN of Site1, ping some LAN address from site two and trace ESP packets on your WAN interface. At least you will see whether Site1 sends encrypted traffic to Site2, and if it does then apparently Site2 does not respond.
    I suppose you've created a rule on site1 allowing ICMP from the LAN1 to the LAN2 range.

    http://ru.doc.pfsense.org

      Sateetje, Mar 9, 2009, 5:23 PM

      I've only added a rule at the IPsec tab to Allow all. Do I need to create more rules at the Lan or Wan tab?

      And how do I trace ESP packets?

        Eugene, Mar 11, 2009, 7:31 PM

        @Sateetje:

        I've only added a rule at the IPsec tab to Allow all. Do I need to create more rules at the Lan or Wan tab?

        And how do I trace ESP packets?

        The rules you are using depend on your needs. For testing, allow all is a very good rule.
        And you have to allow ICMP traffic from the Site1 LAN to the Site2 LAN on pfSense.Site1 rules, LAN tab (for pings from Site1 to Site2).

        Trace it like this (if you have only one IPsec tunnel):
        tcpdump -i emX -n esp

        or, if you do not have any other traffic between sites:
        tcpdump -i emX -n host <site2 public ip>

        *** replace emX with your real WAN interface name ***

        http://ru.doc.pfsense.org

          Sateetje, Mar 14, 2009, 10:01 PM (edited Mar 19, 2009, 12:01 PM)

          I added an allow-everything rule on the LAN interface of site1.

          Then I started a ping from site1 to site2. But no reply.

          Here are my traces:

          172.16.0.2 = WAN address of pfsense site1
          172.16.2.2 = WAN address of pfsense site2

          site1-ip = WAN address of modem/router (NAT device) (eg 80.101.x.x)
          site2-ip = WAN address of modem/router (NAT device) (eg 80.101.x.x)

          site1:
          22:55:16.085621 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x20), length 132
          22:55:17.093308 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x21), length 132
          22:55:18.103301 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x22), length 132
          22:55:29.195391 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x23), length 132

          site2:
          22:55:16.085654 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x20), length 132
          22:55:16.086596 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14d), length 132
          22:55:17.094322 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x21), length 132
          22:55:17.094870 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14e), length 132
          22:55:18.101993 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x22), length 132
          22:55:18.102528 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14f), length 132
          22:55:29.200274 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x23), length 132
          22:55:29.201113 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x150), length 132

          What could be the problem?

            Eugene, Mar 19, 2009, 3:56 PM

            Well, according to your traces Site2 replies to Site1 but Site1 does not receive these replies.
            We could guess about some routing issue but this is not the case as phase 1 goes perfectly.
            Puzzled. What is in between these firewalls?

            http://ru.doc.pfsense.org
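An added example, not part of this thread and not pfSense code, that turns the two-ended ESP capture Eugene asked for into an automated check. It parses the line format `tcpdump -i emX -n esp` prints, groups packets by SPI (one SPI is one direction of one SA, so source and destination are fixed per SPI), and compares what each WAN saw: an SPI transmitted at one site must show up inbound at the other, and because ESP sequence numbers are assigned by the sender, gaps in the receiver's capture mean loss in transit. The sample captures are constructed from the trace lines posted above, keeping the thread's `site1-ip`/`site2-ip` placeholders for the NAT routers' public addresses; 172.16.0.2 and 172.16.2.2 are the pfSense WAN addresses Sateetje listed.

```python
import re

# Constructed sample captures in the shape `tcpdump -i emX -n esp` prints,
# built from the trace lines posted in this thread (site1-ip / site2-ip are
# the thread's placeholders for the NAT routers' public addresses).
SITE1_CAPTURE = """\
22:55:16.085621 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x20), length 132
22:55:17.093308 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x21), length 132
22:55:18.103301 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x22), length 132
22:55:29.195391 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x23), length 132
"""
SITE2_CAPTURE = """\
22:55:16.085654 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x20), length 132
22:55:16.086596 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14d), length 132
22:55:17.094322 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x21), length 132
22:55:17.094870 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14e), length 132
22:55:18.101993 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x22), length 132
22:55:18.102528 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14f), length 132
22:55:29.200274 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x23), length 132
22:55:29.201113 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x150), length 132
"""

# One tcpdump ESP line: timestamp, IP src > dst, SPI, sequence number, ESP length.
ESP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), length (?P<len>\d+)"
)


def parse_esp(capture):
    """One dict per ESP line; anything tcpdump printed that is not ESP is ignored."""
    pkts = []
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:
            pkts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                         "spi": int(m["spi"], 16), "seq": int(m["seq"], 16),
                         "len": int(m["len"])})
    return pkts


def spi_flows(pkts):
    """Group by SPI. One SPI is one direction of one SA, so src/dst are fixed per SPI."""
    flows = {}
    for p in pkts:
        f = flows.setdefault(p["spi"], {"src": p["src"], "dst": p["dst"], "seqs": []})
        f["seqs"].append(p["seq"])
    return flows


def seq_gaps(seqs):
    """Sequence numbers missing between the first and last seen. The sender
    assigns them, so gaps in the *receiver's* capture mean loss in transit."""
    if not seqs:
        return []
    present = set(seqs)
    return [n for n in range(min(seqs), max(seqs) + 1) if n not in present]


def _check(spi, recv_flows, recv_wan, label):
    """Did the SA 'spi' arrive at the receiving WAN, and with which seqs missing?"""
    f = recv_flows.get(spi)
    if f is None or f["dst"] != recv_wan:
        return f"{label} LOST before the receiving WAN"
    gaps = seq_gaps(f["seqs"])
    return f"{label} delivered" + (f" (missing seq {gaps})" if gaps else "")


def diagnose(site1_capture, site2_capture, site1_wan, site2_wan):
    """Per SPI: were the packets one WAN transmitted seen by the other WAN?
    Returns {spi: verdict}; a LOST verdict names the broken direction."""
    f1 = spi_flows(parse_esp(site1_capture))
    f2 = spi_flows(parse_esp(site2_capture))
    verdict = {}
    for spi, f in f1.items():
        if f["src"] == site1_wan:            # SA transmitted by site1
            verdict[spi] = _check(spi, f2, site2_wan, "site1->site2")
    for spi, f in f2.items():
        if f["src"] == site2_wan:            # SA transmitted by site2
            verdict[spi] = _check(spi, f1, site1_wan, "site2->site1")
    return verdict


if __name__ == "__main__":
    for spi, v in diagnose(SITE1_CAPTURE, SITE2_CAPTURE, "172.16.0.2", "172.16.2.2").items():
        print(f"spi=0x{spi:08x}: {v}")
```

For the posted data this reaches Eugene's verdict: SPI 0x06baad6a is delivered from site1 to site2 with no gaps, while SPI 0x0a7bbf73 leaves site2's WAN and never appears at site1's WAN, so the drop is somewhere between the two pfSense boxes (here, the Draytek, the Cisco or the provider). One more thing worth noticing in the same data: site2's reply SA is already at sequence 0x14d while site1's SA is at 0x20, which is consistent with site2 having answered many earlier pings that were never heard either. If instead a site's own capture shows nothing inbound for any SPI, sniff the WAN side of each NAT router next, as Eugene suggests.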

              mthode, Mar 21, 2009, 9:55 PM

              I am having a similar issue with my vpn setup.  I have setup a vpn between a cisco device and pfsense and it works.  But when I set up a VPN between endian and pfsense, it does not work.

                Sateetje, Mar 21, 2009, 10:09 PM

                Site1:
                LAN -> pfsense (NAT) -> Cisco 827 12.3 IOS (NAT) -> provider

                Site2:
                LAN -> pfsense (NAT) -> Draytek Vigor 2800 (NAT) -> provider

                (Site1 and Site2 have the same provider)

                  fastcon68, Mar 22, 2009, 3:34 AM

                  I have 8 VPN tunnels and they all have different endpoint devices.  I have built 5 basic rules per tunnel and then have more complicated rules for other tunnels.  I am currently running on version 1.2 and/or 1.2.1.  It works fine for me.

                  I have Symantec 320, Linksys devices, and the new GB Linksys VPN endpoint device, and Netgear VPN devices.  I have tested with several other devices with no issue.  I do have one customer that if his firewall goes down I do lose connection.

                  Overall it works great.
                  RC

                    Eugene, Mar 24, 2009, 4:06 AM

                    Sateetje, I gave you the idea: ESP packets from site2 do not reach site1. I doubt that this is the provider's issue. Double check your Cisco and Draytek configs. BTW, not too many NATs? ;)

                    http://ru.doc.pfsense.org

                      Sateetje, Mar 24, 2009, 4:53 PM

                      Is it possible to skip double NAT (transparent pfSense)?

                      Are there settings for the Cisco that I should check? The Draytek only has a web interface and one setting to redirect everything (DMZ host).

                        Eugene, Mar 24, 2009, 5:02 PM

                        You can turn off NATting on pfSense: just do not configure it. pfSense will then work as a router, filtering packets according to the defined rules. But I suspect your problem is in the Draytek or Cisco configs. To find out exactly who is causing problems, put a packet sniffer on the Cisco's and Draytek's WANs and see what is going on there.

                        http://ru.doc.pfsense.org

                          Sateetje, Mar 25, 2009, 7:39 AM

                          On the Draytek there is an option to pass IPsec through: srv nat ipsecpass on

                          But another problem: I can't use RDP. It has something to do with the MTU size. The largest packet I can ping is 1394 bytes. How do I set the right MTU sizes?
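An added example for the MTU question, not from this thread and not pfSense code. In tunnel mode every LAN packet gains a new outer IP header, the ESP header, the cipher IV, padding up to the cipher block, a 2-byte trailer and the ICV, so the largest LAN packet that still fits the WAN MTU is well below 1500 bytes, and a TCP session such as RDP that sends full-size segments with DF set stalls unless the MSS is clamped. The model below assumes AES-CBC (16-byte IV and block) with HMAC-SHA1-96 (12-byte ICV); those algorithms are an assumption, not settings stated in the thread. With them, a 56-byte-payload echo (the Linux/BSD default, an 84-byte inner packet) encapsulates to exactly the 132-byte ESP datagrams in the traces above. A 1394-byte ping payload is a 1422-byte inner packet; the same model gives 1422 for, e.g., those algorithms over a 1492-byte PPPoE link, or with NAT-T on a 1500-byte link, though which, if either, applies here is not stated in the thread.

```python
# Byte sizes of the headers involved (IPv4 without options, TCP without options).
IPV4_HDR = 20     # outer IPv4 header added in tunnel mode
UDP_HDR = 8       # only with NAT-T (ESP carried in UDP/4500)
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
ICMP_HDR = 8
TCP_HDR = 20


def esp_length(inner_len, iv_len=16, block=16, icv_len=12):
    """Length of the ESP datagram (what tcpdump prints as 'length N' after ESP(...)).
    Payload + trailer is padded up to the cipher block size, then the ICV follows.
    Defaults are an assumption: AES-CBC (16-byte IV and block), HMAC-SHA1-96 (12-byte ICV)."""
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # round up to a block
    return ESP_HDR + iv_len + padded + icv_len


def outer_length(inner_len, natt=False, **algs):
    """Bytes actually sent on the WAN for one inner (LAN-side) packet."""
    return IPV4_HDR + (UDP_HDR if natt else 0) + esp_length(inner_len, **algs)


def max_inner_packet(link_mtu, natt=False, **algs):
    """Largest inner IPv4 packet whose encapsulation still fits the WAN MTU."""
    n = link_mtu
    while n > 0 and outer_length(n, natt, **algs) > link_mtu:
        n -= 1
    return n


def path_mtu_from_ping(largest_payload):
    """Turn the largest DF-set ping payload that gets through into the path MTU.
    The payload is what 'ping -f -l N' (Windows) or 'ping -M do -s N' (Linux) sets."""
    return largest_payload + ICMP_HDR + IPV4_HDR


def tcp_mss_for(path_mtu):
    """MSS to clamp SYNs to so that no TCP segment exceeds the measured path MTU."""
    return path_mtu - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    print("84-byte inner echo ->", esp_length(84), "bytes of ESP")   # 132, as in the traces
    print("1500 MTU, bare ESP ->", max_inner_packet(1500))
    print("1500 MTU, NAT-T    ->", max_inner_packet(1500, natt=True))
    print("1492 MTU (PPPoE)   ->", max_inner_packet(1492))
    pmtu = path_mtu_from_ping(1394)
    print("ping payload 1394 passes -> path MTU", pmtu, "-> clamp MSS to", tcp_mss_for(pmtu))
```

Measure first with DF-set pings of increasing size from one LAN to the other, convert the largest payload that passes with `path_mtu_from_ping`, and then clamp the TCP MSS to `tcp_mss_for` of that value rather than lowering the LAN MTU on every host. pfSense has an "Enable MSS clamping on VPN traffic" option under System > Advanced (its exact placement differs between versions; that it lives there in the 1.2 UI is an assumption), which rewrites the MSS in SYNs crossing the tunnel so hosts never send segments that would need fragmenting inside ESP.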

                            mthode, Mar 25, 2009, 1:17 PM

                            I got my IPsec implementation working; it was an issue with the routes of the computer I was testing with…

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.