Netgate Discussion Forum
Ipsec tunnel connecting but unable to ping

    sparky200381
    last edited by Sep 22, 2009, 10:02 PM

    Hi,
    I have two pfSense boxes set up, both running 1.2.2, and have set up an IPSEC tunnel between the sites. It connects and I can ping from site A to B but am unable to ping the other way. Any ideas?

    Mark

      rsingh
      last edited by Sep 23, 2009, 12:13 AM

      I had some issues until I set up a static route, which shouldn't be necessary. I think this is a bug.

      Here's the static route:

      Interface  Network          Gateway      Description
      LAN        192.168.50.0/24  192.168.1.1  IPSec VPN

      My gateway is 192.168.1.1. I shouldn't need a route saying "if you want to reach the IPsec clients, go through the gateway", but this makes everything work. In a tcpdump, you see ICMP redirect packets which seem to fix things like ping.

        blak111
        last edited by Sep 23, 2009, 5:26 AM

        Make sure you have IPSec allow rules on both ends.

          sparky200381
          last edited by Sep 23, 2009, 2:58 PM

          I have added a static route and still no joy. I currently have two other pfSense boxes connecting and I am able to ping clients on the other networks fine, but with this new IPsec tunnel it does not allow me.

          I keep getting the error below but not sure it is relevant.

          Sep 23 14:53:22 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "192...0/24[0] 10...0/24[0] proto=any dir=out"
          Sep 23 14:53:22 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "10...0/24[0] 192...0/24[0] proto=any dir=in"

            focalguy
            last edited by Sep 28, 2009, 11:07 PM

            @blak111:

            Make sure you have IPSec allow rules on both ends.

            Do you have rules to allow traffic on the IPSEC interfaces on both sides?

              neo.matrix_23
              last edited by Oct 1, 2009, 10:59 AM

              @focalguy:

              @blak111:

              Make sure you have IPSec allow rules on both ends.

              Do you have rules to allow traffic on the IPSEC interfaces on both sides?

              You do need to add an IPSEC firewall rule (on the IPSEC interface) on both sides. Add a rule to allow any protocol, any ports, any source and any destination and test PING again. One thing I want to point out is that PING is NOT on the TCP protocol but on ICMP, and very often, when you add a new rule, TCP is selected by default.

                stewie
                last edited by Oct 7, 2009, 2:23 PM Oct 7, 2009, 2:02 PM

                Hi.

                Having the same problem.
                SA is established. I set up a pass-any-from-any-to-any firewall rule on each site's IPsec tab.
                Logging is enabled and Status > Firewall shows blocked packets. This is really confusing. Why does a pass rule log blocked packets?
                The only special thing in this setup is that on one site the VPN comes over OPT1. Load balancing is configured.

                cheers

                stewie

                  jimp Rebel Alliance Developer Netgate
                  last edited by Oct 7, 2009, 8:01 PM

                  @stewie:

                  Logging is enabled and Status > Firewall shows blocked packets. This is really confusing. Why does a pass rule log blocked packets?

                  It doesn't. If a blocked packet is logged, your rule did not get matched. Check your rules again. Especially make sure the protocol is set to ANY and not TCP.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                    stewie
                    last edited by Oct 7, 2009, 8:15 PM

                    I removed all rules, rebooted and added them again as mentioned in another thread. But no success.
                    I am misunderstanding something totally, or PF is buggy as hell.

                    As I said, the SA is established, which normally means that routing is set up by phase 2. Both sites have a pass-any-from-any-to-any firewall rule on the IPsec tabs.

                    site1 LAN: 192.168.200.0/24 with host 192.168.200.5
                    site2 LAN: 192.168.201.0/24 with host 192.168.201.1
                    This is what tcpdump shows on the internal interfaces when pinging from site2 to site1.
                    on site1:
                    22:08:03.699497 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40
                    on site2:
                    22:08:03.723041 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40
                    22:08:03.723568 IP 192.168.200.5 > 192.168.201.1: ICMP echo reply, id 512, seq 14926, length 40

                    On site1, filter.log shows pass logs for ICMP packets that came from the keep-alive setting. Can't see my logs matching my pass rule. Site2 shows no ICMP pass logs at all.

                    ???
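                    Comparing captures taken on the LAN side of both firewalls, as done above, is the right way to find where an echo exchange dies. As an added example that is not part of this thread and not pfSense code, the following Python script parses tcpdump ICMP echo lines from each site, pairs requests with replies by ICMP id and sequence number, and reports the first point at which the exchange breaks. The site names, the constructed capture `SAMPLE_RETURN_BLOCKED` (the one-way-ping symptom from the first post: request and reply visible at the far site, no reply back at the near site) and the verdict wording are this example's own assumptions; `SAMPLE_FROM_THREAD` holds the two captures posted above, labelled as posted.

```python
import re
from collections import defaultdict

# tcpdump ICMP echo line format as posted in the thread, e.g.
# "22:08:03.699497 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)


def parse_icmp(lines):
    """Yield (id, seq, kind) for ICMP echo lines; anything else (ESP, ARP, keep-alives) is ignored."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["id"]), int(m["seq"]), m["kind"]


def index_captures(captures):
    """captures: {site: [tcpdump lines]} -> {(id, seq): {site: set of kinds seen at that site}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for site, lines in captures.items():
        for icmp_id, seq, kind in parse_icmp(lines):
            seen[(icmp_id, seq)][site].add(kind)
    return seen


def diagnose(captures, src_site, dst_site):
    """Classify each echo exchange; src_site is the LAN the ping originates from.

    The checks are ordered along the packet's path, so the verdict names the first hop
    at which evidence is missing (verdict strings are this example's own wording).
    """
    verdicts = {}
    for key, by_site in index_captures(captures).items():
        at_src = by_site.get(src_site, set())
        at_dst = by_site.get(dst_site, set())
        if "request" not in at_src:
            v = "request never seen on source LAN"
        elif "request" not in at_dst:
            v = "request lost before destination LAN (tunnel selector, IPsec rules or routing)"
        elif "reply" in at_src and "reply" not in at_dst:
            v = "reply seen on source LAN but not destination LAN: check which interface each capture was taken on"
        elif "reply" not in at_dst:
            v = "destination host did not answer (host firewall or host default gateway)"
        elif "reply" not in at_src:
            v = "reply lost on return path (IPsec rules or routing on the far firewall)"
        else:
            v = "ok"
        verdicts[key] = v
    return verdicts


# Constructed captures (addresses borrowed from the static-route post above): the request crosses
# the tunnel and the far host answers, but the reply never shows up back on the source LAN.
SAMPLE_RETURN_BLOCKED = {
    "siteA": [
        "10:00:00.000100 IP 192.168.1.10 > 192.168.50.10: ICMP echo request, id 7, seq 1, length 64",
    ],
    "siteB": [
        "10:00:00.010100 IP 192.168.1.10 > 192.168.50.10: ICMP echo request, id 7, seq 1, length 64",
        "10:00:00.010400 IP 192.168.50.10 > 192.168.1.10: ICMP echo reply, id 7, seq 1, length 64",
    ],
}

# The two captures posted in the thread, labelled as posted (ping from site2 to site1).
SAMPLE_FROM_THREAD = {
    "site1": [
        "22:08:03.699497 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40",
    ],
    "site2": [
        "22:08:03.723041 IP 192.168.201.1 > 192.168.200.5: ICMP echo request, id 512, seq 14926, length 40",
        "22:08:03.723568 IP 192.168.200.5 > 192.168.201.1: ICMP echo reply, id 512, seq 14926, length 40",
    ],
}

if __name__ == "__main__":
    for name, caps, src, dst in [
        ("constructed", SAMPLE_RETURN_BLOCKED, "siteA", "siteB"),
        ("thread", SAMPLE_FROM_THREAD, "site2", "site1"),
    ]:
        for (icmp_id, seq), verdict in diagnose(caps, src, dst).items():
            print(f"{name}: id={icmp_id} seq={seq}: {verdict}")
```

                    Run it against `tcpdump -ni <LAN interface> icmp` output saved from each firewall (the interface name is whatever your LAN is called). On the thread's own captures it flags that the reply is visible at the pinging site but not at the answering site, which is the kind of inconsistency that usually means the two captures were taken on different interfaces or labelled the wrong way round, and is worth resolving before blaming the IPsec rules.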

                      stewie
                      last edited by Oct 7, 2009, 8:17 PM

                      @jimp

                      It's set to any. I checked it more than twice.

                        jimp Rebel Alliance Developer Netgate
                        last edited by Oct 7, 2009, 8:23 PM

                        @stewie:

                        I am misunderstanding something totally, or PF is buggy as hell.

                        The former. It works quite well when setup properly.

                        Are you pinging from the firewall itself or a client PC behind the firewall?

                        If you are trying to ping from the firewall, that won't work unless you either add a proper static route, or set the ping source by using ping -S <LAN IP> <remote LAN IP>.


                          stewie
                          last edited by Oct 7, 2009, 8:26 PM

                          I am pinging from host to host behind the firewalls.
                          site1 has 192.168.200.254 and site2 has 192.168.201.254.

                          I guess I did something wrong. Perhaps it has something to do with my routing.
                          IPsec is running over WAN2 or OPT1. I didn't add any static routes yet.

                            jimp Rebel Alliance Developer Netgate
                            last edited by Oct 7, 2009, 8:31 PM

                            @stewie:

                            I guess I did something wrong. Perhaps it has something to do with my routing.
                            IPsec is running over WAN2 or OPT1. I didn't add any static routes yet.

                            You may need to take care of this first. Also ensure that IPsec is set to actually use that interface. It may be trying to send the traffic out of WAN and not WAN2. An easy test would be to build the tunnel on the WAN circuit instead and see if it works there.


                              stewie
                              last edited by Oct 8, 2009, 7:56 AM

                              Hi jimp.

                              It works with WAN instead of OPT1. But I can't keep it like this.
                              WAN1 is a PPPoE ADSL with low upstream and WAN2 is SDSL with a static IP and a bit more upstream.
                              OPT1 does not support PPPoE, which is why I did it like this. I also need to keep the WAN load balancing, which btw is working out lovely.

                              How can I troubleshoot this routing and/or filter problem with IPSec over OPT1/WAN2?

                              cheers

                              Stewie

                                stewie
                                last edited by Oct 11, 2009, 11:52 AM

                                Hi.

                                Does anyone know how to route the VPN over OPT1/WAN2?
                                I really need to do it.

                                cheers.

                                stewie

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.