Netgate Discussion Forum
No traffic, tunnels in the green
IPsec · 28 Posts, 9 Posters, 14.2k Views
Visseroth:

OK, so I'm extremely tired but I'm writing this in hopes to get some assistance with this strange problem that is causing me some hair loss.

So we have 2 pfSense boxes, one in Cali and one in the northwest. Both are configured and connected to one another via an IPSec VPN. The IPSec VPN overview says that it's up and it's good to go, the logs say that the connection has been established and there are no errors, but we cannot get traffic between the two unless the SAD connections are deleted; then the pfSense box in the NW can ping Cali but not vice versa.

I checked the IPSec rule and it's configured to allow all traffic from all interfaces on any protocol and yet no traffic. I have checked the firewall logs as I have all created rules set to log and nothing seems to be trying to cross over the IPSec rule via the ENC0 interface (I believe that is the interface, dunno, haven't seen it lately).

We have deleted and recreated the IPSec tunnels multiple times, some that have failed to come up and others that have come up but with the same problem.

Also, when I delete the SAD information from the Cali pfSense box I get...

    PING 192.168.0.1 (192.168.0.1) from 10.0.0.1: 56 data bytes
    36 bytes from so-5-0.ipcolo1.SanFrancisco1.Level3.net (63.211.140.85): Destination Host Unreachable
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 5400 df36  0 0000  3b  01 d5c8 10.0.0.1  192.168.0.1

When I delete SAD from the NW and ping from the NW pfSense box I get...

    PING 10.0.0.1 (10.0.0.1) from 192.168.0.1: 56 data bytes
    64 bytes from 10.0.0.1: icmp_seq=0 ttl=59 time=16.513 ms
    64 bytes from 10.0.0.1: icmp_seq=1 ttl=59 time=18.224 ms
    64 bytes from 10.0.0.1: icmp_seq=2 ttl=59 time=17.280 ms

    --- 10.0.0.1 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 16.513/17.339/18.224/0.700 ms

So any ideas would be greatly appreciated because I've about had it!
bkm:

Some random thoughts:
Can you ping from LAN to LAN instead of from the pfSense boxes?
Is this a multi-WAN setup? If so, are you creating the tunnel on the OPT1 interface? Try the WAN interface for the tunnel.
Sounds like you may need a static route added.
Visseroth:

No sir, afraid that we are unable to ping from LAN to LAN and neither is a dual WAN setup. I'll play with the routes as soon as I have a chance and report back.
cmb:

Never add static routes for IPsec (with the exception of the one for traffic initiated from the firewall itself if you need that). I don't know what the problem is (lots of possibilities), but that isn't it.
netmethods:

Have you tried playing with the DPD setting to keep the tunnels up? Also, play with the lifetime settings. I'm having a similar issue and setting the DPD setting to 30 seems to be working. The tunnels that I have DPD enabled on seem to be staying up. I have the LT set to 28800 and they've been up for almost 20 hours so far.

Your one-way traffic issue sounds more like a phase 2 or network config issue. If you are limiting your LAN ranges, try opening it up to the entire /24 on each side. I'd also disable any extra settings you don't need on both ends just to see if you can get it up. You shouldn't need to set static routes with IPsec; it should create the routes internally.

Post some more info on your tunnel config, maybe someone will see something you missed. What version of pfSense are you running?

2x Nexcom 1088n8 in HA config
2.4 GHz Quad Core / 4GB DDR2 / SATAII 160GB / 4x1GB Intel module
Visseroth:

The DPD setting has been set to the default, 60. I changed it to 30 and the tunnels are still unstable. If we get the tunnel established then we are unable to get traffic; if we can't get them established we sometimes get phase 1 errors or phase 2 errors. We double and triple check the information, re-apply the settings and it still won't come up. We disable and re-enable IPSec and sometimes we'll get "Can't find Configuration" errors.
Bottom line, this stupid thing is not working!

Is IPSec bugged or something? Do we have another option for firewall-to-firewall VPNs, because quite frankly this junk is getting old!
Visseroth:

Now I'm getting...

    Oct 28 00:25:24 last message repeated 4 times
    Oct 28 00:24:43 racoon: ERROR: couldn't find configuration.

on one and just info on the other.

I also downgraded both firewalls to 1.2.2.
Visseroth:

Changed to main mode...

    Oct 28 00:29:49 racoon: ERROR: couldn't find configuration.
    Oct 28 00:29:41 racoon: ERROR: failed to begin ipsec sa negotication.
    Oct 28 00:29:41 racoon: ERROR: phase1 negotiation failed due to send error. 6b81178b280bd303:0000000000000000
    Oct 28 00:29:41 racoon: ERROR: sendfromto failed
    Oct 28 00:29:41 racoon: INFO: begin Identity Protection mode.
Visseroth:

    Oct 28 00:38:30 last message repeated 3 times
    Oct 28 00:38:00 racoon: ERROR: couldn't find configuration.
    Oct 28 00:35:42 racoon: [Sequoya]: INFO: IPsec-SA established: ESP 192.168.0.1[0]-
Visseroth:

Now getting: Error: xx.xx.xx.xx give up to get IPsec-SA due to time up to wait.

I've checked and double checked my information; it matches on both sides. The only thing different this time is that on Host A I'm using 10.0.0.2/24 for the remote subnet and on host B I'm using 192.168.0.3/24 for my remote subnet.
Visseroth:

Got the connection to come back up, but now on my firewall with the IP address 192.168.0.0/24 I'm getting...

    Oct 28 04:55:29 racoon: ERROR: couldn't find configuration.
    Oct 28 04:55:19 last message repeated 3 times
    Oct 28 04:54:49 racoon: ERROR: couldn't find configuration.
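The racoon lines pasted in the posts above are the kind of log a defender triages before touching the tunnel config. The script below is an added example, not part of the thread or of pfSense: it expands syslog's "last message repeated N times" lines, orders the events oldest-first (pfSense shows newest first), counts the symptoms, and returns heuristic hints. The sample log is reconstructed from the lines quoted in the thread; the symptom labels and hints are this example's own assumptions.

```python
import re
from collections import Counter
# Constructed sample: the racoon lines quoted in the thread, newest first as pfSense displays them
SAMPLE_LOG = """\
Oct 28 00:38:30 last message repeated 3 times
Oct 28 00:38:00 racoon: ERROR: couldn't find configuration.
Oct 28 00:35:42 racoon: [Sequoya]: INFO: IPsec-SA established: ESP 192.168.0.1[0]-
Oct 28 00:29:49 racoon: ERROR: couldn't find configuration.
Oct 28 00:29:41 racoon: ERROR: failed to begin ipsec sa negotication.
Oct 28 00:29:41 racoon: ERROR: phase1 negotiation failed due to send error. 6b81178b280bd303:0000000000000000
Oct 28 00:29:41 racoon: ERROR: sendfromto failed
Oct 28 00:29:41 racoon: INFO: begin Identity Protection mode.
"""
# Message pattern -> symptom label (labels are this example's own); first match wins
SYMPTOMS = [
    (re.compile(r"couldn't find configuration"), "no-matching-config"),
    (re.compile(r"phase1 negotiation failed"), "p1-failed"),
    (re.compile(r"sendfromto failed"), "send-error"),
    (re.compile(r"give up to get IPsec-SA"), "p2-timeout"),
    (re.compile(r"IPsec-SA established"), "sa-established"),
]
TS = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (.*)$")
REPEAT = re.compile(r"last message repeated (\d+) times")

def parse_racoon_log(text):
    """Return (timestamp, message) pairs oldest-first, expanding 'last message repeated N times'."""
    events = []
    for line in reversed([l for l in text.splitlines() if l.strip()]):
        m = TS.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        rep = REPEAT.search(msg)
        if rep and events:  # syslog collapsed duplicates of the previous message
            events.extend((ts, events[-1][1]) for _ in range(int(rep.group(1))))
        else:
            events.append((ts, msg))
    return events

def classify(msg):
    return next((label for pat, label in SYMPTOMS if pat.search(msg)), "other")

def triage(text):
    counts = Counter(classify(msg) for _, msg in parse_racoon_log(text))
    hints = []
    if counts["no-matching-config"]:
        hints.append("IKE requests match no configured phase 1 entry: compare remote gateway and identifier settings on both ends")
    if counts["send-error"] or counts["p1-failed"]:
        hints.append("IKE packets could not be sent: check the path for UDP 500 and which interface the tunnel binds to")
    return counts, hints
```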
Visseroth:

Traffic is showing up on 10.0.0.1/24 coming from 192.168.0.1/24 through enc0 but not returning.
Visseroth:

Nothing?
focalguy:

Have you done any packet captures lately? I'd start capturing packets to see if they are arriving and not being returned, or if they are not even arriving. Could the devices on one side of the tunnel have a different gateway that doesn't know about the route to the tunnel?
Visseroth:

OK, IPSec sucks, that's all there is to it, down with IPSec.
htgtech:

Having the same basic problem myself: tunnels are up, but pings won't go through and I am unable to load up the web interface for pfsense2 from pfsense1. I checked the packet capture for the pinging and it shows the ping coming in and being sent back out, but pfsense1 never receives the pings. I have ICMP traffic allowed, AH traffic allowed, and all traffic allowed on the LAN/WAN/IPsec firewall tabs...
drade:

@htgtech:

    Having the same basic problem myself: tunnels are up, but pings won't go through and I am unable to load up the web interface for pfsense2 from pfsense1. I checked the packet capture for the pinging and it shows the ping coming in and being sent back out, but pfsense1 never receives the pings. I have ICMP traffic allowed, AH traffic allowed, and all traffic allowed on the LAN/WAN/IPsec firewall tabs...

I can add myself to this thread as well, having the same symptoms as the individuals above. IPsec tunnels are presenting as connected but no traffic passes through; funny thing is that the firewall log shows the traffic as "passed" even though nothing is actually going through.

These symptoms present themselves on both 1.2.2 and 1.2.3-rc3 releases. And to add a little bit more spice to the whole story, I can connect fully to the LAN interface of the remote pfSense box just fine (attachments show 10.2.1.222, which is the LAN IP of the aforementioned pfSense box).

Telnet attempt to the local IP address of that remote subnet running nagios on the port 12489:

This is how it looks in the pfSense log:

Another SS of the CLI:

ICMP passed ?:
drade:

Hello,

Please disregard my last post, clearly a PEBKAC problem (someone from the tech. dept. added a static route on all servers to the inexistent gateway ... ah joy!).
jimp (Netgate developer):

You may also try to check "Prefer old IPsec SAs" under Advanced options.

I had a tunnel today to a different device (WatchGuard Firebox) that was not stable (would just stop passing traffic, if it did at all) without that setting turned on.
htgtech:

Ok, I've narrowed down my problem to the AH/ESP settings... If I use AH the tunnel connects but no traffic goes through; however, if I use ESP the tunnel connects and traffic goes through with no trouble. The problem here being, I have to use AH because we have to not only connect to our own routers but also to a 3rd party router which uses the AH setting... Any ideas on how to fix this?