Tunnel up, can ping FW, and can configure through https, but no traffic routed
-
Hello guys,
I've been using pfSense for some years now but only used PPTP as VPN. Now I'm trying to use pfSense and Shrew VPN together.
I have searched the forum for a similar problem but haven't found one.
The problem is that no data is routed from the mobile client to internal IPs. Well, this is a common problem here…
But I can ping the FW, I can browse to the FW and configure it. I can ping the client from the FW so the link is really up and running.
I have double and triple checked the settings in pfSense and Shrew and they are the same.
There is a "pass all" rule for IPsec just as for PPTP (which works).
What could be the reason for the traffic not being routed? It seems like the IPsec->LAN rule is not working, but I cannot see why.
IP-setup of client in Shrew: 172.16.111.22/16
When tunnel is up, the route in windows looks like this:
172.16.0.0 255.255.0.0 172.16.111.22 172.16.111.22 1
172.16.111.22 255.255.255.255 127.0.0.1 127.0.0.1 30
172.16.255.255 255.255.255.255 172.16.111.22 172.16.111.22 30
IPsec log:
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.0.0/16[0] 172.16.111.22/32[0] proto=any dir=out"
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in"
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=2760772392(0xa48e0b28)
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=47611494(0x2d67e66)
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: XX[0]<=>YY[0]
Apr 8 12:49:01 racoon: INFO: generated policy, deleting it.
Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established XX[500]-YY[4849] spi:2eddb914b17bf772:34953d56716b0602
Apr 8 12:49:01 racoon: INFO: received Vendor ID: DPD
Apr 8 12:49:01 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 8 12:49:01 racoon: INFO: received Vendor ID: RFC 3947
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 8 12:49:01 racoon: INFO: begin Aggressive mode.
Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation
As I have heard, the two errors are not the issue. Correct?
And status:
Source Destination Protocol SPI Enc. alg. Auth. alg.
aa bb ESP a48e0b28 3des-cbc hmac-sha1
bb bb ESP 02d67e66 3des-cbc hmac-sha1
IP rule for IPsec:
Proto Source Port Destination Port Gateway Schedule Description
- - - - - - IPSEC passthruu - - - -
Ping FW: 172.16.0.1 works ok!
Ping 172.16.111.22 from FW works ok!
Ping any other IP from client = no response
Best regards,
Stefan Johansson
-
-
No ideas?
Should I have any other rule than the one for IPSec?
-
The subnets which you are using overlap. That may be part of the problem.
-
I have now changed the LAN network to 172.16.0.0/19 which has the subnet 255.255.224.0 and the mobile client is set to use IP 172.16.200.22 which means that the client is not within the /19 subnet. Still the same error.
-
Changed mobile warrior to use 192.168 network and now it works fine.
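The overlap pointed out in the reply above can be checked mechanically before bringing the tunnel up. The script below is an added example and not part of the thread or of pfSense/Shrew: it compares the mobile client's virtual address (and the mask the client applies to it) with the LAN network behind the firewall, and it also scans the Windows route table quoted in the first post for destinations that overlap the LAN. The /16 mask on the second configuration is an assumption (the post only gives the new client IP), and 192.168.1.22/24 is a constructed stand-in for the "192.168 network" that finally worked.

```python
import ipaddress

# Constructed from the first post: the client's Windows route table while the
# tunnel was up (destination, netmask, gateway, interface, metric).
WINDOWS_ROUTES = """\
172.16.0.0 255.255.0.0 172.16.111.22 172.16.111.22 1
172.16.111.22 255.255.255.255 127.0.0.1 127.0.0.1 30
172.16.255.255 255.255.255.255 172.16.111.22 172.16.111.22 30
"""


def overlap_report(lan_cidr, client_ip, client_prefix):
    """Compare the mobile client's virtual address with the LAN behind the firewall.

    lan_cidr      - network on the pfSense LAN side, e.g. "172.16.0.0/16"
    client_ip     - virtual address configured on the Shrew client
    client_prefix - prefix length the client applies to that address
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    client = ipaddress.ip_address(client_ip)
    # Address plus mask is what the client installs as an on-link route.
    client_onlink = ipaddress.ip_network(f"{client_ip}/{client_prefix}", strict=False)
    return {
        "client_in_lan": client in lan,
        "onlink_overlaps_lan": lan.overlaps(client_onlink),
    }


def parse_windows_routes(text):
    """Parse 'route print' style lines into (destination network, gateway) pairs."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or header lines
        dest, mask, gateway = parts[0], parts[1], parts[2]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(gateway)))
    return routes


def routes_overlapping(text, lan_cidr):
    """Return the destinations in the client's route table that overlap the LAN."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return [str(net) for net, _gw in parse_windows_routes(text) if net.overlaps(lan)]


def explain(lan_cidr, client_ip, client_prefix):
    """Human-readable verdict for one LAN/client combination."""
    r = overlap_report(lan_cidr, client_ip, client_prefix)
    if r["client_in_lan"]:
        return "client address lies inside the LAN network: overlap"
    if r["onlink_overlaps_lan"]:
        return "client address is outside the LAN, but its mask still covers LAN space: overlap"
    return "no overlap"


if __name__ == "__main__":
    # The three configurations tried in the thread; the /16 on the second one
    # is an assumption and 192.168.1.22/24 is a constructed example address.
    for lan, ip, prefix in [("172.16.0.0/16", "172.16.111.22", 16),
                            ("172.16.0.0/19", "172.16.200.22", 16),
                            ("172.16.0.0/19", "192.168.1.22", 24)]:
        print(f"LAN {lan}, client {ip}/{prefix}: {explain(lan, ip, prefix)}")
    print("client routes overlapping LAN 172.16.0.0/16:",
          routes_overlapping(WINDOWS_ROUTES, "172.16.0.0/16"))
```

Running it shows the first configuration overlapping on both counts, the second still overlapping through the client mask even though the address itself sits outside the /19, and only the 192.168 address space being disjoint from the LAN, which matches the order in which the configurations failed and then worked in the thread.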