Netgate Discussion Forum

IPsec tunnel up but no traffic

5 Posts 3 Posters 3.9k Views
    davidmtl
    last edited by Apr 18, 2011, 2:40 AM

    Hello all!
    I have a small setup for a non-profit as follows:
    SiteA
    10.10.1.0/24

    SiteB
    10.13.1.0/24

    The tunnel between the two sites is up but there's no traffic going through. I added a rule on each site in the Firewall > IPsec tab to allow all, and the same on the LAN tab. I also added a rule on the WAN to allow ESP from any to any, and another rule to allow TCP on port 500 from any to any.

    Both boxes are pfSense 1.2.3 RC1 on WRAP. Everything on the LAN works fine (browsing) except when we try to ping or RDP to the other site (same behavior whether we try to access SiteB from SiteA or vice versa).

    Also, on SiteA I have other rules for specific ports like the pfSense WebGUI and other web admin pages. Those are auto-generated rules from the Firewall > NAT entries we created.

    Any idea why the traffic is not going through the tunnel?

    Thanks!

      davidmtl
      last edited by Apr 18, 2011, 3:18 AM

      Here are more details on the tunnel configuration:

      SiteA:

      Interface: LAN
      DPD: 60
      Local subnet: LAN subnet
      Remote subnet: 10.13.1.0/24
      Remote gateway: <remote gateway>
      Negotiation: aggressive
      My identifier: hub.local
      Encryption: Blowfish
      Hash: SHA1
      DH key group: 2
      Lifetime: 28800
      Authentication method: pre-shared key
      Protocol: ESP
      Encryption algorithms: Blowfish is checked
      Hash: SHA1 is checked
      PFS key group: 2
      Lifetime: 86400
      Automatically ping host: 10.13.1.1

      SiteB:

      Interface: LAN
      DPD: 60
      Local subnet: LAN subnet
      Remote subnet: 10.10.1.0/24
      Remote gateway: <remote gateway>
      Negotiation: aggressive
      My identifier: dl.local
      Encryption: Blowfish
      Hash: SHA1
      DH key group: 2
      Lifetime: 28800
      Authentication method: pre-shared key
      Protocol: ESP
      Encryption algorithms: Blowfish is checked
      Hash: SHA1 is checked
      PFS key group: 2
      Lifetime: 86400
      Automatically ping host: 10.10.1.1

      Firewall Rules:
      At both sites for LAN and IPSEC: * * * * * * (any to any)

      WAN Site A (in the following order):
      TCP * * 10.10.1.1 6699 *
      UDP * * * 500 (ISAKMP) *
      ESP * * * * *
      TCP * * 10.10.1.15 9080 *
      TCP * * 10.10.1.15 9443 *

      WAN Site B (in the following order):
      TCP * * 10.13.1.1 6699 *
      UDP * * * 500 (ISAKMP) *
      ESP * * * * *
      IGMP PPTP clients * * * *

      Other info: when I ping from an actual machine on the site A (or site B) LAN to a machine on the site B (or site A) LAN, I see the ICMP in the firewall log on the outgoing side, e.g.:
      Apr 17 23:07:25 ENC0 10.13.1.1 10.10.1.1 ICMP
      but that's it.

      IPsec status at both ends says they are connected, so I'm at a loss as to why no traffic is getting through (ping, traceroute, remote desktop, etc.).

      Any help would be greatly appreciated. Thanks!
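As an added example (not from the thread and not pfSense code), a small Python check that takes both sites' Phase 1 and Phase 2 settings as posted, with "LAN subnet" resolved to the LANs from the first post, and reports anything that would stop the two ends from agreeing on an SA, plus the legacy settings a reviewer would flag. The dictionary field names are my own shorthand for the WebGUI fields.

```python
import ipaddress

# Settings transcribed from the post above; "LAN subnet" resolved to the LAN
# given in the first post. Key names are this example's shorthand, not pfSense's.
SITE_A = {"name": "SiteA", "local_subnet": "10.10.1.0/24", "remote_subnet": "10.13.1.0/24",
          "negotiation": "aggressive", "p1_enc": "Blowfish", "p1_hash": "SHA1", "dh_group": 2,
          "p1_lifetime": 28800, "p2_enc": "Blowfish", "p2_hash": "SHA1", "pfs_group": 2,
          "p2_lifetime": 86400, "ping_host": "10.13.1.1"}
SITE_B = {"name": "SiteB", "local_subnet": "10.13.1.0/24", "remote_subnet": "10.10.1.0/24",
          "negotiation": "aggressive", "p1_enc": "Blowfish", "p1_hash": "SHA1", "dh_group": 2,
          "p1_lifetime": 28800, "p2_enc": "Blowfish", "p2_hash": "SHA1", "pfs_group": 2,
          "p2_lifetime": 86400, "ping_host": "10.10.1.1"}

# Both ends must offer identical proposals or Phase 1 / Phase 2 never agrees.
PROPOSAL_KEYS = ("negotiation", "p1_enc", "p1_hash", "dh_group", "p1_lifetime",
                 "p2_enc", "p2_hash", "pfs_group", "p2_lifetime")
WEAK_CIPHERS = {"Blowfish", "DES", "3DES"}  # 64-bit block ciphers, legacy only


def check_tunnel(a, b):
    """Return (kind, message) findings: 'mismatch' stops traffic, 'weak' is a hardening note."""
    findings = []
    for near, far in ((a, b), (b, a)):
        # Phase 2 selectors must mirror exactly: the SA has to cover the packet's
        # src/dst pair on both ends, otherwise the packet is not matched to the tunnel.
        if ipaddress.ip_network(near["remote_subnet"]) != ipaddress.ip_network(far["local_subnet"]):
            findings.append(("mismatch", f"{near['name']} remote {near['remote_subnet']} != "
                                         f"{far['name']} local {far['local_subnet']}"))
        # The keepalive target must sit inside the remote subnet to ride the tunnel.
        if ipaddress.ip_address(near["ping_host"]) not in ipaddress.ip_network(near["remote_subnet"]):
            findings.append(("mismatch", f"{near['name']} ping host {near['ping_host']} "
                                         f"outside {near['remote_subnet']}"))
        if near["negotiation"] == "aggressive":
            findings.append(("weak", f"{near['name']}: aggressive mode exposes identities and a "
                                     "PSK-derived hash to offline guessing; prefer main mode"))
        for phase in ("p1_enc", "p2_enc"):
            if near[phase] in WEAK_CIPHERS:
                findings.append(("weak", f"{near['name']} {phase}: {near[phase]} is a legacy "
                                         "64-bit block cipher; prefer AES"))
    for key in PROPOSAL_KEYS:
        if a[key] != b[key]:
            findings.append(("mismatch", f"{key}: {a['name']}={a[key]} vs {b['name']}={b[key]}"))
    return findings


if __name__ == "__main__":
    for kind, msg in check_tunnel(SITE_A, SITE_B):
        print(f"[{kind}] {msg}")
```

With the posted settings the check finds no mismatch, so the one-way ICMP seen on enc0 points at the path beyond the SA (routing or filtering on the far side) rather than at the Phase 2 definition.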

        ericab
        last edited by Apr 18, 2011, 3:39 AM

        I've got the same issue on my iPad --> pfSense IPsec server.
        Hopefully one of the devs will help us out with this, since this is a pretty common problem these days.

          davidmtl
          last edited by Apr 21, 2011, 1:52 AM

          Hello!
          Does anyone know how I could troubleshoot my problem and try to find the solution?

          I'm a little lost as to why I can see traffic going through in the logs but get no answer when I send a ping or RDP.

          Any thoughts on why it's not working and where I should investigate in order to make this tunnel work?

          Thanks!

            sten2004
            last edited by May 20, 2011, 6:45 PM

            Aren't you getting any clues from Status - System Logs - Firewall or IPsec VPN?

            I had a PPTP rule that was deleted: I could make a PPTP connection but all access to the LAN was blocked, and it was traceable in the system logs.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.