Netgate Discussion Forum
    Two IPSec Site to Site connections

    13 Posts 4 Posters 5.2k Views

    szop:

      No ideas? Is it even possible to establish two connections via one WAN between two sites with different LANs?

    pingulino:

        You may have just a routing/gateway problem, but it's hard to tell for sure. We need to establish exactly where it goes wrong.

        1. Check the IPsec log; any errors?
        2. Under Status -> IPsec:
        • Overview: Is the button on the right side red, yellow or green? If yellow, click the arrow to start the tunnel.
        • SAD / SPD: Anything here? There should be 2 entries for each active tunnel.
        3. Check the output of "netstat -r".
    szop:

          Thanks for the effort to help me out with this issue. I've been stuck for days now and still have no idea how to solve my problem. Here is some of the information you asked for.

          1. IPsec log since this morning:

          http://screencast.com/t/CCE5vprg
          http://screencast.com/t/PDYwrZ0f

          2. The status seems to be okay:

          Overview: http://screencast.com/t/jPGfjV89E0h. Both local IPs are the same IPs, and both remote IPs are the same IPs as well.
          SAD: http://screencast.com/t/4FCkpb0f74Lk
          SPD: http://screencast.com/t/b2MsG92VxJpk

          3. Routing tables:

          Internet:
          Destination        Gateway            Flags    Refs      Use  Netif Expire
          default            217.5.98.27        UGS        0    6589 pppoe2
          google-public-dns- 217.5.98.27        UGHS        0    14289 pppoe2
          10.0.0.0          link#3            U          0        0    em2
          10.0.0.2          link#3            UHS        0        0    lo0
          p578bb5c6.dip0.t-i localhost          UH          0        0    lo0
          w2.rc.vip.ch1.yaho 10.0.0.1          UGHS        0    14309    em2
          localhost          link#7            UH          0    1116    lo0
          172.16.40.0        link#1            U          0      817    em0
          172.16.40.254      link#1            UHS        0        0    lo0
          192.168.66.0      192.168.66.2      UGS        0        0 ovpns2
          192.168.66.1      localhost          UH          0        0    lo0
          192.168.66.2      link#11            UH          0        0 ovpns2
          192.168.88.0      192.168.88.2      UGS        0      10 ovpns1
          192.168.88.1      localhost          UH          0        0    lo0
          192.168.88.2      link#10            UH          0        0 ovpns1
          192.168.103.0      link#2            U          0  9117420    em1
          pfsense            link#2            UHS        0        0    lo0
          dnsp03.hansenet.de 10.0.0.1          UGHS        0    57959    em2
          dnsp02.hansenet.de 10.0.0.1          UGHS        0    57961    em2
          217.5.98.27        link#9            UH          0        0 pppoe2
          n-lb-a01.isp.t-ipn 217.5.98.27        UGHS        0    57950 pppoe2
          m-lb-a01.isp.t-ipn 217.5.98.27        UGHS        0    57951 pppoe2

          Internet6:
          Destination        Gateway            Flags      Netif Expire
          localhost          localhost          UH          lo0
          fe80::%em0        link#1            U          em0
          fe80::206:4fff:fe8 link#1            UHS        lo0
          fe80::%em1        link#2            U          em1
          fe80::206:4fff:fe8 link#2            UHS        lo0
          fe80::%em2        link#3            U          em2
          fe80::206:4fff:fe8 link#3            UHS        lo0
          fe80::%em3        link#4            U          em3
          fe80::206:4fff:fe8 link#4            UHS        lo0
          fe80::%lo0        link#7            U          lo0
          fe80::1%lo0        link#7            UHS        lo0
          fe80::%pppoe2      link#9            U        pppoe2
          fe80::206:4fff:fe8 link#9            UHS        lo0
          fe80::206:4fff:fe8 link#10            UHS        lo0
          fe80::206:4fff:fe8 link#11            UHS        lo0
          ff01:1::          fe80::206:4fff:fe8 U          em0
          ff01:2::          fe80::206:4fff:fe8 U          em1
          ff01:3::          fe80::206:4fff:fe8 U          em2
          ff01:4::          fe80::206:4fff:fe8 U          em3
          ff01:7::          localhost          U          lo0
          ff01:9::          fe80::206:4fff:fe8 U        pppoe2
          ff01:a::          fe80::206:4fff:fe8 U        ovpns1
          ff01:b::          fe80::206:4fff:fe8 U        ovpns2
          ff02::%em0        fe80::206:4fff:fe8 U          em0
          ff02::%em1        fe80::206:4fff:fe8 U          em1
          ff02::%em2        fe80::206:4fff:fe8 U          em2
          ff02::%em3        fe80::206:4fff:fe8 U          em3
          ff02::%lo0        localhost          U          lo0
          ff02::%pppoe2      fe80::206:4fff:fe8 U        pppoe2
          ff02::%ovpns1      fe80::206:4fff:fe8 U        ovpns1
          ff02::%ovpns2      fe80::206:4fff:fe8 U        ovpns2

          Thanks again and in advance.

          Cheers,
          Szop

    cmb:

            Your IPsec config is fine since you have SADs. The routing table has no relevance to IPsec. My first guess is you're blocking traffic by not allowing what is needed in the IPsec firewall rules.

    szop:

              Thanks for the reply. Do you mean this: http://screencast.com/t/iC0iLMc0ZE ?

              Do I need a separate rule for each IPsec connection?

              Cheers,
              Szop

    Zeon:

                I'm not sure if this is relevant, but have you made sure that "block private address space" isn't enabled on the OPT2 interfaces? This has caught me out before. If you like, I'm more than happy to log in and take a look for you.

    szop:

                  Hey, thanks for your reply. Unfortunately the private network blocks have already been disabled :( :
                  http://screencast.com/t/GWnp5ebgny

                  This drives me nuts…

                  Here is a post that seems similar to mine: http://forum.pfsense.org/index.php/topic,33900.0.html
                  Is it even possible to create two separate IPsec tunnels over one WAN to another WAN?

    cmb:

                    As long as you have an allow-all rule like the one shown in the screenshot above, on both sides of the IPsec tunnel, you're good with rules. "Block private networks" doesn't apply to traffic within IPsec.

                    @szop:

                    Is it even possible to create two separate IPsec tunnels over one WAN to another WAN?

                    Yes, it's extremely common, widely done.

                    Next troubleshooting step is to start a continuous ping from one side to the other. Start packet captures on each hop along the way to see where the traffic is getting and isn't getting. Start with the internal interface on the side where the traffic is initiated; if you don't see it there, you have local routing issues on that network and/or on the host initiating the traffic. If you do see it there, move the capture to the IPsec interface. Then the IPsec interface of the remote host, then the LAN interface of the remote host. Report back where you are no longer seeing the traffic.

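The hop-by-hop capture walk cmb describes, as an added shell example that is not part of the original thread or of pfSense. It assumes the addresses from this thread (test host 172.16.40.16 behind the local pfSense at 172.16.40.254, remote host 172.16.30.1), that the local LAN is em0 as in the routing table above, and that IPsec traffic is visible on pfSense's enc0 interface; the hop names, the tcpdump summary lines and the hint text are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread or pfSense): walk a continuous ping
# hop by hop and name the first hop where the echo request disappears.
# Assumptions: local LAN on em0, IPsec traffic visible on enc0 (pfSense's
# IPsec capture interface), test hosts 172.16.40.16 -> 172.16.30.1.

SRC=172.16.40.16
DST=172.16.30.1

# Print the tcpdump command to run on one hop (interface = $1).
# Run it on the pfSense box that owns that interface while the ping runs:
# local box em0 first, then enc0; remote box enc0, then its LAN interface.
capture_cmd() {
    printf 'tcpdump -ni %s -l icmp and host %s and host %s\n' "$1" "$SRC" "$DST"
}

# Count echo requests or replies ($1 = request|reply) in tcpdump summary
# lines read from stdin. awk is used instead of grep -c so an empty capture
# yields 0 without a non-zero exit status.
count_icmp() {
    awk -v key="ICMP echo $1" 'index($0, key) { n++ } END { print n + 0 }'
}

# $@ = hop:count pairs in path order; print the first hop with count 0,
# or "none" if the request was seen on every hop.
first_missing_hop() {
    for pair in "$@"; do
        hop=${pair%%:*}
        n=${pair#*:}
        if [ "$n" -eq 0 ]; then
            echo "$hop"
            return 0
        fi
    done
    echo none
}

# Where to look next, given the first hop that did not see the request
# (hint text is this example's own summary of the thread's advice).
hint_for_hop() {
    case "$1" in
        local-lan)   echo "host never sent it to pfSense: check the host's default gateway or static route and any host firewall" ;;
        local-enc0)  echo "reached the LAN/OPT interface but was not put into the tunnel: check that interface's firewall rules and the phase 2 networks" ;;
        remote-enc0) echo "left the local tunnel but was not seen leaving the remote tunnel: check the remote phase 2 / SAD entries" ;;
        remote-lan)  echo "decrypted remotely but not forwarded: check the remote IPsec tab rules" ;;
        none)        echo "request seen on every hop: check the reply path (remote host's gateway or host firewall)" ;;
        *)           echo "unknown hop $1" ;;
    esac
}

# Constructed sample captures (tcpdump -n summary format) reproducing the
# case from this thread: the request reaches the local LAN interface but
# never enters IPsec because the OPT interface has no pass rule.
SAMPLE_LOCAL_LAN='12:00:01.000001 IP 172.16.40.16 > 172.16.30.1: ICMP echo request, id 1, seq 1, length 40
12:00:02.000001 IP 172.16.40.16 > 172.16.30.1: ICMP echo request, id 1, seq 2, length 40'
SAMPLE_LOCAL_ENC0=''
SAMPLE_REMOTE_ENC0=''
SAMPLE_REMOTE_LAN=''

# Run the walk over the samples and return the first hop without the request.
walk_samples() {
    first_missing_hop \
        "local-lan:$(printf '%s\n' "$SAMPLE_LOCAL_LAN" | count_icmp request)" \
        "local-enc0:$(printf '%s\n' "$SAMPLE_LOCAL_ENC0" | count_icmp request)" \
        "remote-enc0:$(printf '%s\n' "$SAMPLE_REMOTE_ENC0" | count_icmp request)" \
        "remote-lan:$(printf '%s\n' "$SAMPLE_REMOTE_LAN" | count_icmp request)"
}

for ifc in em0 enc0; do capture_cmd "$ifc"; done
hop=$(walk_samples)
echo "first hop without the request: $hop"
echo "next check: $(hint_for_hop "$hop")"
```

On a real pair of boxes, paste each capture's output into the corresponding SAMPLE_ variable (or pipe the saved capture into count_icmp) and the walk names the hop to look at; in the constructed sample it reports local-enc0, which is the missing OPT-interface rule this thread ended on.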
    szop:

                      Oh my God! I was able to ping from pfSense to pfSense directly, but not from the network! Also, I am able to ping my whole network from the pfSense boxes, like 172.16.40.254 -> 172.16.40.16 and back. But I can't ping from the network over the tunnel. Same behavior on both sides.

    cmb:

                        That would be a wrong default gateway on the hosts, or a host based firewall.

    szop:

                          I guess I've found the mistake now, and I'm a bit ashamed of this because I think I've wasted a lot of your time. I had no firewall rule on OPT2 and OPT1, so I wasn't able to ping from the network to the gateway. I thought I just needed a firewall rule on the IPsec tab to route traffic over the IPsec VPN to the destination network. In my last post I said that I was able to ping from pfSense to the network, like 172.16.40.254 -> 172.16.40.16 and back, but somehow I made a mistake, because the second time I tried I was not able to :/; just pfSense to network, like 172.16.40.254 -> 172.16.40.16, and pfSense to pfSense and its network, like 172.16.40.254 -> 172.16.30.254 and 172.16.30.1.

                          Besides that, I had to add routes manually on my Windows machines via the command line. You can print the help for "route" by typing "route" into the command line. As you can see, I've added a static route manually on this PC: http://screencast.com/t/ixe55rM45Mk8. You can see that the routing works now: http://screencast.com/t/fKmkbkHu

                          Thanks a lot for this great support on this forum!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.