Netgate Discussion Forum

Connected but no Traffic

IPsec
11 Posts 4 Posters 3.9k Views

    WTF
    last edited by Jul 26, 2013, 10:21 AM
    Jul 26, 2013, 10:08 AM

    Hello,

    I've managed to get my Android device connected via IPsec to pfSense and am getting an IP allocated from the pool (10.1.0.1) that I can ping from the device. When I try and ping my main network 10.0.0.0/24 (which I added a forwarding route for) and also added a FW rule to allow Any -> 10.0.0.0/24 - Any for the IPsec interface, I don't get anything.

    I've done a packet capture but don't see any ICMP traffic.

    I'm using Automatic Outbound NAT.
    LAN - 10.0.0.0/24
    WAN - 192.168.0.0/24
    IPSec Pool - 10.1.0.0/24

    Phase1
    Interface - WAN
    Auth - Mutual PSK + XAuth
    Neg - Aggressive
    My Ident - Dynamic DNS host.mydomain.com
    Peer Ident - user@mydomain.com
    PSK - <key>
    Policy Gen - Unique
    Proposal Checking - Strict
    Enc Algo - AES128
    Hash Algo - SHA1
    DH - 2
    Lifetime - 28800
    NAT-T - Disable (Any other setting and Phase1 times out)
    DPD - Enabled, 60/5

    Phase2
    Mode - Tunnel
    Local Network - LAN (10.0.0.0/24)
    Proto - ESP
    Enc Algo - AES 128
    Hash - SHA1
    PFS Key - Off
    Lifetime - 28800

    Anyone have any ideas where/what I could look at?

    Thanks,
    WTF

      kejianshi
      last edited by Jul 26, 2013, 12:06 PM

      Are you trying this from inside or outside your network?

        WTF
        last edited by Jul 26, 2013, 12:16 PM

        I was using the 3G network on my mobile, so outside. I figured the routing would have issues if I used my Wifi without a bit of fiddling.

          kejianshi
          last edited by Jul 26, 2013, 12:24 PM

          I've had issues in the past of this and that carrier kicking/stopping/resetting VPN and SIP traffic (off and on).

          Maybe try it from a friend's wifi.

          That NAT-T should be on, BTW.

          On your android phone, are you forcing that route?

          I had to put

          Forwarding routes :  0.0.0.0/0  in mine to make it use the VPN tunnel 100% of time.

          I also gave it a DNS Server.  I use my own, but for you, 8.8.8.8 would be good.

          All these settings are in the Android IPsec settings.
          You are using the built-in VPN client, right? Not one you downloaded?

            WTF
            last edited by Jul 26, 2013, 12:40 PM

            If I turn on NAT-T (Enable or Force) I can't get P1 up (it just times out).

            Thing is that the VPN stays up and is pretty stable but just doesn't allow traffic (in the default ipsec client I have a forward route of 10.0.0.0/24 set in the IPSec Client along with DNS of 10.0.0.10 (internal) and then 8.8.8.8)

            I only want to access 10.0.0.0/24 network via the VPN but all other net access should route over the normal 3G/Wifi data connection.

            BTW, just tested the work Wifi and it has the same issue. (there isn't any captive portal or anything blocking either)

              Vorkbaard
              last edited by Jul 26, 2013, 12:51 PM

              Sounds like there is a second 10.0.0.0/24 subnet somewhere between your client and your server. Can you test with another subnet? Even if that wouldn't be a solution you'd still know what the problem was.

              I also had this problem when I had IPsec/OpenVPN tunnel configuration with (partly) identical names or IP ranges. Delete any that might conflict.

              Alternatively try OpenVPN.

                WTF
                last edited by Jul 26, 2013, 1:00 PM
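An added example, not code from the thread or from pfSense, that checks the overlap hypothesis above offline using the subnets WTF listed (LAN 10.0.0.0/24, pool 10.1.0.0/24, client forwarding route 10.0.0.0/24); the client-side ranges and the candidate test subnets are constructed for illustration.

```python
import ipaddress

# Subnets as listed in the thread: pfSense LAN, the mobile IPsec pool, and the
# route the Android client is told to forward into the tunnel.  All constructed
# from the posts, not read from any live config.
SERVER_LAN = ipaddress.ip_network("10.0.0.0/24")
IPSEC_POOL = ipaddress.ip_network("10.1.0.0/24")
TUNNEL_ROUTES = [ipaddress.ip_network("10.0.0.0/24")]  # client "Forwarding routes"


def tunnel_conflicts(client_local_nets, tunnel_routes=TUNNEL_ROUTES,
                     server_lan=SERVER_LAN, pool=IPSEC_POOL):
    """List overlaps that explain 'tunnel up, no traffic'.

    client_local_nets: CIDR strings for the networks the client is directly
    attached to (carrier range, a friend's Wi-Fi, the office Wi-Fi).  A tunnel
    route that overlaps one of them is the 'second 10.0.0.0/24 between client
    and server' case: the directly connected route normally wins, so the pings
    never enter the tunnel and the pfSense capture shows no ICMP at all.
    """
    conflicts = []
    for cidr in client_local_nets:
        local = ipaddress.ip_network(cidr, strict=False)
        for route in tunnel_routes:
            if local.overlaps(route):
                conflicts.append(
                    f"client network {local} overlaps tunnel route {route}: "
                    "traffic stays on the local network and never enters the tunnel")
        if local.overlaps(pool):
            conflicts.append(
                f"client network {local} overlaps IPsec pool {pool}: "
                "the assigned virtual address collides with a local address")
    if server_lan.overlaps(pool):
        conflicts.append(f"server LAN {server_lan} overlaps IPsec pool {pool}")
    return conflicts


def pick_test_network(avoid, candidates=("172.21.0.0/24", "10.77.0.0/24")):
    """Return the first candidate subnet that overlaps nothing in `avoid`.

    For the 'can you test with another subnet?' step: choose a LAN or pool
    range that cannot collide with anything on the client side.
    """
    avoid_nets = [ipaddress.ip_network(a, strict=False) for a in avoid]
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if not any(net.overlaps(a) for a in avoid_nets):
            return str(net)
    return None


if __name__ == "__main__":
    # Constructed case: the office Wi-Fi also happens to be 10.0.0.0/24.
    for line in tunnel_conflicts(["10.0.0.0/24"]):
        print(line)
```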

                Is this for the P2 Local Subnet or from the Mobile Client Virtual Address Range?

                  WTF
                  last edited by Jul 26, 2013, 1:56 PM

                  I also checked the ARP table and there is nothing showing for the Mobile Client IP allocated :(

                    WTF
                    last edited by Jul 26, 2013, 2:44 PM

                    I've got this working, though it wasn't a fix I would normally like to use.

                    I set the NAT-T to Enable and rebooted pfSense; when it came back up, bingo!

                    So what's causing it, or if it is going to happen again, I don't know. Restarting racoon didn't help, btw!

                      kejianshi
                      last edited by Jul 26, 2013, 2:49 PM

                      ohhhhhhhh…  haha.
                      laughing at myself...

                      When a client is disconnected and reconnected a few minutes later, it probably won't pass traffic.
                      It's a weird glitch that I've been assured doesn't exist now... But ok.

                      Anyway.  Try this.

                      Connect to your VPN.  Test it.
                      Now, disconnect and wait 3 minutes.  Then connect again and test it.

                      I bet it doesn't work now.

                      Now, go to status > services and press the "restart services" button to the right of racoon / IPsec.

                      Bet it works now.

                        jimp (Rebel Alliance, Developer, Netgate)
                        last edited by Jul 30, 2013, 5:45 PM

                        @kejianshi:

                        ohhhhhhhh…   haha.
                        laughing at myself...

                        When a client is disconnected and reconnected a few minutes later, it probably won't pass traffic.
                        It's a weird glitch that I've been assured doesn't exist now... But ok.

                        Anyway.  Try this.

                        Connect to your VPN.  Test it.
                        Now, disconnect and wait 3 minutes.  Then connect again and test it.

                        I bet it doesn't work now.

                        Now, go to status > services and press the "restart services" button to the right of racoon / IPsec.

                        Bet it works now.

                        That was a problem on older snapshots, and still is if you didn't follow this page exactly: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
                        Double check every setting (especially Prefer Old IPsec SA).