Netgate Discussion Forum
    Possible Bug: IPSEC to OpenVPN conversion

    IPsec
jonnytabpni

      Hi Everyone,

      We have had an IPSec tunnel set up between two pfsense boxes (One at a branch office, and one in a datacentre) for over a year now and it has always worked well. However, we decided to change from IPSec to OpenVPN.

      Unfortunately, the conversion didn't work so well. When I tried to ping from the office to a host in the DC LAN, the pfsense box in the DC refused to route the packet from the OpenVPN interface to the correct LAN interface. I could see that the ICMP packet was reaching the DC pfsense ok via tcpdump. What was even weirder was that the branch office could ping out to the open internet via the DC pfsense if redirect-gateway was set in the OpenVPN settings. I confirmed, time and time again that the firewall rules in the DC pfsense were set ok to allow traffic from the OpenVPN interface to the DC LAN.

I was banging my head for ages, and then I had an idea: Even though I had deleted the old IPSec settings, what if there were some old routes left behind that were causing the DC pfsense to be "confused"… So I entertained this idea and changed the branch office's LAN subnet and voila! Everything worked properly. I didn't touch the OpenVPN settings, except I just changed the subnet of the branch office LAN (as well as modifying the respective firewall rules).

      Is this a bug? I have to state that I didn't reboot the pfsense box in the DC as it's a critical piece of hardware being used for other things, so a reboot may have solved this. But still, there is clearly something lingering behind from the IPsec connection...

      Any ideas folks? Should I file a bug report on this?

      Thanks

      Jonny

jimp (Rebel Alliance Developer, Netgate)

        IPsec and OpenVPN cannot be set for overlapping subnets unless you completely disable IPsec or remove all references to it.

        Either you didn't disable IPsec, or if you left it enabled but deleted the Phase 2 it's possible you hit this (already fixed) bug:
        https://github.com/bsdperimeter/pfsense/commit/7dcf1cc77f4f7e061418b324a2632804634aa0fe

        The behavior you're seeing is typical of IPsec "swallowing" the traffic that matches a phase 2 it believes it should handle, even if it entered via another path.

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

jonnytabpni

          @jimp:

          IPsec and OpenVPN cannot be set for overlapping subnets unless you completely disable IPsec or remove all references to it.

          Either you didn't disable IPsec, or if you left it enabled but deleted the Phase 2 it's possible you hit this (already fixed) bug:
          https://github.com/bsdperimeter/pfsense/commit/7dcf1cc77f4f7e061418b324a2632804634aa0fe

          The behavior you're seeing is typical of IPsec "swallowing" the traffic that matches a phase 2 it believes it should handle, even if it entered via another path.

I can assure you that I did completely remove the IPSec settings for the relevant subnet from the IPsec settings page. I didn't disable IPSec though, as the box was being used for other important connections. However, I have just noticed that there are some lingering SPD settings remaining! So it is these that must be causing the issue.

          Shouldn't these have been removed when I removed the IPSec settings for the respective link?

          Thanks

jimp (Rebel Alliance Developer, Netgate)

            They should have been removed, yes, when that tunnel was deleted or disabled.

            That commit (which should be in 2.0.1) should have ensured that they were cleaned out if all tunnels were removed, but I don't see how it would leave them in there if the tunnel were removed.

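An added example (not from this thread and not pfSense's own code) of the check a defender would run after an IPsec-to-OpenVPN migration like the one above: dump the kernel Security Policy Database with `setkey -DP` and flag any remaining IPsec policy whose selector overlaps a subnet that OpenVPN now carries, since such a policy will "swallow" traffic as jimp describes. The SPD text below is constructed in the usual FreeBSD `setkey -DP` layout (assumed here), with 192.168.10.0/24 standing in for the branch-office LAN and 10.20.0.0/24 for the DC LAN; the function names are mine.

```python
import ipaddress
import re
import subprocess

# Constructed sample of `setkey -DP` output. The 192.168.10.0/24 policies
# represent a stale Phase 2 that should have been removed with its tunnel;
# the 172.16.5.0/24 policies belong to an IPsec tunnel that is still wanted.
SAMPLE_SPD = """\
192.168.10.0/24[any] 10.20.0.0/24[any] any
	in ipsec
	esp/tunnel/203.0.113.2-198.51.100.1/unique:1
	spid=2 seq=1 pid=4711
	refcnt=1
10.20.0.0/24[any] 192.168.10.0/24[any] any
	out ipsec
	esp/tunnel/198.51.100.1-203.0.113.2/unique:1
	spid=1 seq=0 pid=4711
	refcnt=1
172.16.5.0/24[any] 10.20.0.0/24[any] any
	in ipsec
	esp/tunnel/203.0.113.9-198.51.100.1/unique:2
	spid=4 seq=3 pid=4711
	refcnt=1
10.20.0.0/24[any] 172.16.5.0/24[any] any
	out ipsec
	esp/tunnel/198.51.100.1-203.0.113.9/unique:2
	spid=3 seq=2 pid=4711
	refcnt=1
"""

DIRECTIONS = {"in", "out", "fwd"}


def parse_spd(text):
    """Parse a `setkey -DP` dump into a list of policy dicts.

    Each policy starts with an unindented header "<src>[port] <dst>[port] <proto>";
    the indented lines that follow carry direction/policy type and the spid.
    """
    policies = []
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            parts = raw.split()
            if len(parts) < 3:
                continue
            # Strip the "[port]" suffix and normalise to a network object
            # (single addresses become /32 or /128 networks).
            src = ipaddress.ip_network(re.sub(r"\[.*\]", "", parts[0]), strict=False)
            dst = ipaddress.ip_network(re.sub(r"\[.*\]", "", parts[1]), strict=False)
            current = {"src": src, "dst": dst, "dir": None, "policy": None, "spid": None}
            policies.append(current)
        elif current is not None:
            tokens = raw.split()
            if tokens and tokens[0] in DIRECTIONS and current["dir"] is None:
                current["dir"] = tokens[0]
                current["policy"] = tokens[1] if len(tokens) > 1 else None
            match = re.match(r"spid=(\d+)", raw.strip())
            if match:
                current["spid"] = int(match.group(1))
    return policies


def stale_policies(policies, ovpn_networks):
    """Return IPsec SPD policies whose selector overlaps a network now served by OpenVPN."""
    nets = [ipaddress.ip_network(n, strict=False) for n in ovpn_networks]
    return [
        p for p in policies
        if p["policy"] == "ipsec"
        and any(p["src"].overlaps(n) or p["dst"].overlaps(n) for n in nets)
    ]


def audit_live_spd(ovpn_networks):
    """Run `setkey -DP` on this host (root required) and report overlapping policies."""
    out = subprocess.run(["setkey", "-DP"], capture_output=True, text=True, check=True).stdout
    return stale_policies(parse_spd(out), ovpn_networks)


if __name__ == "__main__":
    # Offline demonstration against the constructed dump: 192.168.10.0/24 is
    # the subnet that moved to OpenVPN, so its two policies are flagged.
    for p in stale_policies(parse_spd(SAMPLE_SPD), ["192.168.10.0/24"]):
        print(f"stale spid={p['spid']} {p['dir']} {p['src']} -> {p['dst']}")
```

Two policies (one per direction) are reported for the migrated subnet, while the 172.16.5.0/24 tunnel is left alone. Run against a live box, a non-empty result after the corresponding Phase 2 has been deleted is exactly the lingering-SPD condition reported in the thread, and is worth checking before rebuilding the OpenVPN side or changing LAN addressing.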
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.