Netgate Discussion Forum

    IPSEC tunnels display "connection established" but can not ping peer internal IP

    2.2 Snapshot Feedback and Problems - RETIRED
hoanghaibinh

Yes, I'm sure that I'm using 3DES for both phase 1 and phase 2. With the same VPN config, when I upgrade to a newer version, even the latest 2.2 beta version today, the VPN stops working (cannot ping the peer IP) though it shows the VPN as connected. Then I switch back to the alpha version built on 08.18.2014 and everything is OK. I saw that some people, hehe, had been in the same situation as me. In the last 3 weeks I've paid for an APU from Netgate and tested it with the 64-bit 4G NanoBSD image on an SD card (the pfSense firmware downloaded from the Netgate site is version 2.1.5). The pfSense 2.1.5 release always works great, including IPsec VPN! At least for me. Then I upgraded it to the 2.2 beta version and got the same IPsec VPN connection errors as when installing the full-image beta 2.2 version on i386 and amd64 PC servers.

eri--

OK, probably some patches to IPsec that are in 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended nowadays :)

sgw

@ermal:

OK, probably some patches to IPsec that are in 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended nowadays :)

My tunnels use AES … and also don't ping  ::)

Knossos

@sgw:

@ermal:

OK, probably some patches to IPsec that are in 2.2 might impact 3DES.
I have not tested much on DES since AES is mostly recommended nowadays :)

My tunnels use AES … and also don't ping  ::)

Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.

sgw

@Knossos:

Same, I tested 3DES and AES, no difference. IKEv1 and v2, no difference either.

Yes, same here.

hoanghaibinh

Same for me! Maybe we have to wait for the day pfSense 2.2 is released?! :(

pcanada

I am using AES-128 and SHA-1 and I cannot get traffic through any IPsec VPN I create (multiple destinations and target equipment). All indications are that the VPN connection is made and functioning correctly. It seems to me that the issue lies somewhere within the pfSense firewall. It's acting like the firewall is just blocking all IPsec traffic regardless of the firewall entries that tell it to allow it.

hoanghaibinh

To my knowledge, when we configure VPN connections, system rules are automatically created to allow IPsec protocol traffic through the WAN, and we create rules manually to allow traffic to pass through the IPsec interface (the IPsec or OpenVPN interfaces are only present after we have created the IPsec connection). So I suspect that the lack of some routing configs in the routing table, or of some system rules, has caused these errors.

hege

@hoanghaibinh:

So I suspect that the lack of some routing configs in the routing table, or of some system rules, has caused these errors.

IPsec Mobile Client
  Mutual PSK
  Virtual Address Pool: 172.16.94.0/24

Can someone please check if that route is right? (It doesn't look possible.)

Destination    Gateway                      Flags   Use   Mtu    Netif
172.16.94.1    [Primary-GW-IP-of-pfSense]   UGHS    0     1500   hn0

Same config in 2.1.5, but there I don't have this route and traffic passes through.

whitewidow

I don't have much to add other than that I too have this issue. I show a connection on both ends but no traffic passes. Changing from DES to AES 128 makes no difference.

I will help test in any way if needed, just let me know.

I'm on the 10/3 snapshot on MS Hyper-V.

hoanghaibinh

I found this link on Google and hope this helps, since the description in that case seems quite similar to ours:
https://forums.freebsd.org/viewtopic.php?&t=36125
I haven't got much time to try this right now, but I'll manage to do it soon and let you know the result.

sgw

Thanks for the pointer. Unfortunately I am not really able to test that on my systems, as I don't really know how to modify the mentioned pf rules etc.

I compared the output of "netstat -r" (= routes) between the beta and stable 2.1.5 just now.

I see explicit routes to the IP of the other IPsec gateway on 2.1.5, while they are missing on the beta. I have no idea if that matters; it's just what I was thinking of and checking … I've got to try adding these routes on the beta and re-test pinging (after writing this reply ...).

While I let ping run I checked pftop/pfinfo and couldn't spot dropped packets ...

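Checking pf for drops and comparing routes, as done above, only covers the firewall side. A check practitioners also want is whether the tunnel that IKE reports as "established" actually moves ESP packets in both directions, which strongSwan exposes as per-CHILD_SA byte and packet counters in `ipsec statusall`. The following script is an added example, not code from this thread or from pfSense or strongSwan; it parses saved `ipsec statusall` output and classifies each CHILD_SA from those counters. It assumes the line layout that strongSwan 5.x prints for an installed CHILD_SA (the counter line directly after the INSTALLED line, then the traffic-selector line); the connection names, addresses, SPIs and counter values in the sample are constructed.

```python
"""Tell an IPsec tunnel that is merely negotiated from one that carries traffic.

"ESTABLISHED" (IKE SA) and "INSTALLED" (CHILD_SA) in `ipsec statusall` only
prove that negotiation succeeded. Whether ESP packets are really encrypted,
sent, received and accepted shows up only in the per-CHILD_SA byte/packet
counters. The sample output below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Counter line for an installed CHILD_SA (assumed strongSwan 5.x layout), e.g.
#   siteA{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 840 bytes_o (10 pkts, 2s ago), rekeying in 46 minutes
# The "(N pkts, Ts ago)" part appears only once that direction has seen traffic.
COUNTER_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<algs>[A-Z0-9_/]+),\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts?, \d+s ago\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts?, \d+s ago\))?"
)
# Traffic-selector line, e.g.   siteA{1}:   192.168.1.0/24 === 192.168.2.0/24
TS_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?) === (?P<remote>.+?)\s*$")


@dataclass
class ChildSa:
    name: str
    sa_id: int
    algs: str
    bytes_i: int
    bytes_o: int
    pkts_i: int
    pkts_o: int
    local_ts: str = ""
    remote_ts: str = ""

    @property
    def key(self) -> str:
        return f"{self.name}{{{self.sa_id}}}"


def parse_statusall(text: str) -> List[ChildSa]:
    """Extract every installed CHILD_SA with its counters and traffic selectors."""
    sas: Dict[str, ChildSa] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            sa = ChildSa(m["name"], int(m["id"]), m["algs"],
                         int(m["bytes_i"]), int(m["bytes_o"]),
                         int(m["pkts_i"] or 0), int(m["pkts_o"] or 0))
            sas[sa.key] = sa
            continue
        m = TS_RE.match(line)
        if m and f"{m['name']}{{{m['id']}}}" in sas:
            sa = sas[f"{m['name']}{{{m['id']}}}"]
            sa.local_ts, sa.remote_ts = m["local"], m["remote"]
    return list(sas.values())


def classify(sa: ChildSa) -> str:
    """Interpret one CHILD_SA's counters. Assumes traffic toward the remote
    selector (e.g. a ping from the local LAN) was generated just before the
    statusall output was captured."""
    if sa.bytes_o == 0 and sa.bytes_i == 0:
        # Nothing was ever encrypted: the packets never matched this SA's policy.
        # Look at routing and firewall rules on the sending side, not at IKE.
        return "NO_TRAFFIC"
    if sa.bytes_o > 0 and sa.bytes_i == 0:
        # We encrypt and send, but nothing is ever accepted inbound: the peer is
        # not answering or not routing the reply, or inbound ESP is rejected
        # before decryption (for instance an integrity-check failure).
        return "ONE_WAY_OUT"
    if sa.bytes_i > 0 and sa.bytes_o == 0:
        # Peer's packets arrive and are accepted; our replies never enter the tunnel.
        return "ONE_WAY_IN"
    return "OK"


def report(text: str) -> Dict[str, str]:
    """Map each CHILD_SA key ("name{id}") to its classification."""
    return {sa.key: classify(sa) for sa in parse_statusall(text)}


# Constructed sample: three tunnels, captured right after pinging through each.
SAMPLE_STATUSALL = """\
Security Associations (3 up, 0 connecting):
   siteA[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
   siteA[3]: IKEv2 SPIs: 7a1b2c3d4e5f6071_i* 8899aabbccddeeff_r, pre-shared key reauthentication in 7 hours
   siteA{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
   siteA{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 840 bytes_o (10 pkts, 2s ago), rekeying in 46 minutes
   siteA{1}:   192.168.1.0/24 === 192.168.2.0/24
   siteB[4]: ESTABLISHED 3 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.77[198.51.100.77]
   siteB{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 0a0b0c0d_i 1e1f2a2b_o
   siteB{2}:  AES_CBC_128/HMAC_SHA1_96, 840 bytes_i (10 pkts, 1s ago), 840 bytes_o (10 pkts, 1s ago), rekeying in 50 minutes
   siteB{2}:   192.168.1.0/24 === 10.10.0.0/16
   mobile[5]: ESTABLISHED 1 minute ago, 203.0.113.10[203.0.113.10]...192.0.2.33[192.0.2.33]
   mobile{3}:  INSTALLED, TUNNEL, reqid 3, ESP SPIs: 3c3d3e3f_i 4a4b4c4d_o
   mobile{3}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 55 minutes
   mobile{3}:   192.168.1.0/24 === 172.16.94.1/32
"""

if __name__ == "__main__":
    for key, status in report(SAMPLE_STATUSALL).items():
        print(f"{key:12} {status}")
```

On a live box, capture the counters twice a few seconds apart while a ping runs; a status that stays NO_TRAFFIC points at policy/routing on the sender (the packets never reach the SA), while ONE_WAY_OUT with bytes_o climbing means the local side is encrypting fine and the problem is on the return path or in inbound verification.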
whitewidow

So basically site-to-site IPsec is broken now, correct? Has anyone got it to work yet?

eri--

I am unsure why it does not work for some people.

For me on a first setup it works!

sgw

@ermal:

I am unsure why it does not work for some people.

For me on a first setup it works!

Maybe it is related to the upgrade procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?

charliem

@sgw:

Maybe it is related to the upgrade procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?

No, I had a clean 2.2 install that was working well (road warrior config, Shrew Soft client), then it stopped working at some point with a new snapshot. I believe it stopped working after pfSense updated strongSwan from 5.1.x to 5.2.0, and/or FreeBSD 10.0 to 10.1 prerelease. Same symptoms as reported here: the tunnel is established, but no traffic can pass.

@ermal:

I am unsure why it does not work for some people.

For me on a first setup it works!

Site-to-site or mobile client? Can you post a config that works?

eri--

Next snapshot should fix the issue.

sgw

@ermal:

Next snapshot should fix the issue.

Cool. Can you point us at the bug/commit solving this? I am interested in what the issue was. Thanks!

eri--

The issue was that some hashes had the wrong size in the kernel, due to some improvements done to IPsec.

That has been fixed now.

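The post above says only that "some hashes had the wrong size in the kernel"; it does not say which transform or which size was affected, so the example below illustrates the general mechanism rather than that specific bug. ESP authenticates each packet with a truncated HMAC, the ICV (HMAC-SHA1-96 keeps 96 of the 160 HMAC-SHA1 bits, RFC 2404; HMAC-MD5-96 keeps 96 of 128, RFC 2403; HMAC-SHA2-256-128 keeps 128 of 256, RFC 4868). IKE negotiates the transform, but the kernel that builds and checks the ICV must use the same truncation length on both ends; if it does not, every packet fails verification at the receiver and is dropped before decryption, while IKE keeps reporting the SA as established. This is added example code, not pfSense's or FreeBSD's; the key, SPI and ciphertext are constructed, and no real ESP encryption is performed, only the header/ICV framing.

```python
"""Why a wrong ICV (integrity hash) length silently breaks an "established" tunnel.

Models only the part of ESP that matters here: SPI | seq | ciphertext | ICV,
where ICV = truncate(HMAC(key, SPI|seq|ciphertext)). The receiver recomputes
the ICV with *its* idea of the length; a mismatch drops the packet before
decryption. Key, SPI and ciphertext below are constructed for this example.
"""
import hashlib
import hmac
import struct

# ESP integrity transforms: (hash function, ICV length in bytes)
ICV_TRANSFORMS = {
    "HMAC-SHA1-96": (hashlib.sha1, 12),        # RFC 2404
    "HMAC-MD5-96": (hashlib.md5, 12),          # RFC 2403
    "HMAC-SHA2-256-128": (hashlib.sha256, 16), # RFC 4868
}


def esp_icv(key: bytes, authenticated: bytes, digest, icv_len: int) -> bytes:
    """HMAC over the ESP header and (encrypted) payload, truncated to icv_len bytes."""
    return hmac.new(key, authenticated, digest).digest()[:icv_len]


def build_esp_packet(key: bytes, spi: int, seq: int, ciphertext: bytes,
                     digest, icv_len: int) -> bytes:
    """What the sender's kernel emits: SPI | sequence number | ciphertext | ICV."""
    authenticated = struct.pack("!II", spi, seq) + ciphertext
    return authenticated + esp_icv(key, authenticated, digest, icv_len)


def verify_esp_packet(key: bytes, packet: bytes, digest, icv_len: int) -> bool:
    """Receiver side: split off icv_len trailing bytes, recompute, compare in constant time."""
    if len(packet) < 8 + icv_len:
        return False
    authenticated, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, authenticated, digest, icv_len))


def demo() -> dict:
    """Same key and same negotiated transform on both ends, but one kernel
    uses the full 160-bit SHA-1 tag instead of the 96-bit truncation."""
    key = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00123456789abcdef")  # constructed
    ciphertext = bytes(range(48))  # stands in for the encrypted inner packet + ESP trailer
    sha1, good_len = ICV_TRANSFORMS["HMAC-SHA1-96"]
    bad_len = hashlib.sha1().digest_size  # 20 bytes: the "wrong size" kernel

    good_pkt = build_esp_packet(key, 0xC1A2B3C4, 1, ciphertext, sha1, good_len)
    bad_pkt = build_esp_packet(key, 0xC1A2B3C4, 1, ciphertext, sha1, bad_len)
    return {
        # healthy: both ends truncate to 96 bits
        "both_sides_96_bits": verify_esp_packet(key, good_pkt, sha1, good_len),
        # our kernel expects a 20-byte ICV: it slices 8 bytes of ciphertext into
        # the "ICV" and authenticates too little data, so every inbound packet fails
        "receiver_expects_full_tag": verify_esp_packet(key, good_pkt, sha1, bad_len),
        # our kernel emits a 20-byte ICV: the peer sees 8 extra bytes of "payload"
        # and a 12-byte ICV that never matches, so every outbound packet fails there
        "sender_wrote_full_tag": verify_esp_packet(key, bad_pkt, sha1, good_len),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28} {'accepted' if accepted else 'DROPPED'}")
```

Nothing in this exchange is visible to IKE: the IKE SA was negotiated in its own messages with its own integrity check, so `ipsec statusall` keeps showing ESTABLISHED while the kernel drops ESP on both ends and the inbound byte counters stay at zero.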
hoanghaibinh

Thanks a lot! I upgraded to the latest snapshot. It's working now!

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.