IPsec tunnels display "connection established" but cannot ping peer internal IP
-
To my knowledge, when we configure VPN connections, the system rules are automatically made to allow IPsec protocol traffic through the WAN, and we create rules manually to allow traffic to pass the IPsec interface (the IPsec or OpenVPN interfaces are only present after we create an IPsec connection). So I suspect the lack of some routing configs in the routing table or some system rules has caused these errors.
-
IPSec Mobile Client
Mutual PSK
Virtual Address Pool: 172.16.94.0/24

Can someone please check if that route is right? (it doesn't look possible)

Destination  Gateway                     Flags  Use  Mtu   Netif
172.16.94.1  [Primary-GW-IP-of-pfSense]  UGHS   0    1500  hn0
Same config in 2.1.5, but I don't have this route and traffic passes through.
-
I don't have much to add other than I too have this issue. I show connection on both ends but no traffic passes. Changing from DES to AES 128 makes no difference.
I will help test in any way if needed just let me know.
I'm on the 10/3 snapshot on MS Hyper-V.
-
I found this link on Google and hope this helps, since it seems that the description in this case is quite similar to ours:
https://forums.freebsd.org/viewtopic.php?&t=36125
I haven't got much time to try this right now, but I'll manage to do it soon and let you know the result.
-
Thanks for the pointer. Unfortunately I am not really able to test that on my systems, as I don't really know how to modify the mentioned pf rules etc.
I compared the output of "netstat -r" (= routes) between the beta and stable 2.1.5 right now.
I see explicit routes to the IP of the other IPsec gateway on 2.1.5, while they are missing on the beta. I have no idea if that matters; it's just what I was thinking of and checking … I've got to try to add these routes on the beta and re-test pinging (after writing this reply ...).
While I let ping run I checked pftop/pfinfo and couldn't spot dropped packets ...
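An added example, not from this thread or from pfSense: a small audit over a saved "netstat -rn" dump that checks for the two things posters above are looking at by hand (a missing explicit host route to the IPsec peer, and routes for the mobile pool gateway or the default route leaving via an interface other than WAN). The route dumps below are constructed; the peer, WAN interface and pool gateway arguments are assumptions you supply for your own box.

```shell
#!/bin/sh
# audit_routes: inspect a FreeBSD/pfSense "netstat -rn" dump (read on stdin)
# for the symptoms discussed in the thread. Column names are taken from the
# header line, so extra columns (Refs, Expire) do not break the parsing.
#   usage: audit_routes PEER_IP WAN_IF [POOL_GW]  < dump
#   prints one finding per line; exit 0 when nothing was flagged, 1 otherwise
audit_routes() {
    peer=$1; wan_if=$2; poolgw=${3:-}
    awk -v peer="$peer" -v wan="$wan_if" -v poolgw="$poolgw" '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        # default route should still leave via the WAN interface, not enc/ipsec
        $col["Destination"] == "default" && $col["Netif"] != wan {
            print "default route leaves via " $col["Netif"] " not " wan; bad = 1 }
        # a host route for the virtual pool gateway pointing out the WAN is the
        # route questioned earlier in the thread; flag it for review
        poolgw != "" && $col["Destination"] == poolgw && $col["Netif"] == wan {
            print "virtual pool gateway " poolgw " routed out WAN " wan; bad = 1 }
        $col["Destination"] == peer { seen_peer = 1 }
        END {
            if (!seen_peer) { print "no host route to peer " peer; bad = 1 }
            exit bad
        }'
}

# Constructed dump resembling a healthy 2.1.5 table: peer host route present,
# default route via the WAN interface hn0 (addresses are documentation ranges).
GOOD_ROUTES='Destination      Gateway       Flags  Use  Mtu   Netif
default          203.0.113.1   UGS    0    1500  hn0
198.51.100.7     203.0.113.1   UGHS   0    1500  hn0
192.168.1.0/24   link#2        U      0    1500  hn1'

# Constructed dump showing all three findings at once.
BAD_ROUTES='Destination      Gateway       Flags  Use  Mtu   Netif
default          10.0.0.1      UGS    0    1500  enc0
172.16.94.1      203.0.113.1   UGHS   0    1500  hn0
192.168.1.0/24   link#2        U      0    1500  hn1'

# Stand-alone run: compare a live box with  netstat -rn | audit_routes ...
printf '%s\n' "$GOOD_ROUTES" | audit_routes 198.51.100.7 hn0 172.16.94.1 \
    && echo "good table: no findings"
printf '%s\n' "$BAD_ROUTES" | audit_routes 198.51.100.7 hn0 172.16.94.1 \
    || echo "bad table: findings above"
```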
-
So basically site-to-site IPsec is broken now, correct? Has anyone got it to work yet?
-
I am unsure why it does not work for some people.
For me on first setup it works!
-
@ermal:
I am unsure why it does not work for some people.
For me on first setup it works!
Maybe it is related to the upgrade procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?
-
@sgw:
Maybe it is related to the upgrade procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?
No, I had a clean 2.2 install that was working well (road warrior config, Shrew Soft client), then it stopped working at some point with a new snapshot. I believe it stopped working after pfSense updated strongSwan from 5.1.x to 5.2.0, and/or FreeBSD 10.0 to 10.1 prerelease. Same symptoms as reported here: tunnel is established, but no traffic can pass.
@ermal:
I am unsure why it does not work for some people.
For me on first setup it works!
Site-to-site or mobile client? Can you post a config that works?
-
Next snapshot should fix the issue.
-
@ermal:
Next snapshot should fix the issue.
Cool. Can you point us at the bug/commit solving this? I am interested in what the issue was. Thanks!
-
The issue was that some hashes had the wrong size in the kernel due to some improvements done to IPsec.
That has been fixed now.
-
Thanks a lot! I upgraded to the latest snapshot. It's working now!
-
Kinda works for me, although the default gateway gets set to the IPsec connection. (OS X Mavericks)
Can't figure out why, as I've only chosen the LAN subnet in phase 2 and am running a similar config on 2.1.5 without problems. Anyone got the same problem?
-
although the default gateway gets set to the IPsec connection. (OS X Mavericks)
Can you show your IPsec config in more detail? What do you mean by "OS X Mavericks" here?