IPSEC tunnels display "connection established" but cannot ping peer internal IP
-
So I suspect the lack of some routing configs in the routing table, or some system rules, has caused these errors.
IPSec Mobile Client
Mutual PSK
Virtual Address Pool: 172.16.94.0/24

Can someone please check if that route is right? (it doesn't look possible)
Destination   Gateway                      Flags  Use  Mtu   Netif
172.16.94.1   [Primary-GW-IP-of-pfSense]   UGHS   0    1500  hn0
Same config in 2.1.5, but I don't have this route and traffic passes through.
-
I don't have much to add other than I too have this issue. I show a connection on both ends (changing from DES to AES 128), but no traffic passes. Changing from DES to AES makes no difference.
I will help test in any way if needed just let me know.
I'm on the 10/3 snapshot on MS Hyper-V.
-
I found this link on Google and hope this helps, since it seems that the description in this case is quite similar to ours:
https://forums.freebsd.org/viewtopic.php?&t=36125
I haven't got much time to try this right now, but I'll manage to do it soon and let you know the result.
-
Thanks for the pointer, unfortunately I am not really able to test that on my systems as I don't really know how to modify the mentioned pf-rules etc.
I compared the output of "netstat -r" (= routes) between the beta and stable 2.1.5 right now.
I see explicit routes to the IP of the other IPSEC gateway on 2.1.5, while they are missing on the beta. I have no idea if that matters; it's just what I was thinking of and checking … I've got to try to add these routes on the beta and re-test pinging (after writing this reply ...).
While I let ping run, I checked pftop/pfinfo and couldn't spot dropped packages ...
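As an added illustration (not code from this thread or from pfSense), here is a small Python script that does the comparison sgw describes above: it parses two "netstat -rn" tables, lists routes present on the 2.1.5 box but missing on the beta, and shows which entry (if any, other than the default route) would carry traffic to the peer gateway. The sample tables, addresses and interface names are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed sample "netstat -rn" (IPv4) output from two boxes; made-up addresses.
# The reference box has an explicit host route to the IPsec peer gateway (198.51.100.7),
# the candidate box does not, mirroring the difference observed between 2.1.5 and the beta.
NETSTAT_215 = """\
Destination        Gateway            Flags    Netif Expire
default            203.0.113.1        UGS      hn0
127.0.0.1          link#2             UH       lo0
192.0.2.0/24       link#1             U        hn1
198.51.100.7       203.0.113.1        UGHS     hn0
203.0.113.0/24     link#3             U        hn0
"""

NETSTAT_22BETA = """\
Destination        Gateway            Flags    Netif Expire
default            203.0.113.1        UGS      hn0
127.0.0.1          link#2             UH       lo0
192.0.2.0/24       link#1             U        hn1
203.0.113.0/24     link#3             U        hn0
"""


def parse_routes(text):
    """Return {destination: (gateway, flags, netif)} from netstat -rn output."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Destination", "Internet:", "Internet6:"):
            continue  # skip headers and section markers
        routes[parts[0]] = (parts[1], parts[2], parts[3])
    return routes


def routes_to_host(routes, host):
    """Non-default entries whose destination covers `host`, most specific first.
    An empty result means the host would fall through to the default route."""
    ip = ipaddress.ip_address(host)
    hits = []
    for dest, info in routes.items():
        try:
            net = ipaddress.ip_network(dest, strict=False)  # bare host becomes /32
        except ValueError:
            continue  # "default", scoped IPv6 (fe80::%hn0) and the like
        if ip in net:
            hits.append((net.prefixlen, dest, info))
    hits.sort(reverse=True)
    return [(dest, info) for _, dest, info in hits]


def missing_routes(reference_text, candidate_text):
    """Destinations present in the reference table but absent from the candidate."""
    ref, cand = parse_routes(reference_text), parse_routes(candidate_text)
    return {dest: ref[dest] for dest in ref if dest not in cand}
```

Run it against real output by replacing the two constants with the saved "netstat -rn" text from each box and calling missing_routes() and routes_to_host() with the peer gateway address.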
-
So basically site-to-site IPsec is broken now, correct? Has anyone got it to work yet?
-
I am unsure why it does not work for some people.
For me on first setup it works!
-
@ermal:
I am unsure why it does not work for some people.
For me on first setup it works!
Maybe it is related to the upgrade-procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?
-
@sgw:
Maybe it is related to the upgrade-procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?
No, I had a clean 2.2 install that was working well (road warrior config, shrewsoft client), then stopped working at some point with a new snapshot. I believe it stopped working after pfSense updated Strongswan from 5.1.x to 5.2.0, and/or FreeBSD 10.0 to 10.1 prerelease. Same symptoms as reported here: tunnel is established, but no traffic can pass.
@ermal:
I am unsure why it does not work for some people.
For me on first setup it works!
Site-to-site or mobile client? Can you post a config that works?
-
Next snapshot should fix the issue.
-
@ermal:
Next snapshot should fix the issue.
Cool. Can you point us at the bug/commit solving this? I am interested in what the issue was. Thanks!
-
The issue was that some hashes had the wrong size in the kernel due to some improvements done to IPsec.
That has been fixed now.
-
Thanks a lot! I upgraded to the latest snapshot. It's working now!
-
Kinda works for me, although the default gateway gets set to the IPSec connection. (OS X Mavericks)
Can't figure out why, as I've only chosen the LAN subnet in phase 2 and am running a similar config on 2.1.5 without problems. Anyone got the same problem?
-
although the default gateway gets set to the IPSec connection. (OS X Mavericks)
Can you show your IPSec config in more detail? What do you mean by "OS X Mavericks" here?