Netgate Discussion Forum

IPsec tunnels display "connection established" but cannot ping peer internal IP

Category: 2.2 Snapshot Feedback and Problems - RETIRED
38 Posts 9 Posters 17.4k Views
    hege, Oct 2, 2014, 5:29 PM (last edited Oct 2, 2014, 6:23 PM)

    @hoanghaibinh:

    So I suspect the lack of some routing configs in the routing table or some system rules has caused these errors.

    IPSec Mobile Client
      Mutual PSK
      Virtual Address Pool: 172.16.94.0/24

    Can someone please check if that route is right? (it doesn't look possible)

    Destination     Gateway                      Flags   Use   Mtu    Netif
    172.16.94.1     [Primary-GW-IP-of-pfSense]   UGHS    0     1500   hn0

    Same config on 2.1.5, but there I don't have this route and traffic passes through.

      whitewidow, Oct 3, 2014, 4:50 PM

      I don't have much to add other than that I too have this issue. I show a connection on both ends, but no traffic passes. Changing from DES to AES 128 makes no difference.

      I will help test in any way if needed just let me know.

      I'm on the 10/3 snapshot on MS Hyper-V.

        hoanghaibinh, Oct 3, 2014, 5:36 PM (last edited Oct 3, 2014, 6:18 PM)

        I found this link on Google and hope it helps, since the description in that case seems quite similar to ours:
        https://forums.freebsd.org/viewtopic.php?&t=36125
        I haven't got much time to try this right now but I'll manage to do it soon and let you know the result.

          sgw, Oct 6, 2014, 4:04 PM

          Thanks for the pointer. Unfortunately I am not really able to test that on my systems, as I don't really know how to modify the mentioned pf rules etc.

          I compared the output of "netstat -r" (=routes) between the beta and stable 2.1.5 right now.

          I see explicit routes to the IP of the other IPsec gateway on 2.1.5, while they are missing on the beta. I have no idea if that matters; it's just what I was thinking of and checking … got to try to add these routes on the beta and re-test pinging (after writing this reply ...).

          While I let ping run I checked pftop/pfinfo and couldn't spot dropped packets ...

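The route-table check hege asks for above and the `netstat -r` comparison sgw describes can be done mechanically rather than by eye. The following Python script is an added example, not code from this thread or from pfSense: it parses two FreeBSD `netstat -rn` dumps, lists routes present on one system but not the other (the comparison sgw made between 2.1.5 and the 2.2 beta), and flags host routes into a configured IPsec address pool whose next hop is the WAN gateway, the pattern in hege's table. The two route dumps, the addresses (203.0.113.1 as the WAN gateway, 192.0.2.10 as the remote IPsec peer, the 172.16.94.0/24 mobile-client pool) and the interface names are constructed for the example. Whether such a route is actually harmful depends on how the IPsec policies are installed, so the script only reports it for review.

```python
"""Compare two FreeBSD `netstat -rn` dumps and flag routes worth a second look."""
import ipaddress

# Constructed sample output in FreeBSD `netstat -rn` layout (not captured from
# the systems in the thread). 203.0.113.1 stands in for the pfSense WAN
# gateway, 192.0.2.10 for the remote IPsec peer, hn0/hn1 for WAN/LAN.
NETSTAT_215 = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0    12345    hn0
127.0.0.1          link#3             UH          0      100    lo0
192.0.2.10         203.0.113.1        UGHS        0     4321    hn0
192.168.1.0/24     link#2             U           0     9999    hn1
203.0.113.0/24     link#1             U           0     5555    hn0
"""

NETSTAT_22 = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0     1234    hn0
127.0.0.1          link#3             UH          0       10    lo0
172.16.94.1        203.0.113.1        UGHS        0        0    hn0
192.168.1.0/24     link#2             U           0      999    hn1
203.0.113.0/24     link#1             U           0      555    hn0
"""


def parse_netstat(text):
    """Return {destination: (gateway, flags, netif)} for the IPv4 table.

    The Netif column is located from the header line, so both the older
    layout (with Refs/Use columns) and the newer one without them parse.
    """
    routes = {}
    netif_col = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            if netif_col is not None:
                break  # blank line ends the IPv4 table; IPv6 follows it
            continue
        if fields[0] == "Destination":
            netif_col = fields.index("Netif")
            continue
        if netif_col is None:
            continue  # "Routing tables" / "Internet:" preamble
        dest, gateway, flags = fields[0], fields[1], fields[2]
        routes[dest] = (gateway, flags, fields[netif_col])
    return routes


def diff_routes(old, new):
    """Destinations only in `old`, only in `new`, and in both but different."""
    only_old = sorted(set(old) - set(new))
    only_new = sorted(set(new) - set(old))
    changed = sorted(d for d in set(old) & set(new) if old[d] != new[d])
    return only_old, only_new, changed


def routes_into_pool(routes, pools, wan_gateway):
    """Host routes (flag H) for addresses inside `pools` whose next hop is
    `wan_gateway`, i.e. the pattern hege asked about; returned for review."""
    nets = [ipaddress.ip_network(p) for p in pools]
    found = []
    for dest, (gateway, flags, _netif) in routes.items():
        if "H" not in flags or gateway != wan_gateway:
            continue
        try:
            addr = ipaddress.ip_address(dest.split("/")[0])
        except ValueError:
            continue  # non-IP destination such as "default"
        if any(addr in n for n in nets):
            found.append(dest)
    return sorted(found)


if __name__ == "__main__":
    old, new = parse_netstat(NETSTAT_215), parse_netstat(NETSTAT_22)
    only_old, only_new, changed = diff_routes(old, new)
    print("only on 2.1.5:", only_old)
    print("only on 2.2 beta:", only_new)
    print("changed:", changed)
    print("pool host routes via WAN gateway on 2.2 beta:",
          routes_into_pool(new, ["172.16.94.0/24"], "203.0.113.1"))
```

Run it against real dumps by replacing the two constants with the output of `netstat -rn` from each box; the diff shows the missing peer route sgw noticed, and the pool check lists the 172.16.94.1 host route from hege's table.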
            whitewidow, Oct 7, 2014, 3:23 AM

            So basically site-to-site IPsec is broken now, correct? Has anyone got it to work yet?

              eri--, Oct 7, 2014, 10:02 AM

              I am unsure why it does not work for some people.

              For me on first setup it works!

                sgw, Oct 7, 2014, 10:06 AM

                @ermal:

                I am unsure why it does not work for some people.

                For me on first setup it works!

                Maybe it is related to the upgrade procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?

                  charliem, Oct 7, 2014, 11:35 AM

                  @sgw:

                  Maybe it is related to the upgrade procedure? Maybe the tunnel configs aren't transferred correctly when we upgrade from 2.1.5 to 2.2-beta?

                  No, I had a clean 2.2 install that was working well (road warrior config, Shrew Soft client), then it stopped working at some point with a new snapshot. I believe it stopped working after pfSense updated strongSwan from 5.1.x to 5.2.0, and/or FreeBSD 10.0 to 10.1-PRERELEASE. Same symptoms as reported here: tunnel is established, but no traffic can pass.

                  @ermal:

                  I am unsure why it does not work for some people.

                  For me on first setup it works!

                  Site-to-site or mobile client? Can you post a config that works?

                    eri--, Oct 7, 2014, 5:46 PM

                    Next snapshot should fix the issue.

                      sgw, Oct 7, 2014, 6:57 PM

                      @ermal:

                      Next snapshot should fix the issue.

                      Cool. Can you point us at the bug/commit solving this? I am interested in what the issue was. Thanks!

                        eri--, Oct 7, 2014, 7:26 PM

                        The issue was that some hashes had the wrong size in the kernel due to some improvements done to IPsec.

                        That has been fixed now.

                          hoanghaibinh, Oct 8, 2014, 12:58 AM

                          Thanks a lot! I upgraded to the latest snapshot. It's working now!

                            sgw, Oct 8, 2014, 4:21 AM

                            @hoanghaibinh:

                            Thanks a lot! I upgraded to the latest snapshot. It's working now!

                            Same here, great!

                              filnko, Oct 8, 2014, 9:54 PM

                              Kinda works for me, although the default gateway gets set to the IPsec connection. (OS X Mavericks)
                              Can't figure out why, as I've only chosen the LAN subnet in phase 2 and am running a similar config on 2.1.5 without problems.

                              Anyone got the same problem?

                                hoanghaibinh, Oct 9, 2014, 1:54 AM

                                @filnko:

                                although the default gateway gets set to the IPsec connection. (OS X Mavericks)

                                Can you show your IPsec config in more detail? What do you mean by "OS X Mavericks" here?

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.