Ipsec v1 - no traffic
-
Hi,
I can't send traffic over my IPsec connection with 2.2 (I've tried every snapshot from the last 2 months).
If I use the same setup with 2.1.5, I can send traffic immediately. The only difference I've found is the route with the current 2.2.
Setup:
Complete fresh installation (without importing anything)
IPsec v1 Mobile Client
Mobile clients: Virtual address pool: 192.168.44.0/24 / Provide a list of accessible networks to clients
PH1: v1 / Mutual PSK / Aggressive / AES256 / SHA1 / DH5 / DPD / NAT-T enabled
PH2: Tunnel IPv4 / LAN subnet / ESP / AES256 / SHA1 / PFS5
pfSense 2.2 / WAN Static IP / LAN: 10.20.30.251/24
Shrew Soft Client / behind a pfSense 2.1 / LAN: 10.27.30.251/24
I've already created rules to allow all protocols on the WAN, LAN and IPsec interfaces... (not necessary, I know)
setkey -D
93.129.14.20 62.128.115.85
  esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
  E: rijndael-cbc 234b1565 3c132fe5 4dbb2852 00226f69 2e2cc005 69afdee9 6a6dae7d b0ca2d2a
  A: hmac-sha1 a1ae239a 277baa0d 95b8376a b394072a a8c5e820
  seq=0x00000000 replay=32 flags=0x00000000 state=mature
  created: Oct 14 21:30:11 2014  current: Oct 14 21:30:34 2014
  diff: 23(s)  hard: 3600(s)  soft: 2592(s)
  last:  hard: 0(s)  soft: 0(s)
  current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
  allocated: 0  hard: 0  soft: 0
  sadb_seq=2 pid=51565 refcnt=1
62.128.115.85 93.129.14.20
  esp mode=any spi=3416878343(0xcba96d07) reqid=1(0x00000001)
  E: rijndael-cbc ffd4f217 207506d5 fd1b885e b5a7da35 6f23db1c 79e94d42 58b2fb77 000385b5
  A: hmac-sha1 71f401ee bdaace50 ba876af8 faf14c78 ef2190a3
  seq=0x00000000 replay=32 flags=0x00000000 state=mature
  created: Oct 14 21:30:11 2014  current: Oct 14 21:30:34 2014
  diff: 23(s)  hard: 3600(s)  soft: 2653(s)
  last:  hard: 0(s)  soft: 0(s)
  current: 0(bytes)  hard: 0(bytes)  soft: 0(bytes)
  allocated: 0  hard: 0  soft: 0
  sadb_seq=1 pid=51565 refcnt=1
62.128.115.85 93.129.14.20
  esp mode=any spi=3303778327(0xc4eba817) reqid=1(0x00000001)
  seq=0x00000000 replay=0 flags=0x00000000 state=larval
  sadb_seq=0 pid=51565 refcnt=1
netstat -r
Routing tables

Internet:
Destination         Gateway             Flags   Netif Expire
default             93-129-14-17.rev.i  UGS     hn0
10.20.30.0          link#6              U       hn1
fw20                link#6              UHS     lo0
93.129.14.16/29     link#5              U       hn0
93-129-14-20.rev.i  link#5              UHS     lo0
localhost           link#3              UH      lo0
192.168.44.1        93-129-14-17.rev.i  UGHS    hn0
ipsec.conf
# This file is automatically generated. Do not edit
config setup
	uniqueids = yes
	charondebug="ike 2"

conn con1
	aggressive = yes
	fragmentation = yes
	keyexchange = ikev1
	reauth = yes
	rekey = yes
	reqid = 1
	installpolicy = yes
	type = tunnel
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = 93.129.14.20
	right = %any
	leftid = 93.129.14.20
	ikelifetime = 28800s
	lifetime = 3600s
	rightsourceip = 192.168.44.0/24
	rightsubnet = 192.168.44.0/24
	leftsubnet = 10.20.30.0/24
	ike = aes256-sha1-modp1536!
	esp = aes256-sha1-modp1536!
	leftauth = psk
	rightauth = psk
Any ideas?
-
Try adding a P2 policy for 0.0.0.0/0 and see if Shrew will work then. Shrew can be quite picky about pulling its remote network policies sometimes.
You might also try toggling Shrew's option to 'tunnel all' to see if that helps.
-
That was fast.
leftsubnet = 0.0.0.0/0
Works!!!!! Thank you very much.
But I still have no idea why my setup works in 2.1.5 but not in 2.2 :(
-
The IPsec backend changed between 2.1.x and 2.2. On 2.1.x it's racoon, on 2.2 it's strongswan.
The difference is in how racoon sends the network data to shrew compared to how strongswan sends it.
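The setkey -D dump in the first post already contains the diagnosis: both ESP SAs are state=mature (phase 1 and phase 2 completed, keys installed) but show current: 0(bytes) in both directions, so no packet on either side ever matched the installed policy. That pattern points at a traffic-selector (P2 network) mismatch, which is exactly what the leftsubnet = 0.0.0.0/0 change fixed, rather than at a crypto or IKE failure. The script below is an added example, not code from the thread or from pfSense/strongSwan: it parses setkey -D output into SA records and classifies the SA pair from the gateway's point of view. The sample input is constructed from the three SAs posted above (key bytes truncated); the local WAN address 93.129.14.20 is passed in by the caller, and the verdict codes are this example's own names.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the three SAs from the post above, laid out the way
# setkey -D normally prints them (values as posted, key bytes truncated here).
SAMPLE_SETKEY_D = """\
93.129.14.20 62.128.115.85
\tesp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
\tE: rijndael-cbc  234b1565 3c132fe5 4dbb2852 00226f69
\tA: hmac-sha1  a1ae239a 277baa0d 95b8376a b394072a a8c5e820
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
\tcreated: Oct 14 21:30:11 2014\tcurrent: Oct 14 21:30:34 2014
\tdiff: 23(s)\thard: 3600(s)\tsoft: 2592(s)
\tlast:\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=2 pid=51565 refcnt=1
62.128.115.85 93.129.14.20
\tesp mode=any spi=3416878343(0xcba96d07) reqid=1(0x00000001)
\tE: rijndael-cbc  ffd4f217 207506d5 fd1b885e b5a7da35
\tA: hmac-sha1  71f401ee bdaace50 ba876af8 faf14c78 ef2190a3
\tseq=0x00000000 replay=32 flags=0x00000000 state=mature
\tcreated: Oct 14 21:30:11 2014\tcurrent: Oct 14 21:30:34 2014
\tdiff: 23(s)\thard: 3600(s)\tsoft: 2653(s)
\tlast:\thard: 0(s)\tsoft: 0(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tallocated: 0\thard: 0\tsoft: 0
\tsadb_seq=1 pid=51565 refcnt=1
62.128.115.85 93.129.14.20
\tesp mode=any spi=3303778327(0xc4eba817) reqid=1(0x00000001)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
\tsadb_seq=0 pid=51565 refcnt=1
"""

# Start of one SA entry: "<src> <dst> esp mode=<mode> spi=<dec>(<hex>)".
SA_HEADER = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>esp|ah)\s+mode=(?P<mode>\w+)\s+spi=\d+\((?P<spi>0x[0-9a-f]+)\)"
)


@dataclass
class SA:
    src: str
    dst: str
    proto: str
    mode: str
    spi: str            # hex SPI as setkey prints it
    state: str          # larval (SPI reserved, no keys yet) / mature / dying / dead
    bytes_current: int  # bytes that have used this SA since it was created
    age_s: int          # seconds since creation ("diff")
    hard_life_s: int    # hard lifetime in seconds


def _int_field(body: str, pattern: str, default: int = 0) -> int:
    m = re.search(pattern, body)
    return int(m.group(1)) if m else default


def parse_setkey_dump(text: str) -> List[SA]:
    """Parse setkey -D output into SA records. Only whitespace-tolerant regexes
    are used, so the flattened one-line paste from a forum parses the same as
    the real multi-line output."""
    heads = list(SA_HEADER.finditer(text))
    sas = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[h.end():end]
        state = re.search(r"state=(\w+)", body)
        sas.append(SA(
            src=h["src"], dst=h["dst"], proto=h["proto"], mode=h["mode"], spi=h["spi"],
            state=state.group(1) if state else "unknown",
            # "current: 0(bytes)" is the byte counter; "current: Oct 14 ..." is a timestamp
            bytes_current=_int_field(body, r"current:\s*(\d+)\(bytes\)"),
            age_s=_int_field(body, r"diff:\s*(\d+)\(s\)"),
            hard_life_s=_int_field(body, r"hard:\s*(\d+)\(s\)"),  # first "hard:" is the lifetime
        ))
    return sas


def diagnose(sas: List[SA], local_ip: str) -> Tuple[str, str]:
    """Classify the SA pair as seen from local_ip (this gateway's own WAN address).
    An SA whose src is local_ip carries our outbound ESP; dst == local_ip is inbound."""
    mature = [s for s in sas if s.state == "mature"]
    larval = [s for s in sas if s.state == "larval"]
    if not mature:
        return "NO_MATURE_SA", f"no usable SA ({len(larval)} still larval): phase 2 never completed"
    out_bytes = sum(s.bytes_current for s in mature if s.src == local_ip)
    in_bytes = sum(s.bytes_current for s in mature if s.dst == local_ip)
    if out_bytes == 0 and in_bytes == 0:
        return ("NO_TRAFFIC_BOTH",
                "SAs are mature but neither side has put a packet through them: the P2 "
                "traffic selectors do not match what either peer sends, so this is a "
                "policy problem, not a crypto or IKE problem")
    if out_bytes and not in_bytes:
        return "OUTBOUND_ONLY", "we encrypt toward the peer but nothing comes back: check the peer's policy, route and firewall"
    if in_bytes and not out_bytes:
        return "INBOUND_ONLY", "peer's packets arrive but we never answer into the tunnel: check local route, policy and IPsec firewall rules"
    return "OK", f"traffic flowing: {out_bytes} B out, {in_bytes} B in"


def report(text: str, local_ip: str) -> str:
    """Print a one-line summary per SA plus the verdict; returns the verdict code."""
    sas = parse_setkey_dump(text)
    for s in sas:
        direction = "out" if s.src == local_ip else "in "
        print(f"{direction} {s.src:>15} -> {s.dst:<15} spi={s.spi} state={s.state:<7} "
              f"bytes={s.bytes_current} age={s.age_s}s/{s.hard_life_s}s")
    code, why = diagnose(sas, local_ip)
    print(f"verdict: {code}: {why}")
    return code


if __name__ == "__main__":
    report(SAMPLE_SETKEY_D, "93.129.14.20")
```

Run it against a live dump with something like `setkey -D | python3 sa_check.py` after changing the last lines to read stdin; on the posted data it reports NO_TRAFFIC_BOTH. The third, larval entry is an SPI that has been reserved but not yet keyed and is not by itself the problem here, since a mature pair already exists. Note that once the P2 policy is widened to 0.0.0.0/0 the client will send all of its traffic into the tunnel, so the rules on the IPsec interface become the only thing limiting what a connected mobile client can reach.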