    IPsec tunnel problem with 2.1.5 and 2.2rc

    Forum: 2.2 Snapshot Feedback and Problems - RETIRED
      eri--

      This happens even when you are initiator?

      I believe your other side is coming in on your other interface while you expect it on WAN?

        tracer

        I think this end is initiator and responder, b/c the other side opens the tunnels as well.
        BTW I already did a packet trace on the "other" interface to see if there's traffic (UDP port 500) coming or going.
        Nothing !
        But I can check the other Pfs 2.1.5 tomorrow.
        I deliberately changed the tunnel to this other IF and checked that the dyn address points to the correct IP and IF.

          tracer

          Update:
          Just checked the 2.1.5 side and no packets go to the wrong public IF of the 2.2.

            tracer

            Updated and still the same tunnel problems?

            2.2-RC (amd64)
            built on Fri Jan 16 11:53:08 CST 2015

            @Ermal: Do you think my NAT & firewall rules are ok on the WAN IF?

              doktornotor

              What NAT again? You've already been told you cannot NAT IPsec.

                tracer

                ::)
                Outbound NAT:
                Automatic Rules.

                And pls let me know where I was told to "not NAT IPsec"?

                  tracer

                  And BTW I just captured packets on my WAN and could see ISAKMP (Main Mode) going back and forth between both pfSenses.

                    doktornotor

                    @tracer:

                    And pls let me know where I was told to "not NAT IPsec"?

                    https://forum.pfsense.org/index.php?topic=86590.msg475029#msg475029

                      tracer

                      @doktornotor: Checking my reply, I said I removed "any NAT rules", meaning the ones I manually created!
                      But as known, the "Automatic Outbound NAT rules" persist due to the mode!
                      So I'm pretty sure that if the config is correctly interpreted by pfSense, no manual rule should interfere.

                      But my question was whether any of the other inbound rules could interfere with VPN?
                      Do you have an answer for this?

                        cmb

                        The automatic outbound NAT rules won't hurt anything with IPsec.

                        For inbound, if you have a port forward on UDP 500 or ESP traffic, that'll break it also. If you have a 1:1 NAT using the public IP where it terminates, that'll forward the traffic to an internal host and break things as well.

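                        The two inbound NAT conflicts cmb describes (a port forward catching UDP 500/4500 or ESP, and a 1:1 NAT on the public IP the tunnel terminates on) can be checked mechanically against a config backup. This is an added example, not pfSense code or anything posted in this thread; it assumes the config.xml element names shown (`nat/rule`, `nat/onetoone`, `external`) and runs on a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (not a real pfSense export);
# element names follow pfSense's config.xml as I understand it (assumption).
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule>
      <interface>wan</interface>
      <protocol>udp</protocol>
      <destination><network>wanip</network><port>500</port></destination>
      <target>192.168.1.10</target>
    </rule>
    <onetoone>
      <interface>wan</interface>
      <external>203.0.113.5</external>
      <source><address>192.168.1.30</address></source>
    </onetoone>
  </nat>
</pfsense>"""


def text(elem, path):
    """Text of a child element, '' when absent."""
    node = elem.find(path)
    return (node.text or "").strip() if node is not None else ""


def covers_ipsec_port(port_spec):
    """True if a port value ('500', '500-510', '' for any) includes IKE (500) or NAT-T (4500)."""
    if not port_spec:
        return True  # no port restriction: every UDP datagram is forwarded
    lo, _, hi = port_spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return any(lo <= p <= hi for p in (500, 4500))


def ipsec_nat_conflicts(config_xml, wan_ip):
    """List NAT entries that would steer IKE/ESP to an internal host before
    the IPsec daemon on the firewall ever sees it."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind("./nat/rule"):  # inbound port forwards
        proto = text(rule, "protocol").lower()
        port = text(rule, "destination/port")
        if proto == "esp" or ("udp" in proto and covers_ipsec_port(port)):
            findings.append(f"port forward {proto}/{port or 'any'} on {text(rule, 'interface')} -> {text(rule, 'target')}")
    for one in root.iterfind("./nat/onetoone"):  # 1:1 NAT on the tunnel endpoint IP
        if text(one, "external") == wan_ip:
            findings.append(f"1:1 NAT on {wan_ip} -> {text(one, 'source/address')}")
    return findings
```

Run it with the WAN address the remote peer is configured to reach; an empty list means neither of the two inbound conflicts is present, and the automatic outbound rules can be ignored as cmb says.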
                          tracer

                          Hmm, thanks, but I can't find any inbound NATs with 500.
                          Maybe we should look at it using our old support contract?

                            cmb

                            @tracer:

                            Maybe we should look at it using our old support contract?

                            Commercial support is definitely the best answer. Your support expired over 5 years ago though. If you purchase to activate support on your account again, we can definitely assist.

                              tracer

                              I'll pm you on this, ok ?
