Half IPsec tunnel
-
Need help or I'll go mad here.
I have HO and 8 locations, all on pfSense 2.2.2 or 2.2. Everything is working OK so far except one location. The IPsec tunnel there is working only halfway. From that location we can RDP or Radmin into HO PCs and servers, but from HO to that location we can't even ping anything. We tried different firewall boxes with pfSense 2.1.3, 2.1.5, 2.2 and 2.2.2. Same result. It says the tunnel is established on both ends, but traffic is going one way only, from remote to HO.
There are 2 more IPsec tunnels from this remote to other remotes and they are doing the same thing, letting traffic through only one way. This is what's in the IPsec log:
Apr 24 16:37:08 ipsec_starter[5766]:
Apr 24 16:37:12 charon: 15[KNL] creating acquire job for policy 96.xxx.xxx.xxx/32|/0 === 72.xxx.xxx.xxx/32|/0 with reqid {1}
Apr 24 16:37:12 charon: 15[IKE] <con1000|13> initiating Main Mode IKE_SA con1000[13] to 72.xxx.xxx.xxx
Apr 24 16:37:12 charon: 15[IKE] initiating Main Mode IKE_SA con1000[13] to 72.xxx.xxx.xxx
Apr 24 16:37:12 charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
Apr 24 16:37:12 charon: 15[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (196 bytes)
Apr 24 16:37:12 charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (176 bytes)
Apr 24 16:37:12 charon: 13[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> received XAuth vendor ID
Apr 24 16:37:12 charon: 13[IKE] received XAuth vendor ID
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> received DPD vendor ID
Apr 24 16:37:12 charon: 13[IKE] received DPD vendor ID
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> received Cisco Unity vendor ID
Apr 24 16:37:12 charon: 13[IKE] received Cisco Unity vendor ID
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> received FRAGMENTATION vendor ID
Apr 24 16:37:12 charon: 13[IKE] received FRAGMENTATION vendor ID
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> received NAT-T (RFC 3947) vendor ID
Apr 24 16:37:12 charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
Apr 24 16:37:12 charon: 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 24 16:37:12 charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (244 bytes)
Apr 24 16:37:12 charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (244 bytes)
Apr 24 16:37:12 charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 24 16:37:12 charon: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Apr 24 16:37:12 charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (68 bytes)
Apr 24 16:37:12 charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (68 bytes)
Apr 24 16:37:12 charon: 13[ENC] parsed ID_PROT response 0 [ ID HASH ]
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> IKE_SA con1000[13] established between 96.xxx.xxx.xxx[96.xxx.xxx.xxx]...72.xxx.xxx.xxx[72.xxx.xxx.xxx]
Apr 24 16:37:12 charon: 13[IKE] IKE_SA con1000[13] established between 96.xxx.xxx.xxx[96.xxx.xxx.xxx]...72.xxx.xxx.xxx[72.xxx.xxx.xxx]
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> scheduling reauthentication in 28238s
Apr 24 16:37:12 charon: 13[IKE] scheduling reauthentication in 28238s
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> maximum IKE_SA lifetime 28778s
Apr 24 16:37:12 charon: 13[IKE] maximum IKE_SA lifetime 28778s
Apr 24 16:37:12 charon: 13[ENC] generating QUICK_MODE request 1228258463 [ HASH SA No KE ID ID ]
Apr 24 16:37:12 charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (308 bytes)
Apr 24 16:37:12 charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (308 bytes)
Apr 24 16:37:12 charon: 13[ENC] parsed QUICK_MODE response 1228258463 [ HASH SA No KE ID ID ]
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> CHILD_SA con1000{1} established with SPIs c0165756_i c2211b84_o and TS 192.200.23.0/24|/0 === 192.168.31.0/24|/0
Apr 24 16:37:12 charon: 13[IKE] CHILD_SA con1000{1} established with SPIs c0165756_i c2211b84_o and TS 192.200.23.0/24|/0 === 192.168.31.0/24|/0
Apr 24 16:37:12 charon: 13[ENC] generating QUICK_MODE request 1228258463 [ HASH ]
Apr 24 16:37:12 charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (60 bytes)
It just sits there. The connection works only one way.
help?
bump
upd: I can connect to this remote router from the HO using the router's LAN address, but I can't ping or Radmin to anything on that network from HO.
-
Does the unit have an IPsec rule allowing all traffic to pass?
-
Yes, and according to all diagnostics the tunnel is established successfully.
-
I would recommend posting screenshots of your 2 configurations of P1 and P2. Also, not sure if it is needed, but I usually disable NAT-T and DPD unless something specifically requires it.
-
Is the firewall the default route at the HO? No router/L3 switch?
-
I think my issue is related to the problem when you update to 2.2.2 from 2.1.x and some files lose their user:group setting (it's been discussed in another thread here).
After applying the "cd / && chown root:wheel /*" command and restarting the firewall, different parts of it are still not functioning as they should.
For example, I can't connect to the WAN address of the firewall even if I'm trying to connect from the public address that is set in the firewall as "allowed". I had to delete a rule that allows that connection and the aliases that contained all public addresses from which the connection was allowed. After I recreated the rule and alias, I can connect to the firewall again.
Looks like something is broken in VPN routing here too.
-
Not exactly sure what happened for me, but when I upgraded from 2.2.1 to 2.2.2 half of my IPsec tunnel collapsed. I could still get to the SQL server at our hosting company with SQL Management Studio, but could not reach the other server there even with pings. I ended up rolling back to the old version and everything works again. =/. I apologize, I do not have any logs or screenshots from the failures. There were charon errors though, I do recall that. Not being able to find a file or directory or something. Seeing this post made me wonder if it was this issue.
Oh. Looks like it's that same bug a lot of others are having with multiple P2 entries. I have two P2 entries.
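A quick way to check the "multiple P2 entries" suspicion against the charon output posted in the first message, rather than the status page: the parser below (added here as an example, not code from the thread or from pfSense) pulls the established IKE_SA and CHILD_SA lines with their traffic selectors and reports which of the Phase 2 pairs you expect never came up. Only networks covered by an established CHILD_SA will carry traffic; the second expected pair in the test is a constructed placeholder, and the sample log is trimmed from the first post with the addresses masked as the poster masked them.

```python
import re

# Constructed sample: four lines trimmed from the charon log quoted in the first post.
SAMPLE_LOG = """\
Apr 24 16:37:12 charon: 15[IKE] <con1000|13> initiating Main Mode IKE_SA con1000[13] to 72.xxx.xxx.xxx
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> received NAT-T (RFC 3947) vendor ID
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> IKE_SA con1000[13] established between 96.xxx.xxx.xxx[96.xxx.xxx.xxx]...72.xxx.xxx.xxx[72.xxx.xxx.xxx]
Apr 24 16:37:12 charon: 13[IKE] <con1000|13> CHILD_SA con1000{1} established with SPIs c0165756_i c2211b84_o and TS 192.200.23.0/24|/0 === 192.168.31.0/24|/0
"""

# Phase 1 (IKE_SA) and Phase 2 (CHILD_SA) establishment lines as strongSwan's charon prints them.
IKE_RE = re.compile(r"IKE_SA (\S+)\[(\d+)\] established between (\S+)\.\.\.(\S+)")
CHILD_RE = re.compile(
    r"CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o "
    r"and TS (\S+)\|/0 === (\S+)\|/0"
)


def parse_charon_log(text):
    """Return the IKE_SAs and CHILD_SAs (with traffic selectors) found in charon output."""
    ike_sas, child_sas = [], []
    for line in text.splitlines():
        m = IKE_RE.search(line)
        if m:
            ike_sas.append({"conn": m.group(1), "id": int(m.group(2)),
                            "local": m.group(3), "remote": m.group(4)})
            continue
        m = CHILD_RE.search(line)
        if m:
            child_sas.append({"conn": m.group(1), "reqid": int(m.group(2)),
                              "spi_in": m.group(3), "spi_out": m.group(4),
                              "local": m.group(5), "remote": m.group(6)})
    return {"ike_sas": ike_sas, "child_sas": child_sas}


def missing_phase2(expected, parsed):
    """expected: list of (local_net, remote_net) P2 pairs; returns those with no CHILD_SA."""
    have = {(c["local"], c["remote"]) for c in parsed["child_sas"]}
    return [pair for pair in expected if pair not in have]


if __name__ == "__main__":
    result = parse_charon_log(SAMPLE_LOG)
    for c in result["child_sas"]:
        print(f"CHILD_SA {c['conn']}{{{c['reqid']}}}: {c['local']} <-> {c['remote']}")
    # Second pair is a placeholder for a P2 entry that never established.
    print("missing:", missing_phase2([("192.200.23.0/24", "192.168.31.0/24"),
                                      ("192.200.23.0/24", "10.99.0.0/24")], result))
```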