    Half ipsec tunnel

    covex

      Need help or I'll go mad here.
      I have HO and 8 locations, all on pfSense 2.2.2 or 2.2. Everything is working OK so far except one location. The IPsec tunnel there is working only half way. From that location we can RDP or Radmin into HO PCs and servers, but from HO to that location we can't even ping anything. We tried different firewall boxes with pfSense 2.1.3, 2.1.5, 2.2 and 2.2.2. Same result. It says the tunnel is established on both ends, but traffic is going one way only, from remote to HO.
      There are 2 more IPsec tunnels from this remote to other remotes and they are doing the same thing, letting traffic through only one way.

      This is what's in the IPsec log:

      Apr 24 16:37:08 	ipsec_starter[5766]:
      Apr 24 16:37:12 	charon: 15[KNL] creating acquire job for policy 96.xxx.xxx.xxx/32|/0 === 72.xxx.xxx.xxx/32|/0 with reqid {1}
      Apr 24 16:37:12 	charon: 15[IKE] <con1000|13>initiating Main Mode IKE_SA con1000[13] to 72.xxx.xxx.xxx
      Apr 24 16:37:12 	charon: 15[IKE] initiating Main Mode IKE_SA con1000[13] to 72.xxx.xxx.xxx
      Apr 24 16:37:12 	charon: 15[ENC] generating ID_PROT request 0 [ SA V V V V V V ]
      Apr 24 16:37:12 	charon: 15[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (196 bytes)
      Apr 24 16:37:12 	charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (176 bytes)
      Apr 24 16:37:12 	charon: 13[ENC] parsed ID_PROT response 0 [ SA V V V V V ]
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>received XAuth vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] received XAuth vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>received DPD vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] received DPD vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>received Cisco Unity vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] received Cisco Unity vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>received FRAGMENTATION vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] received FRAGMENTATION vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>received NAT-T (RFC 3947) vendor ID
      Apr 24 16:37:12 	charon: 13[IKE] received NAT-T (RFC 3947) vendor ID
      Apr 24 16:37:12 	charon: 13[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
      Apr 24 16:37:12 	charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (244 bytes)
      Apr 24 16:37:12 	charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (244 bytes)
      Apr 24 16:37:12 	charon: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
      Apr 24 16:37:12 	charon: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
      Apr 24 16:37:12 	charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (68 bytes)
      Apr 24 16:37:12 	charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (68 bytes)
      Apr 24 16:37:12 	charon: 13[ENC] parsed ID_PROT response 0 [ ID HASH ]
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>IKE_SA con1000[13] established between 96.xxx.xxx.xxx[96.xxx.xxx.xxx]...72.xxx.xxx.xxx[72.xxx.xxx.xxx]
      Apr 24 16:37:12 	charon: 13[IKE] IKE_SA con1000[13] established between 96.xxx.xxx.xxx[96.xxx.xxx.xxx]...72.xxx.xxx.xxx[72.xxx.xxx.xxx]
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>scheduling reauthentication in 28238s
      Apr 24 16:37:12 	charon: 13[IKE] scheduling reauthentication in 28238s
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>maximum IKE_SA lifetime 28778s
      Apr 24 16:37:12 	charon: 13[IKE] maximum IKE_SA lifetime 28778s
      Apr 24 16:37:12 	charon: 13[ENC] generating QUICK_MODE request 1228258463 [ HASH SA No KE ID ID ]
      Apr 24 16:37:12 	charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (308 bytes)
      Apr 24 16:37:12 	charon: 13[NET] received packet: from 72.xxx.xxx.xxx[500] to 96.xxx.xxx.xxx[500] (308 bytes)
      Apr 24 16:37:12 	charon: 13[ENC] parsed QUICK_MODE response 1228258463 [ HASH SA No KE ID ID ]
      Apr 24 16:37:12 	charon: 13[IKE] <con1000|13>CHILD_SA con1000{1} established with SPIs c0165756_i c2211b84_o and TS 192.200.23.0/24|/0 === 192.168.31.0/24|/0
      Apr 24 16:37:12 	charon: 13[IKE] CHILD_SA con1000{1} established with SPIs c0165756_i c2211b84_o and TS 192.200.23.0/24|/0 === 192.168.31.0/24|/0
      Apr 24 16:37:12 	charon: 13[ENC] generating QUICK_MODE request 1228258463 [ HASH ]
      Apr 24 16:37:12 	charon: 13[NET] sending packet: from 96.xxx.xxx.xxx[500] to 72.xxx.xxx.xxx[500] (60 bytes)

      It just sits there. The connection works only one way.

      help?

      bump

      Upd: I can connect to this remote router from the HO using the router's LAN address, but I can't ping or Radmin to anything on that network from HO.
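A quick way to read what the posted charon log actually establishes, as an added example (not code from the original post, pfSense or strongSwan): it pulls the IKE_SA and CHILD_SA "established" lines, extracts the SPIs and traffic selectors (TS), and then checks whether a given flow is covered by an established CHILD_SA on this peer and in which direction. The sample log lines are copied from the post above with the masked public addresses left as is; the host addresses used in the checks are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the two "established" lines from the charon log above
# (masked public addresses left exactly as posted; they are not parsed).
SAMPLE_LOG = """\
Apr 24 16:37:12 charon: 13[IKE] IKE_SA con1000[13] established between 96.xxx.xxx.xxx[96.xxx.xxx.xxx]...72.xxx.xxx.xxx[72.xxx.xxx.xxx]
Apr 24 16:37:12 charon: 13[IKE] CHILD_SA con1000{1} established with SPIs c0165756_i c2211b84_o and TS 192.200.23.0/24|/0 === 192.168.31.0/24|/0
"""

IKE_RE = re.compile(r"IKE_SA (\S+)\[\d+\] established between")
CHILD_RE = re.compile(
    r"CHILD_SA (\S+)\{\d+\} established with SPIs (\w+)_i (\w+)_o and TS (.+?) === (.+)$"
)


def parse_ts(field):
    """'192.200.23.0/24|/0' -> IPv4Network; the '|/0' suffix is protocol/port."""
    return [ip_network(t.split("|")[0]) for t in field.split()]


def parse_charon(log):
    """Collect established IKE_SA names and CHILD_SA selectors from a charon log."""
    ike_sas, child_sas = set(), []
    for line in log.splitlines():
        m = IKE_RE.search(line)
        if m:
            ike_sas.add(m.group(1))
            continue
        m = CHILD_RE.search(line)
        if m:
            child_sas.append({
                "conn": m.group(1), "spi_in": m.group(2), "spi_out": m.group(3),
                "local": parse_ts(m.group(4)), "remote": parse_ts(m.group(5)),
            })
    return ike_sas, child_sas


def sa_direction(child_sas, src, dst):
    """'outbound' if src is in a local TS and dst in its remote TS, 'inbound' for
    the reverse, None if no established CHILD_SA on this peer covers the flow.
    With several P2 entries, compare this per flow on both peers: a flow that is
    covered on one side but None on the other is the one-way symptom."""
    s, d = ip_address(src), ip_address(dst)
    for c in child_sas:
        if any(s in n for n in c["local"]) and any(d in n for n in c["remote"]):
            return "outbound"
        if any(s in n for n in c["remote"]) and any(d in n for n in c["local"]):
            return "inbound"
    return None
```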
      kapara

        Does the unit have an IPsec rule allowing all traffic to pass?

        Skype ID:  Marinhd

        covex

          Yes, and according to all diagnostics the tunnel is established successfully.

          kapara

            I would recommend posting screenshots of your 2 configurations of P1 and P2. Also, not sure if it is needed, but I usually disable NAT-T and DPD unless something specifically requires it.

            Skype ID:  Marinhd

            dotdash

              Firewall is the default route at the HO? No router/L3 switch?

              covex

                I think my issue is related to the problem when you update to 2.2.2 from 2.1.x and some files lose their user:group setting (it's been discussed in another thread here).
                After applying the "cd / && chown root:wheel /*" command and restarting the firewall, different parts of it are still not functioning as they should.
                For example, I can't connect to the WAN address of the firewall even if I'm trying to connect from the public address that is set in the firewall as "allowed". I had to delete the rule that allows that connection and the aliases that contained all the public addresses from which the connection was allowed. After I recreated the rule and alias I can connect to the firewall again.
                Looks like something is broken in VPN routing here too.

                jmesser

                  Not exactly sure what happened for me, but when I upgraded from 2.2.1 to 2.2.2 half of my IPsec tunnel collapsed. I could still get to the SQL server at our hosting company with SQL Management Studio, but could not reach the other server there even with pings. I ended up rolling back to the old version and everything works again. =/ I apologize, I do not have any logs or screenshots from the failures. There were charon errors though, I do recall that. Not being able to find a file or directory or something. Seeing this post made me wonder if it was this issue.

                  Oh, looks like it's that same bug a lot of others are having with multiple P2 entries. I have two P2 entries.
