Netgate Discussion Forum
    Pfsense vpn seems to be blocking return packets

    Category: IPsec
    3 Posts 2 Posters 2.6k Views
    jason0

      Hello,

      I have built an IPsec VPN that seems to get connected properly both under Macintosh (Mountain Lion native) and Shrew Soft in Windows. In both cases, I see the connection come up, but I can't actually get traffic to/from my office's LAN.

      I have an IP address range assigned to the remote clients (172.16.1.0/24), and the VPN client is being assigned addresses out of this pool.

      When I run a packet capture on the LAN port of pfSense and begin pinging a LAN host from my remote VPN client, I see the ICMP echo requests leaving the pfSense LAN port, AND the echo replies from the LAN host. It appears the replies are not being routed back through the VPN tunnel to the remote client.

      When I ran the same packet capture on the IPsec port of pfSense, I saw ONLY the incoming ICMP echo requests.

      Both of these details tell me something in pfSense is not making the transition for the response packets.

      The version of pfSense is 2.0.2-RELEASE. I didn't see anything in the release notes that would address this. I will upgrade this as well.

      Looking at my SA entries, one is missing, even though both were created.

      My IPsec logs on pfSense show:
      Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->184.76.95.119[500] spi=256783623(0xf4e3507)
      Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->184.76.95.119[500] spi=199263463(0xbe084e7)
      Jul 12 16:41:15 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:41:15 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:41:39 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:41:39 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:41:58 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:41:58 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:42:01 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:42:01 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:42:27 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:42:27 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:42:47 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:42:47 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:42:49 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:42:49 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:43:04 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:43:04 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:43:11 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:43:11 racoon: ERROR: failed to begin ipsec sa negotication.
      Jul 12 16:43:34 racoon: ERROR: no configuration found for 184.76.95.119.
      Jul 12 16:43:34 racoon: ERROR: failed to begin ipsec sa negotication.

      Does this make sense to anyone?  I would love your input…

      --jason

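The racoon excerpt above, run through a small triage script. This is an added example, not code from the original post or from pfSense/racoon. It assumes that the remote peer is the destination address in the "IPsec-SA established" lines (as in the log above) and that each "failed to begin ipsec sa negotication" line belongs to the peer named in the "no configuration found" line logged just before it; the second peer 203.0.113.7 and its SPIs are constructed so the flagging logic has a peer that comes up cleanly for contrast.

```python
"""Triage helper for racoon IPsec logs as found on pfSense 2.0.x.

Added example; not code from the original post or from pfSense/racoon.
It parses lines in the format quoted in the post, lists the ESP SAs
racoon reports as established, counts 'no configuration found' errors
per peer, and flags peers that got an SA but then kept failing to
negotiate, which is the symptom described in the post.
"""
import re
from collections import defaultdict

# Constructed sample: the first lines quoted in the post, plus two invented
# lines for a second peer (203.0.113.7, documentation range) whose SAs come
# up with no follow-up errors.
SAMPLE_LOG = """\
Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->184.76.95.119[500] spi=256783623(0xf4e3507)
Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->184.76.95.119[500] spi=199263463(0xbe084e7)
Jul 12 16:41:15 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:41:15 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:41:39 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:41:39 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:41:58 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:41:58 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:42:05 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->203.0.113.7[500] spi=123456789(0x75bcd15)
Jul 12 16:42:05 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->203.0.113.7[500] spi=987654321(0x3ade68b1)
"""

IPV4 = r"\d+(?:\.\d+){3}"
SA_RE = re.compile(
    r"IPsec-SA established: ESP (?P<src>" + IPV4 + r")\[\d+\]->"
    r"(?P<dst>" + IPV4 + r")\[\d+\] spi=(?P<spi>\d+)\((?P<spi_hex>0x[0-9a-f]+)\)"
)
NO_CONFIG_RE = re.compile(r"ERROR: no configuration found for (?P<peer>" + IPV4 + r")\.")
# racoon spells it "negotication"; match only the stable prefix.
NEGOTIATION_FAILED_RE = re.compile(r"ERROR: failed to begin ipsec sa negoti")


def new_peer_state():
    return {"spis": [], "no_config": 0, "negotiation_failed": 0}


def parse_racoon_log(text):
    """Return {peer_ip: state} built from racoon log lines.

    Assumptions (not stated by racoon itself): the remote peer is the
    destination address of the 'IPsec-SA established' line, and a
    'failed to begin ipsec sa negotication' line, which names no peer,
    belongs to the peer of the 'no configuration found' line just before it.
    """
    peers = defaultdict(new_peer_state)
    last_peer = None
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            peers[m["dst"]]["spis"].append(m["spi_hex"])
            last_peer = m["dst"]
            continue
        m = NO_CONFIG_RE.search(line)
        if m:
            peers[m["peer"]]["no_config"] += 1
            last_peer = m["peer"]
            continue
        if NEGOTIATION_FAILED_RE.search(line) and last_peer is not None:
            peers[last_peer]["negotiation_failed"] += 1
    return dict(peers)


def flag_half_open_peers(peers):
    """Peers matching the symptom in the post: ESP SAs reported established,
    yet racoon afterwards logged 'no configuration found' for the same address."""
    return sorted(ip for ip, st in peers.items() if st["spis"] and st["no_config"] > 0)


def summarize(peers):
    """One human-readable line per peer, for pasting into a support thread."""
    return [
        f"{ip}: {len(st['spis'])} SA(s) {st['spis']}, "
        f"no_config={st['no_config']}, negotiation_failed={st['negotiation_failed']}"
        for ip, st in sorted(peers.items())
    ]


if __name__ == "__main__":
    state = parse_racoon_log(SAMPLE_LOG)
    print("\n".join(summarize(state)))
    print("half-open peers:", flag_half_open_peers(state))
```

On a live box the same script can be fed the IPsec log from Status > System Logs instead of the embedded sample; a peer that appears in the half-open list has its SAs but racoon cannot find a configuration for it, which is the state to investigate before suspecting LAN-side routing.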
      jimp (Rebel Alliance, Developer, Netgate)

        There is a known issue with that on 2.0.3. The 2.1 release is so close that we aren't going to release a 2.0.4 to fix it. You could update to a 2.1 snapshot and it should work there, so long as you have all of the settings exactly as they are on the wiki: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0


        jason0

          Wow: I think I will check out the release candidate then!

          --jason

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.