pfSense VPN seems to be blocking return packets
-
Hello,
I have built an IPsec VPN that seems to get connected properly both under Macintosh (Mountain Lion native) and Shrew Soft in Windows. In both cases, I see the connection come up, but I can't actually get traffic to/from my office's LAN.
I have an IP address range (172.16.1.0/24) assigned to the remote clients, and the VPN client is being assigned addresses out of this pool.
When I run packet capture on the LAN port of pfSense and begin pinging a LAN host from my remote VPN client, I see the ICMP echo requests leaving the pfSense LAN port, AND the echo replies from the LAN host. It appears the replies are not being routed back through the VPN tunnel to the remote client.
When I ran the same packet capture on the IPsec port of pfSense, I see ONLY the incoming ICMP echo requests.
Both of these details tell me something in pfSense is not making a transition for the response packets.
The version of pfSense is 2.0.2-RELEASE. I didn't see anything in the release notes that would address this. I will upgrade this as well.
Looking at my SA entries, one is missing, even though both were created.
My IPsec logs on pfSense show:
Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->184.76.95.119[500] spi=256783623(0xf4e3507)
Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 173.164.113.52[500]->184.76.95.119[500] spi=199263463(0xbe084e7)
Jul 12 16:41:15 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:41:15 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:41:39 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:41:39 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:41:58 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:41:58 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:42:01 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:42:01 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:42:27 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:42:27 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:42:47 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:42:47 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:42:49 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:42:49 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:43:04 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:43:04 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:43:11 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:43:11 racoon: ERROR: failed to begin ipsec sa negotication.
Jul 12 16:43:34 racoon: ERROR: no configuration found for 184.76.95.119.
Jul 12 16:43:34 racoon: ERROR: failed to begin ipsec sa negotication.
Does this make sense to anyone? I would love your input…
--jason
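The diagnosis in the post above rests on two comparisons: echo replies that show up on the LAN capture but never on the IPsec interface, and racoon log lines that report SAs established and then "no configuration found" for the peer. The script below is an added example, not code from the original thread or from pfSense; it parses tcpdump-style ICMP lines from two captures and reports the exchanges whose reply never re-entered the tunnel, and it tallies the racoon messages by type and peer. All sample capture and log lines are constructed (RFC 5737 documentation addresses, invented ids and sequence numbers), and the tcpdump line format is assumed to be the default "IP src > dst: ICMP echo request, id N, seq M" form.

```python
"""Spot an asymmetric return path for mobile IPsec clients from two captures
plus a racoon log. Constructed sample data only; not from the original post."""
import re
from collections import defaultdict

# Assumed default tcpdump ICMP rendering, e.g.
# "16:41:20.123 IP 172.16.1.5 > 192.168.1.10: ICMP echo request, id 7, seq 1, length 64"
ICMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# racoon syslog lines, with or without the "[Self]:" tag seen in the post
RACOON_RE = re.compile(r"racoon: (?:\[Self\]: )?(?P<level>INFO|ERROR): (?P<msg>.*)")


def parse_icmp(lines):
    """Return a set of (kind, id, seq, requester, responder) for echo packets.
    Requests and replies are keyed by the same (requester, responder) pair so
    the two halves of one exchange can be matched across captures."""
    seen = set()
    for line in lines:
        m = ICMP_RE.search(line)
        if not m:
            continue
        if m.group("kind") == "request":
            requester, responder = m.group("src"), m.group("dst")
        else:
            requester, responder = m.group("dst"), m.group("src")
        seen.add((m.group("kind"), int(m.group("id")), int(m.group("seq")),
                  requester, responder))
    return seen


def missing_return_path(lan_lines, ipsec_lines):
    """Echo exchanges whose reply crossed the LAN interface but never appeared on
    the IPsec interface. Returns a sorted list of (id, seq, requester, responder).
    An empty list means every LAN reply was also seen entering the tunnel."""
    lan = parse_icmp(lan_lines)
    ipsec = parse_icmp(ipsec_lines)
    return sorted(
        (ident, seq, req, resp)
        for kind, ident, seq, req, resp in lan
        if kind == "reply" and ("reply", ident, seq, req, resp) not in ipsec
    )


def summarize_racoon(log_lines):
    """Count SA establishments, 'no configuration found' errors per peer, and
    any other racoon ERROR lines."""
    summary = {"sa_established": 0, "no_config": defaultdict(int), "other_errors": 0}
    for line in log_lines:
        m = RACOON_RE.search(line)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "INFO" and msg.startswith("IPsec-SA established"):
            summary["sa_established"] += 1
        elif level == "ERROR":
            peer = re.search(r"no configuration found for (\S+)\.", msg)
            if peer:
                summary["no_config"][peer.group(1)] += 1
            else:
                summary["other_errors"] += 1
    summary["no_config"] = dict(summary["no_config"])
    return summary


# Constructed sample captures: LAN sees both directions, enc0 sees only requests.
SAMPLE_LAN = [
    "16:41:20.101 IP 172.16.1.5 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64",
    "16:41:20.102 IP 192.0.2.10 > 172.16.1.5: ICMP echo reply, id 7, seq 1, length 64",
    "16:41:21.101 IP 172.16.1.5 > 192.0.2.10: ICMP echo request, id 7, seq 2, length 64",
    "16:41:21.102 IP 192.0.2.10 > 172.16.1.5: ICMP echo reply, id 7, seq 2, length 64",
]
SAMPLE_IPSEC = [
    "16:41:20.100 IP 172.16.1.5 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 64",
    "16:41:21.100 IP 172.16.1.5 > 192.0.2.10: ICMP echo request, id 7, seq 2, length 64",
]
# Constructed racoon log in the shape quoted in the post (peer address invented).
SAMPLE_RACOON = [
    "Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.7[500] spi=1(0x1)",
    "Jul 12 16:41:09 racoon: [Self]: INFO: IPsec-SA established: ESP 198.51.100.1[500]->203.0.113.7[500] spi=2(0x2)",
    "Jul 12 16:41:15 racoon: ERROR: no configuration found for 203.0.113.7.",
    "Jul 12 16:41:15 racoon: ERROR: failed to begin ipsec sa negotication.",
    "Jul 12 16:41:39 racoon: ERROR: no configuration found for 203.0.113.7.",
    "Jul 12 16:41:39 racoon: ERROR: failed to begin ipsec sa negotication.",
]

if __name__ == "__main__":
    for ident, seq, req, resp in missing_return_path(SAMPLE_LAN, SAMPLE_IPSEC):
        print(f"reply to {req} from {resp} (id {ident}, seq {seq}) never re-entered the tunnel")
    print(summarize_racoon(SAMPLE_RACOON))
```

Feed it the output of `tcpdump -ni <lan> icmp` and `tcpdump -ni enc0 icmp` taken over the same ping run; a non-empty list from missing_return_path is the same symptom the post describes, and a racoon summary showing established SAs alongside repeated "no configuration found" for the client's address points at the phase 2 / mobile client configuration rather than at the LAN host.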
-
There is a known issue with that on 2.0.3. The 2.1 release is so close that we aren't going to release a 2.0.4 to fix it. You could update to a 2.1 snapshot and it should work there, so long as you have all of the settings exactly as they are on the wiki: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
-
Wow: I think I will check out the release candidate then!
--jason