IPSec Not Being Shaped?
-
We have two ipsec connections to two different datacenters. I configured the traffic shaper using the wizard and told it to give ipsec a "higher priority" which created 3 floating rules for ipsec. However, it doesn't appear ipsec is being shaped, as the states/bytes have been at 0/0 for days now. They stay at 0/0, even if I transfer a large file across the ipsec link.
Any idea why or where I can start to troubleshoot this?
-
It seems like your firewall rule is not catching the correct traffic. Confirm that first.
-
> It seems like your firewall rule is not catching the correct traffic. Confirm that first.
That is what I believe, but I can't figure out why. The only ipsec rules are the floating rules the wizard created. I don't have any other rule that would override the ipsec rules, nor the source or destination IPs of the ipsec endpoints.
Here are the floating rules that were created:
States    Proto     Source  Port  Destination  Port          Gateway  Queue        Description
0/26 KiB  IPv4 UDP  *       *     *            500 (ISAKMP)  *        qOthersHigh  m_Other IPSEC outbound
0/26 KiB  IPv4 AH   *       *     *            *             *        qOthersHigh  m_Other IPSEC outbound
0/26 KiB  IPv4 ESP  *       *     *            *             *        qOthersHigh  m_Other IPSEC outbound
It looks like it caught a tiny amount of something. 26KiB. But the vast majority of our traffic goes across this VPN. My ipsec firewall rule (on the ipsec tab) is showing 450MB of data transferred since I rebooted the firewall immediately after my original post.
Here is my ipsec tab rule:
States         Proto   Source  Port  Destination  Port  Gateway  Queue  Description
39/438.24 MiB  IPv4 *  *       *     *            *     *        none   Allow All
-
What states does Diagnostics > States show if you filter on the remote VPN endpoint?
-
> What states does Diagnostics > States show if you filter on the remote VPN endpoint?
It's a pfSense firewall in our datacenter, so there will be tens of thousands of entries. Can I answer the question by filtering on the source IP of the local VPN endpoint I am trying to shape?
If so, I suspect this is what you're looking for:
WAN esp remote.endpoint.ip -> local.endpoint.ip MULTIPLE:MULTIPLE 1.338053 M / 1.131157 M 835.26 MiB / 390.13 MiB
WAN udp local.endpoint.ip:500 -> remote.endpoint.ip:500 MULTIPLE:MULTIPLE 2 / 2 656 B / 576 B
Sorry, I misunderstood. The above is Diagnostic - States from the remote endpoint. Here is the output of what you asked from my local endpoint:
CMP esp local.endpoint.ip -> remote.endpoint.ip MULTIPLE:MULTIPLE 1.137951 M / 1.339614 M 393.17 MiB / 835.89 MiB
Interesting, there is no corresponding UDP/500 entry like on the remote endpoint?
-
What interfaces and directions are set on those floating rules?
-
> What interfaces and directions are set on those floating rules?
Interface is CMP/TWC (my two WAN interfaces).
Direction is "any."
-
Traffic within the tunnel is seen in and out of the "IPsec" interface as far as the shaper goes, not your WANs.
The wizard is completely broken; I would suggest configuring everything manually.
Best regards!
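To put the last answer's point in code, here is an added example (not from the thread or from pfSense) that parses the Diagnostics > States layout pasted above and splits bytes between the WAN-side tunnel states, which are the only thing the wizard's ESP/AH/UDP 500 floating rules can match, and the per-connection states on the IPsec interface where shaping rules need to attach. The sample state lines are constructed, and the interface name `IPsec` for the decrypted side is an assumption.

```python
import re
# Constructed sample in the Diagnostics > States layout pasted in the thread
# (interface, proto, src -> dst, state, packets in/out, bytes in/out); the
# endpoint names are placeholders and the "IPsec" interface name is assumed.
SAMPLE_STATES = """\
WAN esp remote.endpoint.ip -> local.endpoint.ip MULTIPLE:MULTIPLE 1.338053 M / 1.131157 M 835.26 MiB / 390.13 MiB
WAN udp local.endpoint.ip:500 -> remote.endpoint.ip:500 MULTIPLE:MULTIPLE 2 / 2 656 B / 576 B
IPsec tcp 10.0.1.5:51234 -> 10.0.2.20:445 ESTABLISHED:ESTABLISHED 900 K / 700 K 600.00 MiB / 200.00 MiB
"""

STATE_RE = re.compile(
    r"^(?P<iface>\S+) (?P<proto>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<state>\S+) "
    r"[\d.]+(?: [KMG])? / [\d.]+(?: [KMG])? "  # packet counters, not used here
    r"(?P<bin>[\d.]+) (?P<binu>[KMG]?i?B) / (?P<bout>[\d.]+) (?P<boutu>[KMG]?i?B)$"
)
UNIT = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def to_bytes(value, unit):
    return int(round(float(value) * UNIT[unit]))


def parse_states(text):
    """Return one dict per parsable state line; headers and blanks are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            total = to_bytes(d["bin"], d["binu"]) + to_bytes(d["bout"], d["boutu"])
            states.append({"iface": d["iface"], "proto": d["proto"].lower(),
                           "src": d["src"], "dst": d["dst"], "bytes": total})
    return states


def port_of(endpoint):
    """'host:port' -> port as int; None for port-less protocols such as esp/ah."""
    _, sep, p = endpoint.rpartition(":")
    return int(p) if sep and p.isdigit() else None


def wizard_rule_bytes(states, wan_ifaces=("WAN", "CMP", "TWC")):
    """Bytes the wizard's WAN floating rules (ESP, AH, UDP/500) can see: the
    encapsulated tunnel, i.e. a single flow per peer, not your inner connections."""
    total = 0
    for s in states:
        isakmp = s["proto"] == "udp" and 500 in (port_of(s["src"]), port_of(s["dst"]))
        if s["iface"] in wan_ifaces and (s["proto"] in ("esp", "ah") or isakmp):
            total += s["bytes"]
    return total


def inner_flow_bytes(states, ipsec_iface="IPsec"):
    """Bytes in per-connection states on the IPsec interface, where the shaper
    sees decrypted traffic and where queue-assignment rules must live."""
    return sum(s["bytes"] for s in states if s["iface"] == ipsec_iface)
```

Run it against a real copy of Diagnostics > States: if nearly everything lands in the WAN-side ESP total and nothing in the IPsec-interface total, the floating rules are matching the outer tunnel rather than the traffic you want to shape.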