Netgate Discussion Forum

    New VPN - no traffic

      Bladman

      Hi,

      I have set up a VPN connection from a pfSense box to a Cisco 2811 using this guide:
      https://doc.pfsense.org/index.php/IPsec_between_pfSense_and_Cisco_IOS

      According to the logs from pfSense, the tunnel is up and running (green icon in IPsec status).
      I have tried several things, like adding routes, but I am unable to ping from the one network to the other (neither from Site A nor from Site B). I have also set pfSense to allow all traffic through the IPsec tunnel. Performing a tracert leads to nothing; the trace just stops at the LAN IPs on both sides.

      This is the setup:

      Site A
      192.168.90.x -> Cisco 2811 -> Internet
      Site B
      192.168.40.x -> pfSense box -> FritzBox router, with the pfSense in DMZ and ESP + GRE forwarded -> Internet

      In between I have set up the IPsec tunnel; according to the logs the IPsec SA has been set up. I can post detailed config and log files later today.

      What am I missing here?


        Bladman

        I'm running the pfSense NanoBSD 512 image.
        The 2811 has a running GRE IPsec tunnel to another site, which works perfectly.

        The pfSense box logs say:

        Mar 21 19:39:55 racoon: INFO: @(#)ipsec-tools 0.8.1 (http://ipsec-tools.sourceforge.net)
        Mar 21 19:39:55 racoon: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
        Mar 21 19:39:55 racoon: INFO: Reading configuration from "/var/etc/ipsec/racoon.conf"
        Mar 21 19:39:55 racoon: [Self]: INFO: 192.168.40.1[4500] used for NAT-T
        Mar 21 19:39:55 racoon: [Self]: INFO: 192.168.40.1[4500] used as isakmp port (fd=9)
        Mar 21 19:39:55 racoon: [Self]: INFO: 192.168.40.1[500] used for NAT-T
        Mar 21 19:39:55 racoon: [Self]: INFO: 192.168.40.1[500] used as isakmp port (fd=10)
        Mar 21 19:39:55 racoon: INFO: unsupported PF_KEY message REGISTER
        Mar 21 19:39:58 racoon: INFO: unsupported PF_KEY message REGISTER
        Mar 21 19:39:59 racoon: INFO: unsupported PF_KEY message REGISTER
        Mar 21 19:40:10 racoon: INFO: IPsec-SA request for <public IP site A> queued due to no phase1 found.
        Mar 21 19:40:10 racoon: [Self]: INFO: initiate new phase 1 negotiation: 192.168.178.92[500]<=><public IP site A>[500]
        Mar 21 19:40:10 racoon: INFO: begin Identity Protection mode.
        Mar 21 19:40:10 racoon: INFO: received Vendor ID: CISCO-UNITY
        Mar 21 19:40:10 racoon: INFO: received Vendor ID: DPD
        Mar 21 19:40:10 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
        Mar 21 19:40:11 racoon: [Self]: INFO: ISAKMP-SA established 192.168.178.92[500]-<public IP site A>[500] spi:7f23c9eb11dc6a11:773157e991290474
        Mar 21 19:40:11 racoon: [Self]: INFO: initiate new phase 2 negotiation: 192.168.178.92[500]<=><public IP site A>[500]
        Mar 21 19:40:11 racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes
        Mar 21 19:40:11 racoon: WARNING: attribute has been modified.
        Mar 21 19:40:12 racoon: [Self]: INFO: IPsec-SA established: ESP 192.168.178.92[500]-><public IP site A>[500] spi=90231023(0x560d0ef)
        Mar 21 19:40:12 racoon: [Self]: INFO: IPsec-SA established: ESP 192.168.178.92[500]-><public IP site A>[500] spi=3197295109(0xbe92da05)

        Which looks to me like the tunnel has been brought up just fine.

        I can't put any traffic over the tunnel, neither from Site A to B nor from Site B to A.
        Any suggestions?


          doktornotor
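An added example, not from this thread or from pfSense, that reduces racoon log lines like the ones quoted above to the tunnel state and to the points a troubleshooter checks when both SAs are established yet no traffic flows. The sample log is constructed from the quoted lines, with the documentation address 203.0.113.10 standing in for site A's public IP.

```python
import re
from ipaddress import ip_address

# Constructed sample modelled on the racoon lines quoted in the post above;
# site A's public address is replaced by the documentation address 203.0.113.10.
SAMPLE_LOG = """\
Mar 21 19:40:10 racoon: [Self]: INFO: initiate new phase 1 negotiation: 192.168.178.92[500]<=>203.0.113.10[500]
Mar 21 19:40:11 racoon: [Self]: INFO: ISAKMP-SA established 192.168.178.92[500]-203.0.113.10[500] spi:7f23c9eb11dc6a11:773157e991290474
Mar 21 19:40:11 racoon: INFO: received RESPONDER-LIFETIME: 4608000 kbytes
Mar 21 19:40:11 racoon: WARNING: attribute has been modified.
Mar 21 19:40:12 racoon: [Self]: INFO: IPsec-SA established: ESP 192.168.178.92[500]->203.0.113.10[500] spi=90231023(0x560d0ef)
Mar 21 19:40:12 racoon: [Self]: INFO: IPsec-SA established: ESP 192.168.178.92[500]->203.0.113.10[500] spi=3197295109(0xbe92da05)
"""

ISAKMP_RE = re.compile(r"ISAKMP-SA established (\S+)\[(\d+)\]-(\S+)\[(\d+)\]")
ESP_RE = re.compile(r"IPsec-SA established: ESP (\S+)\[(\d+)\]->(\S+)\[(\d+)\] spi=(\d+)")


def summarize_racoon(log):
    """Reduce a racoon log to tunnel state plus hints for the 'SA up, no traffic' case."""
    state = {"phase1": False, "esp_spis": [], "behind_nat": False,
             "nat_t_used": False, "attribute_modified": False, "hints": []}
    for line in log.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            state["phase1"] = True
            # A private local IKE address means this end sits behind a NAT device.
            state["behind_nat"] = ip_address(m.group(1)).is_private
        m = ESP_RE.search(line)
        if m:
            state["esp_spis"].append(int(m.group(5)))
            # When IKEv1 NAT-T is negotiated, both ports float to UDP 4500.
            state["nat_t_used"] = state["nat_t_used"] or m.group(2) == "4500"
        if "WARNING: attribute has been modified" in line:
            state["attribute_modified"] = True
    if state["behind_nat"] and not state["nat_t_used"]:
        state["hints"].append("local IKE address is RFC1918 but ports stayed at 500: NAT-T was not "
                              "negotiated, so ESP crosses the NAT device unencapsulated and depends "
                              "on its ESP forwarding working in both directions")
    if state["attribute_modified"]:
        state["hints"].append("responder returned a modified phase 2 attribute (here the lifetime): "
                              "the SA still comes up, but align lifetimes on both peers")
    if state["phase1"] and len(state["esp_spis"]) == 2:
        state["hints"].append("IKE completed in both directions: check the IPsec-tab firewall rules "
                              "and that the phase 2 networks mirror the Cisco crypto ACL")
    return state


if __name__ == "__main__":
    for hint in summarize_racoon(SAMPLE_LOG)["hints"]:
        print("-", hint)
```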

          Did you set up firewall rules on the IPsec tab?


            Bladman

            On the IPsec tab I have added this rule:

            IPv4 * * * * * * none

            Unfortunately, this doesn't solve the problem.


              Guest

              I have lately had repeated problems with an IPsec tunnel (well, going on over months): after the provider did some "service" the tunnel was not functional (no ping, no data passing) for some hours, although the tunnel was successfully established according to the racoon protocols on BOTH sides.

              Strange, strange, maybe NSA had no capacity to handle more man-in-the-middle? :)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.