[SOLVED] IPSec problem
-
I'm having some problems with ipsec in 2.4. With a clean install, I've manually created one site-to-site tunnel that was working previously with 2.3.3. I can establish communication but can't ping, and there is no traffic with the old firewall rules. The only way I can ping remote is if I put the "all to all" generic rule on the ipsec interface. But if I do that, I get strange IPs and protocols in states. Can't understand what's happening.
I've tried with the latest (today) beta. Hardware is A1SRi-2558 with 16GB connected through fiber. No PPPoE.
-
Same issue like https://forum.pfsense.org/index.php?topic=123892.0 ?
-
Not really. Although I have "route: writing to routing socket: Invalid argument", that is something else, and it disappears when I disable one of my IPSec tunnels (net2net).
But this is different. My problem is those IPs that are showing. Where are they coming from? Why can't I ping remote, and with 2.3.3 I can?
-
After further investigation, it seems to be this issue:
https://forum.pfsense.org/index.php?topic=117827.0
and
https://redmine.pfsense.org/issues/6937
https://redmine.pfsense.org/issues/7015
EDIT: those IPs only show up when the ipsec vpn on remote is from behind NAT.
-
I don't use mobile IPSEC and my WAN is not behind (my) NAT … afaik. ???
I don't mind running 2.4 so far, I am happy with 2.3.3 on my APU but the netgate SG-1000 came with 2.4 beta ...
-
I'm reverting back to 2.3.3 until IPSec is usable. ZFS and freebsd 11 would be nice to have though. But I can wait. No problem.
-
I also can wait. Just want to avoid the hassle of reinstalling on SG-1000 as long as I can.
My plan: plug in and upgrade the SG-1000 every few days and see if patches roll in ;)
Latest update does not fix the issue. I also rechecked that floating "sloppy" rule; it does not work for me.
-
https://redmine.pfsense.org/issues/6937
https://redmine.pfsense.org/issues/7015
Both bugs fixed by devs, installed today's update and IPSEC now works for me on 2.4beta with the SG-1000.
I also removed that sloppy firewall rule, btw
-
Awesome. Thanks for the report.
-
My problems are gone with the latest snapshot. Thanks PFSENSE Team!
-