    No traffic over p2p shared key tunnel after upgrade to 2.3.4 (coming from 2.2.5)

    dvzunderd:
      Hi,

      We finally upgraded pfSense to 2.3.x, coming from 2.2.5.

      Now I have the problem that the VPN p2p tunnel we had is not working anymore.
      When I look at the routing (which was suggested in the other forum thread) this looks OK to me, but I cannot even ping the tunnel IPs on either side.

      On the server side I have the following:
      Tunnel network ip is 10.0.9.1
      Local network is 10.1.12.0/24

      routing:
      default 192.168.178.1 UGS 40676 1500 fxp0
      10.0.9.1 link#11 UHS 0 16384 lo0
      10.0.9.2 link#11 UH 656 1500 ovpns4
      127.0.0.1 link#8 UH 7122 16384 lo0
      192.168.0.0/24 10.0.9.2 UGS 1592 1500 ovpns4
      192.168.100.0/24 10.0.9.2 UGS 250 1500 ovpns4

      On the client side I have the following:
      Tunnel network IP is 10.0.9.2
      Local network is 192.168.0.0/24 and 192.168.100.0/24

      routing:
      Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
      default        gateway        0.0.0.0        UG    100    0        0 enp5s0
      10.0.9.1        0.0.0.0        255.255.255.255 UH    0      0        0 ovpnc2
      10.1.12.0      10.0.9.1        255.255.255.0  UG    0      0        0 ovpnc2
      192.168.0.0    0.0.0.0        255.255.255.0  U    100    0        0 enp4s1

      The VPN tunnel connection is OK.
      And the firewall lets everything through to these networks.
      But when I try to ping 10.0.9.2 from the firewall I get 100% packet loss.
      The same on the client when pinging 10.0.9.1.

      If I ping the machine's own tunnel IP it works.

      Weird thing is, though, when looking in the state table I sometimes see states between the two networks.

      Config server side:

      General information:
      Server mode: Peer to Peer (Shared key)
      Protocol : UDP
      Device mode: tun
      Interface: <our external ip>
      Local port: 1197

      Cryptographic Settings:
      Shared Key: <key>
      Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
      Auth digest algorithm: SHA1 (160-bit)
      Hardware crypto: No hardware…

      Tunnel settings
      IPv4 Tunnel network: 10.0.9.0/24
      IPv4 Remote networks: 192.168.0.0/24,192.168.100.0/24
      Compression : No preference
      Type of service: not checked
      Duplicate connection: not checked
      Disable IPv6: checked

      Advanced configuration
      Custom Options: empty

      Config client side:

      dev ovpnc2
      dev-type tun
      tun-ipv6
      #dev-node /dev/tun2
      #writepid /var/run/openvpn_client2.pid
      #user nobody
      #group nobody
      #script-security 3
      #daemon
      # ping the peer every 10 s, restart the tunnel after 60 s of silence
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-256-CBC
      #up /usr/local/sbin/ovpn-linkup
      #down /usr/local/sbin/ovpn-linkdown
      local 192.168.254.250
      lport 0
      #management /var/etc/openvpn/client2.sock unix
      remote <our external ip>
      #remote lin.nagios.ca.clicks2customers.com
      port 1197
      # local tunnel address first, peer tunnel address second (mirror of the server's pair)
      ifconfig 10.0.9.2 10.0.9.1
      # the server's LAN; nothing is pushed over a static-key tunnel, so it must be listed here
      route 10.1.12.0 255.255.255.0
      secret /etc/openvpn/dqna_hq.secret
      #secret /etc/openvpn/static_v2.key

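A shared-key p2p tunnel pushes nothing to the other end, so the two configs have to mirror each other by hand: the `ifconfig` pair swapped, cipher/auth/proto/port identical, and a `route` on each side for every LAN behind the peer. The following is an added example (not code from the post and not pfSense's own) that checks those properties for the pair described above. `SERVER_CONF` is what pfSense 2.3 is assumed to generate for the GUI settings listed in the post, the redacted external address is replaced by an RFC 5737 documentation IP, and the LAN lists are passed in separately because an OpenVPN config never states which networks its own side serves.

```python
"""Consistency check for the two ends of an OpenVPN static-key (p2p) tunnel.

Added example: not code from the forum post or from pfSense.  It parses
plain OpenVPN config syntax and checks what a shared-key tunnel needs to
mirror: the `ifconfig` pair is swapped, cipher/auth/proto/port agree once
OpenVPN's defaults are applied, and each side carries a `route` for every
LAN the other side serves.
"""
import ipaddress

# Constructed server-side config: what pfSense 2.3 is ASSUMED to generate
# for the GUI settings in the post (tunnel 10.0.9.0/24, remote networks
# 192.168.0.0/24 and 192.168.100.0/24, AES-256-CBC, SHA1, UDP port 1197).
SERVER_CONF = """\
dev ovpns4
dev-type tun
proto udp
lport 1197
cipher AES-256-CBC
auth SHA1
ifconfig 10.0.9.1 10.0.9.2
route 192.168.0.0 255.255.255.0
route 192.168.100.0 255.255.255.0
secret /var/etc/openvpn/server4.secret
"""

# Client config from the post, trimmed to the directives that matter here;
# the redacted server address is replaced by an RFC 5737 documentation IP.
CLIENT_CONF = """\
dev ovpnc2
dev-type tun
keepalive 10 60
proto udp
cipher AES-256-CBC
remote 203.0.113.10
port 1197
ifconfig 10.0.9.2 10.0.9.1
route 10.1.12.0 255.255.255.0
secret /etc/openvpn/dqna_hq.secret
"""

# Values OpenVPN 2.3 uses when the directive is absent; the client above
# omits `auth`, so it silently relies on the SHA1 default matching the server.
DEFAULTS = {"auth": ["SHA1"], "cipher": ["BF-CBC"], "proto": ["udp"]}


def parse(conf):
    """Map each directive to the list of argument lists it was given."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        opts.setdefault(words[0], []).append(words[1:])
    return opts


def setting(opts, key):
    """First argument list for a single-valued directive, default applied."""
    return opts[key][0] if key in opts else DEFAULTS.get(key)


def routes(opts):
    """Networks this side installs into the kernel routing table via `route`."""
    return {ipaddress.ip_network(f"{r[0]}/{r[1]}") for r in opts.get("route", [])}


def check(server_conf, client_conf, server_lans, client_lans, tunnel_net):
    """Return a list of mismatches; an empty list means the pair is consistent."""
    s, c = parse(server_conf), parse(client_conf)
    tunnel = ipaddress.ip_network(tunnel_net)
    problems = []

    s_if, c_if = setting(s, "ifconfig"), setting(c, "ifconfig")
    if not (s_if and c_if):
        problems.append("ifconfig missing on one side")
    else:
        if s_if != c_if[::-1]:
            problems.append(f"ifconfig not mirrored: server {s_if} vs client {c_if}")
        for ip in s_if:
            if ipaddress.ip_address(ip) not in tunnel:
                problems.append(f"tunnel address {ip} is outside {tunnel}")

    for key in ("cipher", "auth", "proto"):
        if setting(s, key) != setting(c, key):
            problems.append(f"{key} mismatch: server {setting(s, key)} vs client {setting(c, key)}")

    s_port = setting(s, "lport") or setting(s, "port")
    c_port = setting(c, "rport") or setting(c, "port")
    if s_port != c_port:
        problems.append(f"port mismatch: server listens on {s_port}, client sends to {c_port}")

    # Static-key tunnels push nothing: every LAN behind the peer needs an
    # explicit `route` on this side, or packets for it never enter the tun.
    for name, opts, peer_lans in (("server", s, client_lans), ("client", c, server_lans)):
        have = routes(opts)
        for lan in peer_lans:
            if ipaddress.ip_network(lan) not in have:
                problems.append(f"{name} has no route for peer network {lan}")
    return problems


if __name__ == "__main__":
    found = check(SERVER_CONF, CLIENT_CONF, ["10.1.12.0/24"],
                  ["192.168.0.0/24", "192.168.100.0/24"], "10.0.9.0/24")
    print("\n".join(found) or "configs are consistent")
```

Applying defaults before comparing is the point of `setting()`: the posted client config has no `auth` line, so it only agrees with the server's SHA1 by accident of the default, and dropping the `cipher` line would silently fall back to BF-CBC and break the tunnel without any error in the log. Note that both configs above pass the check, which is consistent with the thread's outcome: the configuration was fine and the client process just needed a restart.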
      dvzunderd:

        Ok, I can shoot myself.
        Found the problem after lots of side testing and not working.

        The other side needed a fresh start of the OpenVPN client.

        Got a bit sidetracked by the fact that it connects automatically and the tunnel seemed to be functional (without traffic).

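The "connected but no traffic" state described above is characteristic of a static-key tunnel: there is no TLS handshake, so the tun interface comes up and the status widget reports a connection whether or not the far end is answering. The only proof of a working link is traffic across it. The following is an added example (not from the post) of a small watchdog for the Linux client side that pings the peer's tunnel address bound to the tunnel interface and restarts the client when the peer stays silent; the peer address and interface name are taken from the post, the systemd unit name `openvpn@client2` is an assumption.

```python
"""Liveness probe for a static-key OpenVPN link, usable as a watchdog.

Added example, not from the post.  A shared-key tunnel has no TLS
handshake: the tun interface comes up and the status page says
"connected" whether or not the far end is answering, so the only proof of
a working link is traffic.  Pinging the peer's tunnel address, bound to
the tunnel interface, is that proof; on failure the client is restarted.
"""
import subprocess

PEER_TUNNEL_IP = "10.0.9.1"   # far end's tunnel address, from the post
TUN_IF = "ovpnc2"             # local tunnel interface, from the post
# Assumed systemd unit for the client; adjust for the init system in use.
RESTART_CMD = ["systemctl", "restart", "openvpn@client2"]


def probe_cmd(peer=PEER_TUNNEL_IP, iface=TUN_IF, count=3, timeout=2):
    """iputils ping (Linux) bound to the tun interface, so a missing route
    cannot make the probe succeed via the default gateway instead."""
    return ["ping", "-c", str(count), "-W", str(timeout), "-I", iface, peer]


def run(cmd):
    """Run a command quietly; True iff it exited 0."""
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def decide(peer_answers, restart_on_failure=True):
    """Map a probe result to the action the watchdog takes."""
    if peer_answers:
        return "ok"
    return "restart" if restart_on_failure else "alert"


def watchdog(runner=run, restart_on_failure=True):
    """One watchdog pass.  `runner` is injectable so the decision logic can
    be exercised without a live tunnel.  Returns the action taken."""
    action = decide(runner(probe_cmd()), restart_on_failure)
    if action == "restart":
        runner(RESTART_CMD)
    return action


if __name__ == "__main__":
    print(watchdog())
```

Run it from cron or a systemd timer. Before trusting a restart loop, confirm where the packets stop: `tcpdump -ni ovpnc2 icmp` on the client and `tcpdump -ni ovpns4 icmp` on pfSense show whether the echo requests leave one tun and arrive on the other; requests visible on the client's tun that never appear on the server's mean the UDP transport is not carrying them, which is a different problem from a dead client process.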
        FOBioPatel:

          I logged on to my pfSense today and was pretty horrified to see a 502 error page. I didn't want to reboot until I understood the cause. I did have the OpenVPN Widget and IPSec VPN Widget running on the homepage of pfSense. I also changed my firewall logs to show 20 results, show FAIL & REJECT, and refresh every 1 second. Perhaps this was a bit too aggressive. My OpenVPN clients couldn't connect via OpenVPN but IPSec VPN was able to still connect.

          As advised earlier, restarting PHP-FPM using the numerical menu options in the pfSense console allowed the OpenVPN tunnels to connect again, and removed the 502 error.

          Hope this helps.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.