IPSEC to CradlePoint...Tunnel Established But No Ping
-
Ok, i removed the cradlepoint from their remote management service, which allowed me to discover a firmware upgrade. It looks like it is now using strongswan instead of racoon. It gives me new info, but no new progress:
Tunnel
Tunnel Office_To_Colo (00000000-bb2b-3f16-b8bd-c1264651d390) enabled: True dead_peer_timeout: 27 state: up Connection (00000000-bb2b-3f16-b8bd-c1264651d390) version: IKEv1 local: ['xx.xx.xx.37'] remote: ['yy.yy.yy.130'] Child Configuration (00000000-bb2b-3f16-b8bd-c1264651d390) mode: TUNNEL local_ts: ['192.168.0.0/24[17]'] remote_ts: ['10.1.1.0/24[17]'] IKE SA (00000000-bb2b-3f16-b8bd-c1264651d390) state: ESTABLISHED version: IKEv1 algorithms: AES_CBC, PRF_HMAC_SHA1, MODP_1024 local: xx.xx.xx.37:500 remote: yy.yy.yy.130:500 lifetime_seconds: 635 of 80121 Child SA (00000000-bb2b-3f16-b8bd-c1264651d390-15) state: INSTALLED algorithms: AES_CBC, HMAC_MD5_96, MODP_1024 local_ts: ['192.168.0.0/24[17]'] remote_ts: ['10.1.1.0/24[17]'] lifetime_seconds: 635 of 43200 data_in: 0 / 0 data_out: 0 / 0 spi_in: c51d4c3a spi_out: cf0e7bb3SPDs:
"src 192.168.0.0/24 dst 10.1.1.0/24 proto 17 dir out priority 375167 tmpl src xx.xx.xx.37 dst yy.yy.yy.130 proto esp spi 0xcf0e7bb3 reqid 7 mode tunnel src 10.1.1.0/24 dst 192.168.0.0/24 proto 17 dir fwd priority 375167 tmpl src yy.yy.yy.130 dst xx.xx.xx.37 proto esp reqid 7 mode tunnel src 10.1.1.0/24 dst 192.168.0.0/24 proto 17 dir in priority 375167 tmpl src yy.yy.yy.130 dst xx.xx.xx.37 proto esp reqid 7 mode tunnel" "src xx.xx.xx.37 dst yy.yy.yy.130 proto esp spi 0xcf0e7bb3 reqid 7 mode tunnel replay-window 0 flag af-unspec auth-trunc hmac(md5) 0x9556afb101bf2619229173f0dfa17a38 96 enc cbc(aes) 0xb1c0cc12fa2f2ee6417a410aa5b04ca2 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 src yy.yy.yy.130 dst xx.xx.xx.37 proto esp spi 0xc51d4c3a reqid 7 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(md5) 0x5d055d62880f2f086755883b9ff6a247 96 enc cbc(aes) 0x7c56d223f52691b85d19a918d18c564f anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000"SADs
"src 192.168.0.0/24 dst 10.1.1.0/24 proto 17 dir out priority 375167 tmpl src xx.xx.xx.37 dst yy.yy.yy.130 proto esp spi 0xcf0e7bb3 reqid 7 mode tunnel src 10.1.1.0/24 dst 192.168.0.0/24 proto 17 dir fwd priority 375167 tmpl src yy.yy.yy.130 dst xx.xx.xx.37 proto esp reqid 7 mode tunnel src 10.1.1.0/24 dst 192.168.0.0/24 proto 17 dir in priority 375167 tmpl src yy.yy.yy.130 dst xx.xx.xx.37 proto esp reqid 7 mode tunnel" "src xx.xx.xx.37 dst yy.yy.yy.130 proto esp spi 0xcf0e7bb3 reqid 7 mode tunnel replay-window 0 flag af-unspec auth-trunc hmac(md5) 0x9556afb101bf2619229173f0dfa17a38 96 enc cbc(aes) 0xb1c0cc12fa2f2ee6417a410aa5b04ca2 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 src yy.yy.yy.130 dst xx.xx.xx.37 proto esp spi 0xc51d4c3a reqid 7 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(md5) 0x5d055d62880f2f086755883b9ff6a247 96 enc cbc(aes) 0x7c56d223f52691b85d19a918d18c564f anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000" -
still trying to figure this out...
Can anybody tell me about the life vs install counter?:
-
First, uncheck Disable re-key on the Phase 1 and try again.
From those counters it's pretty obvious you are sending traffic out the tunnel but nothing is coming back.
-
@derelict, ok unchecked disable rekey.
Not sure why there was no inbound in that screenshot: There is now but still can't get a ping:
-
Exactly what are you pinging from where? IP addresses please.
-
the internal networks from both sides:
10.1.1.1 (pfsense lan ip) from 192.168.0.2 (cradlepoint lan ip) (and vice versa)
192.168.0.2 from 10.1.1.2 (server using pfsense as gateway) (and vice versa)
192.168.0.147 (static route added for 10.1.1.0 via 192.168.0.2) from 10.1.1.2 (and vice versa) -
Are you policy routing (gateways set on rules) on the 10.1.1.X interface?
If you are testing pings from the firewall are you positive you are sourcing from an interesting address/interface on the local side of the tunnel?
-
I'm not sure I know how to answer that...I'm not using VTI if that is what you mean. My assumption (forgive my limited knowledge) is that traffic will be routed over the tunnel based on the networks specified in the phase 2 parameters. Is this not correct? Let me put it this way...I've followed half a dozen pfsense standard tunnel ipsec tutorials looking for any steps related to routing that I may have missed and they are all the same...just getting the p1/p2 params to match and adding the rule to allow ipsec traffic.
I'm testing from everywhere. I did find a section in the pfsense book about adding a "fake" route and gateway for the sake of pinging right from pfsense, but that didn't help.
https://portal.pfsense.org/docs/book/ipsec/site-to-site.html#pfsense-initiated-traffic-and-ipsec
However, i continue to try from both the pfsense, cradlepoint, and other servers just to make sure it's not working in one place but not others.
-
Looking for the reason the traffic is going out WAN. In general that means:
- You are policy routing on the LAN interface so the traffic is being told to go a particular direction and is not caught by the IPsec traffic selectors.
- You are testing sourcing from an address that is not included in the traffic selectors. This is common when you use Diagnostics > Ping on the firewall and don't set LAN as the source interface, etc.
I am just going on what you said here:
One odd thing to me is that packet capture shows ping leaving WAN interface, instead of ipsec interface.
-
Yeah, that was probably before I understood the fluke with traffic originating from the pfsense itself (i only bought the gold/book today). I just ran another ping from a server and do see the traffic on the ipsec interface in the packet capture.
-
If there is no response you need to look at the other side.
-
yeah, i agree. I just discovered that the firmware upgrade on the cradlepoint gave me a similar packet capture functionality, and I can see the inbound ICMP packets.
Thank you much for helping me get this far.
-
ok, this is comical...deleted the tunnel off the cradelpoint, recreated it, and now it works. I know I've tried that before, but maybe, that in combination with the firmware upgrade fixed it.
-
Glad you got it working. Thanks for letting us know.
