Netgate Discussion Forum
    Problems with IPsec vpn between pfSense and Oracle Cloud Infrastructure

    IPsec
RodrigoCBraga

I am new to the pfSense world and am having trouble establishing a VPN tunnel.
My network: 192.168.1.0/24 - 111.111.111.111 (my external IP)
Destination network: 10.72.0.0/16 - 222.222.222.222 (external destination IP)
      In pfSense and in OCI the vpn tunnel appears as up.
      I see traffic on the outbound and no traffic on the inbound.
      WAN, LAN, and IPSEC rules were created to ensure communication between both sides.
I have questions about creating the routes to allow communication from my internal network to the internal network of the destination. In Diagnostics / Routes I see a route from IP 222.222.222.222 to 111.111.111.111, but no route appears between the internal networks.
      Could you help me?
      Thank you.

Derelict (LAYER 8, Netgate)

IPsec does not work like that (yet; VTI IPsec, coming in 2.4.4, does).

        You create a "Phase 2" entry for:

        Local: 192.168.1.0/24
        Remote: 10.72.0.0/16

        If that comes up, it establishes kernel traffic selectors that put matching traffic through IPsec.

        Status > IPsec, SPDs will show them.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

RodrigoCBraga

          Thank you for help.
[Attachment: screenshot of my SPD view]
My question is regarding the rules for establishing communication after the IPsec tunnel is established, and how do I monitor traffic?
On the other side, I asked for the logs to try to identify whether communication from the internal network 192.168.1.0/24 is being blocked.
          Thank you again.

Derelict (LAYER 8, Netgate)

            Firewall rules on IPsec govern connections originating from the other side of the IPsec tunnels.

            Firewall rules on the local interfaces govern connections coming into the firewall from the hosts connected there.

            https://www.netgate.com/docs/pfsense/firewall/firewall-rule-basics.html

            https://www.netgate.com/docs/pfsense/firewall/firewall-rule-troubleshooting.html

            https://www.netgate.com/docs/pfsense/book/firewall/troubleshooting-firewall-rules.html

            As for "Monitoring" that is a fairly generic term. What are you actually looking to do?

RodrigoCBraga

              @derelict said in Problems with IPsec vpn between pfSense and Oracle Cloud Infrastructure:

              As for "Monitoring" that is a fairly generic term. What are you actually looking to do?

              I'm trying to identify on which side is the problem.
              If it is some configuration in pfSense or OCI.
I performed some tests, such as a tracert, and did not succeed when I ran the tracert from a workstation on the 192.168.1.0/24 network.
On the other hand, I was informed that I could try to access a certain IP on the internal network 10.72.0.0/16 via remote desktop.
              Both tests failed.
              The phase 2 setup is the same as the one you set.
              Thank you for your help.

Derelict (LAYER 8, Netgate)

                You can packet capture on the IPsec interface (enc0) to see if pings are going out, replies are being received, etc.

RodrigoCBraga

                  Thanks for your help.
The client said that, from analyzing the logs and from a similar problem they had with a Palo Alto solution, it is necessary to include a new remote network, 0.0.0.0/0.
I need help with this procedure, because when I try to create the network there is no /0 option. Can you help me?

                  Security Parameter Index

                  The Oracle Cloud Infrastructure VPN headends use next-hop-based tunnels. When you create a new IPSec connection, you specify a list of IPv4 networks that should be routed from your dynamic routing gateway (DRG) through the IPSec tunnel to your CPE.

                  Oracle IPSec ProxyIDs

                  local=0.0.0.0/0
                  remote=0.0.0.0/0
                  service=any

                  https://docs.cloud.oracle.com/iaas/Content/Network/Reference/genericCPE.htm

Derelict (LAYER 8, Netgate)

                    Site-to-site tunnels to 0.0.0.0/0 will catch all traffic from the source network including traffic to the internet. I would not recommend doing that, and it is doubtful Oracle cloud IPsec requires it.

If the networks in your Phase 2 are the problem, that will show in the IPsec logs. Check the log settings (VPN > IPsec, Advanced) and be sure that IKE SA, IKE Child SA, and Configuration Backend are set to Diag. Everything else can be Control.

                    Look at where it is failing and compare with this:

                    https://www.netgate.com/docs/pfsense/vpn/ipsec/ipsec-troubleshooting.html

                    Or, of course, you can post the logs here.

                    When you create a new IPSec connection, you specify a list of IPv4 networks that should be routed from your dynamic routing gateway (DRG) through the IPSec tunnel to your CPE.

                    Right. All of those routed networks should be specified as Local Networks in Phase 2 entries on your side. The Cloud CIDR should be the Remote Network for all of them.

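
Derelict's reply above says that a Phase 2 (traffic selector) problem will show in the IPsec logs once IKE SA, IKE Child SA and Configuration Backend are logged at Diag. The following is an added example, not code from this thread, from pfSense or from Netgate: a small Python script that scans strongSwan "charon" log lines for established CHILD_SAs and the traffic selectors (TS) they were negotiated with, flags the lines that mean the selectors were rejected or could not be matched, and checks whether a given flow (a LAN host to the 10.72.112.30 cloud host mentioned later in the thread) is actually covered by an installed selector. The log lines are constructed in the style of charon's output; the connection names, SPIs and timestamps are invented.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample lines in the style of the strongSwan "charon" entries
# pfSense shows under Status > System Logs > IPsec. NOT the poster's logs:
# connection names, SPIs and timestamps are invented for this example.
SAMPLE_LOG = """\
Jul 10 10:01:02 charon: 06[IKE] <con1000|1> IKE_SA con1000[1] established between 111.111.111.111[111.111.111.111]...222.222.222.222[222.222.222.222]
Jul 10 10:01:02 charon: 06[IKE] <con1000|1> CHILD_SA con1000{1} established with SPIs c1a2b3c4_i d4e5f6a7_o and TS 192.168.1.0/24 === 10.72.0.0/16
Jul 10 10:05:17 charon: 09[CFG] <con2000|2> no matching CHILD_SA config found for 192.168.5.0/24 === 10.72.0.0/16
Jul 10 10:05:17 charon: 09[IKE] <con2000|2> received TS_UNACCEPTABLE notify, no CHILD_SA built
"""

@dataclass
class ChildSA:
    conn: str
    spi_in: str
    spi_out: str
    local: list    # selectors on this firewall's side (TS before "===")
    remote: list   # selectors on the peer's side (TS after "===")

# "CHILD_SA con1000{1} established with SPIs ..._i ..._o and TS A === B"
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<conn>[^{\s]+)\{\d+\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<ts>.+)$")
# Lines meaning the peer rejected, or we could not match, the Phase 2 selectors
TS_FAIL_RE = re.compile(r"TS_UNACCEPTABLE|no matching CHILD_SA config found")

def parse_child_sas(log_text):
    """Return a ChildSA for every 'CHILD_SA ... established' line."""
    sas = []
    for line in log_text.splitlines():
        m = CHILD_SA_RE.search(line)
        if not m:
            continue
        local, remote = m.group("ts").split(" === ")
        sas.append(ChildSA(conn=m.group("conn"),
                           spi_in=m.group("spi_in"), spi_out=m.group("spi_out"),
                           local=[ip_network(x) for x in local.split()],
                           remote=[ip_network(x) for x in remote.split()]))
    return sas

def selector_failures(log_text):
    """Lines indicating a Phase 2 (traffic selector) mismatch."""
    return [ln for ln in log_text.splitlines() if TS_FAIL_RE.search(ln)]

def phase2_covers(sas, src, dst):
    """True if some established CHILD_SA's selectors contain a src->dst flow.
    If this is False, the packet is never handed to IPsec at all."""
    s, d = ip_network(src), ip_network(dst)
    return any(any(s.subnet_of(l) for l in sa.local) and
               any(d.subnet_of(r) for r in sa.remote) for sa in sas)

if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE_LOG)
    for sa in sas:
        print(f"{sa.conn}: SPIs {sa.spi_in}_i/{sa.spi_out}_o, TS "
              f"{[str(n) for n in sa.local]} === {[str(n) for n in sa.remote]}")
    print("LAN host -> 10.72.112.30 covered:", phase2_covers(sas, "192.168.1.10", "10.72.112.30"))
    print("LAN host -> 8.8.8.8 covered:     ", phase2_covers(sas, "192.168.1.10", "8.8.8.8"))
    for ln in selector_failures(SAMPLE_LOG):
        print("selector problem:", ln)
```

The matching is substring-based, so it tolerates whatever syslog prefix the log viewer adds. If `phase2_covers` is True for the LAN-to-cloud flow and the tunnel still carries no return traffic, the selectors are not the problem, which is the conclusion Derelict reaches later in the thread; the same selectors can be cross-checked against what the kernel actually installed in Status > IPsec > SPDs (or `setkey -DP` from a shell).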
RodrigoCBraga

[Attachments: log screenshots LogPart1 to LogPart6, and configuration screenshots: IPSEC, IPSEC RULES, NATOUTBOUND, RULES WAN, STATE FILTER, STATIC RULES]

                      My set up.
                      I hope you can help me.
                      Thanks.

Derelict (LAYER 8, Netgate)

                        Delete any static routes you added like that 10.72.0.0/16 to 192.168.1.1. That is not how IPsec works.

Honestly, it looks like your IPsec is doing what you asked it to do. You need to find out why the host in the cloud (10.72.112.30) isn't responding or why your traffic isn't coming back. That's more of an Oracle question.

RodrigoCBraga

I have a question.
In pfSense, is it possible to do a configuration where phase 2 has the network 0.0.0.0/0 as both local and remote?
                            Attached, screen with configuration between Palo Alto firewall and Oracle Cloud Infrastructure.
[Attachment: Palo Alto Phase 2 screenshot]

RodrigoCBraga (replying to Derelict)

                              @derelict
                              Hello, can you still help me?

Derelict (LAYER 8, Netgate)

                                Help how?

RodrigoCBraga (replying to Derelict)

                                  @derelict said in Problems with IPsec vpn between pfSense and Oracle Cloud Infrastructure:

                                  Help how?
                                  Yes.

I have a question.
In pfSense, is it possible to do a configuration where phase 2 has the network 0.0.0.0/0 as both local and remote?
                                  Attached, screen with configuration between Palo Alto firewall and Oracle Cloud Infrastructure.
[Attachment: Palo Alto Phase 2 screenshot]

Ernani (replying to Derelict)

                                    @derelict

Hello, I would like to ask for your attention to verify the Oracle documentation and to confirm that pfSense is compatible with and supports Oracle VPNaaS.
                                    1 - Oracle documentation to a Generic CPE:
                                    https://docs.cloud.oracle.com/iaas/Content/Network/Reference/genericCPE.htm

                                    Requirements for generic CPE devices are:

                                    local=0.0.0.0/0
                                    remote=0.0.0.0/0
                                    service=any

                                    Please let us know your thoughts about that.

                                    Regards,
                                    Ernani

Derelict (LAYER 8, Netgate)

                                      Personal opinion:

                                      I think that is completely uncalled for.

                                      On pfSense that will catch all traffic and send it over the tunnel unless extreme measures are taken to bypass it. And there is no way to bypass traffic from the firewall itself.

                                      I cannot see how Oracle expects that to work for people.

                                      Again, you should be able to create Phase 2 entries with your cloud subnet as remote and your local subnet(s) as local.

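
Derelict's two replies on this point (the one advising against a 0.0.0.0/0 Phase 2, and the "Personal opinion" post above) make two claims: a Phase 2 entry becomes a pair of kernel traffic selectors that decide which packets enter the tunnel, and a 0.0.0.0/0 selector on pfSense grabs all traffic, the firewall's own included. The following is an added example, not code from this thread, from pfSense or from Oracle: a small Python model of selector matching that shows the difference between the narrow Phase 2 recommended in the thread and the catch-all, plus the IKEv2 responder narrowing rule (RFC 7296 section 2.9), which is the mechanism by which a peer configured with 0.0.0.0/0 proxy IDs can still agree to the narrow 192.168.1.0/24 <-> 10.72.0.0/16 proposal. The first-match, narrowest-first ordering and the narrowing function are assumptions of this model, not a description of the FreeBSD SPD or of the OCI headend; whether the OCI headend narrows is not stated anywhere in the thread.

```python
from ipaddress import ip_network

# Model of the kernel SPD (security policy database) after a Phase 2 comes up:
# each Phase 2 is one (local, remote) selector pair. Assumption of this model
# (example code, not pfSense's own implementation): entries are searched
# narrowest first and the first match wins.

def build_spd(phase2_entries):
    """phase2_entries: iterable of (local_cidr, remote_cidr) strings."""
    entries = [(ip_network(loc), ip_network(rem)) for loc, rem in phase2_entries]
    return sorted(entries, key=lambda e: e[0].num_addresses + e[1].num_addresses)

def spd_lookup(spd, src, dst):
    """Return the (local, remote) selector that would grab a src->dst packet,
    or None when no selector matches and the packet is routed in the clear."""
    s, d = ip_network(src), ip_network(dst)
    for local, remote in spd:
        if s.subnet_of(local) and d.subnet_of(remote):
            return (str(local), str(remote))
    return None

def _intersect(a, b):
    """Intersection of two CIDR selectors, or None when they are disjoint."""
    a, b = ip_network(a), ip_network(b)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None

def ikev2_narrow(init_local, init_remote, resp_local, resp_remote):
    """IKEv2 responder narrowing (RFC 7296 section 2.9): the responder may
    answer with a subset of the proposed selectors. The initiator's local
    side is the responder's remote side, hence the crossed pairing.
    Returns the agreed (local, remote) from the initiator's point of view,
    or None when the proposal is rejected (TS_UNACCEPTABLE)."""
    local = _intersect(init_local, resp_remote)
    remote = _intersect(init_remote, resp_local)
    if local is None or remote is None:
        return None
    return (str(local), str(remote))

if __name__ == "__main__":
    narrow_p2 = build_spd([("192.168.1.0/24", "10.72.0.0/16")])
    catch_all = build_spd([("0.0.0.0/0", "0.0.0.0/0")])
    flows = [("192.168.1.10", "10.72.112.30"),   # LAN host -> cloud host
             ("192.168.1.10", "8.8.8.8"),        # LAN host -> internet
             ("111.111.111.111", "8.8.8.8")]     # the firewall's own traffic
    for src, dst in flows:
        print(f"{src:>16} -> {dst:<13} narrow P2: {spd_lookup(narrow_p2, src, dst)}"
              f"  catch-all P2: {spd_lookup(catch_all, src, dst)}")
    print("narrow proposal answered by a 0.0.0.0/0 peer:",
          ikev2_narrow("192.168.1.0/24", "10.72.0.0/16", "0.0.0.0/0", "0.0.0.0/0"))
```

With the narrow Phase 2 only the LAN-to-cloud flow is grabbed and internet traffic takes its normal route; with the catch-all every flow, including the firewall's own outbound packets, matches the tunnel selector, which is the behaviour Derelict warns about. The narrowing function shows why the Oracle generic-CPE proxy IDs do not force the same catch-all on the pfSense side under IKEv2: the responder can answer the narrow proposal with exactly that narrow pair. IKEv1 has no such narrowing, so under IKEv1 the two sides' selectors have to match.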
Ernani (replying to Derelict)

                                        @derelict

I agree with you, since I have configured other tunnels from different vendors to Oracle without using that requirement, but I saw some intermittency.

                                        Thank you,
                                        Ernani

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.