IPSec connection established and trafic is outgoing, but no ongoing response

lmhaydii

Hi,
I have an IPSec connection between a my firewall (pfsense 2.4) and a third party server.
My IPSec configuration is working fine and connexion established, but when I try to telnet the third pardy subnet address, I can't get any response from them. They are confirming that they receive my packets and I see also the packets going out from my server !

My IPSec configuration is :
Local machine (192.168.50.12) <--> Firwall (pfsense) <--> Third party firwall(Cisco) <--> Thier local machine (192.168.127.80)

When I see on Diagnostics > States > States and filter by third party local machine subnet I haev :
LAN tcp 192.168.50.12:42276 -> 192.168.127.80:8082 CLOSED:SYN_SENT 3 / 0 180 B / 0 B
IPsec tcp 192.168.113.12:42276 (192.168.50.12:42276) -> 192.168.127.80:8082 SYN_SENT:CLOSED 3 / 0 180 B / 0 B

PS : In my Phase 2 configuration, I've set up a NAT/BINAT translation to 192.168.113.12
PS 2 : My firewall rules are :
LAN :
IPv4 * 192.168.50.12 * 192.168.127.80 * * none
IPSec :
IPv4 * 192.168.127.80 * 192.168.50.12 * * none

Any advice please !

Konstanti

Hey
https://www.netgate.com/docs/pfsense/vpn/ipsec/connecting-to-cisco-ios-devices-with-ipsec.html

lmhaydii

@konstanti thank you for your response. I don't think is an IPSec configuration issue. We have already a IPSec tunnel (using pfsense 2.1.5) with the same third party and same configuration and it's working fine.

Konstanti

@lmhaydii if the packets reach 192.168.127.80 and do not return, you should look for the problem in cisco
Show the output of commands
show crypto map
show crypto ipsec sa
show ip route

Konstanti

@lmhaydii I would disable NAT / BINAT on the Pfsense side

lmhaydii

@konstanti our local subnet 192.168.50.0/24 is already used in thier system, so I'm obligated to use a NAT / BITNAT option.

Konstanti

@lmhaydii OK
often more problems are due to MSS
Try reducing it on the cisco side to 1360
https://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html#anc16

lmhaydii

@konstanti They did the debugging on their part and they confirm that the answer is back to me

Konstanti

@lmhaydii
Pfsense ipsec settings
VPN/IPSEC/Advanced
0_1546519213480_8a7b27a3-900a-490e-b483-3cd5d4f8781d-image.png

lmhaydii

@konstanti Alredy tried, but not working :/

Konstanti

@lmhaydii and ping passes between hosts ?

Konstanti

@lmhaydii You can still see what's going on using the packet capture.
Diagnostics/Packet Capture
Interface IPSEC
and show here what happens at the moment of connection

lmhaydii

@konstanti No ping, no telnet. Telnet reach thiier server but i can't get thier response back.
When I do a telnet, pckets captured are :
12:50:05.113719 (authentic,confidential): SPI 0xc5431e8c: IP 192.168.50.12.44276 > 192.168.127.80.8082: tcp 0
12:50:06.117304 (authentic,confidential): SPI 0xc5431e8c: IP 192.168.50.12.44276 > 192.168.127.80.8082: tcp 0
12:50:08.133382 (authentic,confidential): SPI 0xc5431e8c: IP 192.168.50.12.44276 > 192.168.127.80.8082: tcp 0

And Diagnostic > States are :

Packets Bytes
LAN tcp 192.168.50.12:44274 -> 192.168.127.80:8082 CLOSED:SYN_SENT 3 / 0 180 B / 0 B
IPsec tcp 192.168.113.12:44274 (192.168.50.12:44274) -> 192.168.127.80:8082 SYN_SENT:CLOSED 3 / 0 180 B / 0 B

Konstanti

@lmhaydii The solution to the problem should be sought from Cisco side
Ip packets in its party leave and do not return

Konstanti

@lmhaydii
Here's what it looks like to me
15:59:50.636268 (authentic,confidential): SPI 0xc4b93af1: IP XX.XXX.70.141 > XX.XXX.236.39: GREv0, length 174: IP 192.168.1.96.51731 > 208.123.73.199.443: tcp 118
15:59:50.856954 (authentic,confidential): SPI 0xc8365d06: IP XX.XXX.236.39 > XX.XXX.70.141: GREv0, length 56: IP 208.123.73.199.443 > 192.168.1.96.51731: tcp 0

lmhaydii

@konstanti Thank you for your help, I will try from another server without NAT / BITANT and see if that will work

lmhaydii

Hi again,
After several attempts, I come back to you, maybe I can find a solution.
I tried several configurations, but still the same issue : Tunnel connexion establisheed, telnet request go out, but can't catch the response. The responder server guys confirm that they are getting my requests and they return a response. But the response is lost somehwere and I can't determine where !
I've tried all pfsense log level on IPSec advenced options : but found nothing that can help, except when setting Kernel Interface on highest I can see :
( 4_1547772896575_pfSense localdomain Status System Logs IPsec.png

This is a resume of my debbuging:
the tunnel is up and request are going out :

3_1547772896574_pfSense localdomain Status IPsec Overview.png

The connexion states are closed !
2_1547772896573_pfSense localdomain Diagnostics States States.png

Packet captures with 0 bytes !
1_1547772896573_pfSense localdomain Diagnostics Packet Capture.png

And netstat with 0 packet error !
0_1547772896572_pfSense localdomain Diagnostics Command Prompt.png

Derelict

If the reply is not arriving on your IPsec interface there is nothing you can do about it. They have to fix it on their side.

Konstanti

@lmhaydii

Tcp 0 is the SYN packet to establish the connection, this is normal .
The bad thing is that the answer is not from the second side
It is necessary to deal with the second side
Ask them to show the answer log
Can they ping your host 192.168.50.11 ?
Can you ping their host 192.168.127.80 ?

lmhaydii

@derelict thank you. How can I determine with certitude that thier response or thier request are not arriving to my firewall ? There is any command to show up that ?