Netgate Discussion Forum

    Need some help with pfSense Site-to-Site IPSec VPN

    13 Posts 4 Posters 1.9k Views
    • Z
      zachelks @emammadov
      last edited by zachelks

      @emammadov

      I'll get back to you with the screenshots of the IPsec firewall rules for the remote tunnel, but both should be configured like the attached screenshot.

      Annotation 2019-03-26 221140.jpg

      As of right now I'm not able to access any hosts on the remote network; I've tried hitting the remote pfSense console as well as some web applications, but I haven't had any luck yet.

      Thanks,
      Zach

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        How are you testing? Where are you pinging from? To?

        You have to ping from something that has a source address in the local network and a remote address in the remote network.

        For instance, if you ping using Diagnostics > Ping you have to set the source address to LAN.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Z
          zachelks
          last edited by zachelks

          Hi,

          So I've been testing by pinging the remote gateway from a computer on the network as well as from pfSense. I've also tried accessing SMB drives and web servers.

          Here are some photos of the configuration; my instance is on the left side of the photos.

          Thanks

          Annotation 2019-03-27 205349.jpg

          Annotation 2019-03-27 205416.jpg

          Annotation 2019-03-27 205507.jpg

          Annotation 2019-03-27 205538.jpg

          Annotation 2019-03-27 205647.jpg

          Annotation 2019-03-27 210310.jpg

          It's also worth mentioning that I'm seeing these messages in the remote gateway:

          Mar 28 01:32:05 charon 05[ENC] <con1000|8> parsed INFORMATIONAL response 11 [ ]
          Mar 28 01:32:05 charon 05[IKE] <con1000|8> activating new tasks
          Mar 28 01:32:05 charon 05[IKE] <con1000|8> nothing to initiate
          Mar 28 01:32:07 charon 05[CFG] vici client 540 connected
          Mar 28 01:32:07 charon 05[CFG] vici client 540 registered for: list-sa
          Mar 28 01:32:07 charon 16[CFG] vici client 540 requests: list-sas
          Mar 28 01:32:07 charon 06[CFG] vici client 540 disconnected
          Mar 28 01:32:13 charon 06[CFG] vici client 541 connected
          Mar 28 01:32:13 charon 06[CFG] vici client 541 registered for: list-sa
          Mar 28 01:32:13 charon 12[CFG] vici client 541 requests: list-sas
          Mar 28 01:32:13 charon 06[CFG] vici client 541 disconnected

          • K
            Konstanti @zachelks
            last edited by Konstanti

            @zachelks
            Hey,
            these log messages indicate that you have been to the WebGUI page /Status/IPSEC.
            Show the rules for the LAN interfaces on both sides of the tunnel
            and try disabling tinc on the left side of the tunnel.

            • Z
              zachelks @Konstanti
              last edited by zachelks

              @Konstanti

              Hi,

              I've disabled the tinc VPN now, but still no luck.

              Here is a screenshot of my rules:

              Annotation 2019-03-28 213547.jpg

              And of the remote gateway:

              Capture.PNG

              • K
                Konstanti @zachelks
                last edited by Konstanti

                @zachelks
                Hey,
                what type of traffic do you have a problem with?
                The screenshots show that everything is configured correctly.
                Try to reduce the MSS (for example, make it equal to 1360) under
                VPN/IPsec/Advanced Settings:
                adaf9ba9-b650-4463-8f4d-d1f0fec7d9a4-image.png

                or try to use a packet capture to find the place where the IP packets are being lost.

                • DerelictD
                  Derelict LAYER 8 Netgate @zachelks
                  last edited by

                  @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

                  So I've been testing by pinging the remote gateway from a computer on the network as well as pfSense. I've also tried accessing SMB drives and Web Servers.

                  That means nothing to anyone but you. Please detail exact tests that are not working. Details like:

                  Source IP address
                  Destination IP address
                  Protocol (get pings (ICMP) working first)


                  • Z
                    zachelks @Derelict
                    last edited by zachelks

                    @Derelict @Konstanti

                    So the tunnel is mostly working now: I unplugged the AT&T modem and plugged it back in, and the tunnel came up. Thanks for your help!

                    The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple of minutes every hour. I'm thinking it has something to do with the re-keying. I have the ping option set to keep the tunnel alive (it's set to 192.168.1.1 and 192.168.2.1), and the Phase 1 and Phase 2 lifetimes are set to the same value.

                    I've attached the log from the period where the tunnel is dropping, any ideas how to address this issue?

                    ipsec_dropped_connections.txt

                    • K
                      Konstanti @zachelks
                      last edited by Konstanti

                      You need to check how many CHILD_SAs were active at the time of the rekeying. Judging by the logs there were 2, numbers 180 and 181. Instead, 2 new active CHILD_SAs, numbers 182 and 183, were created.

                      I understand this is a problem, because there must be one CHILD_SA for each connection.

                      Try using the Make Before Break option on the IPsec/Advanced Settings tab:

                      e58076cc-de7b-4ce8-b8bb-c06e94b544d7-image.png

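Konstanti's advice is to count how many CHILD_SAs are active across a rekey. The following is an added example, not code from this thread or from pfSense/strongSwan: a Python script that replays the "established" and "closing" CHILD_SA lines that charon writes, in log order, and reports which SAs are active after each event. The log lines it runs on are constructed samples in the charon format (the poster's attached ipsec_dropped_connections.txt is not on the page); the connection name con1000 and SA numbers 180 to 183 are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the strongSwan charon log format. They are NOT the
# poster's attached ipsec_dropped_connections.txt (not on the page); they model
# the scenario described: {180}/{181} still up when rekey brings up {182}/{183}.
SAMPLE_LOG = """\
Mar 28 02:00:01 charon 07[IKE] <con1000|8> CHILD_SA con1000{180} established with SPIs c1a2b3c4_i d4e5f6a7_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 02:00:01 charon 07[IKE] <con1000|8> CHILD_SA con1000{181} established with SPIs c1a2b3c5_i d4e5f6a8_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 03:00:00 charon 09[IKE] <con1000|8> CHILD_SA con1000{182} established with SPIs c1a2b3c6_i d4e5f6a9_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 03:00:00 charon 09[IKE] <con1000|8> CHILD_SA con1000{183} established with SPIs c1a2b3c7_i d4e5f6aa_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 03:00:05 charon 11[IKE] <con1000|8> closing CHILD_SA con1000{180} with SPIs c1a2b3c4_i d4e5f6a7_o and TS 192.168.1.0/24 === 192.168.2.0/24
"""

# Timestamp prefix, then the connection name and the CHILD_SA number in braces.
ESTABLISHED = re.compile(r"^(\w{3} +\d+ [\d:]+) .*CHILD_SA (\w+)\{(\d+)\} established")
CLOSING = re.compile(r"^(\w{3} +\d+ [\d:]+) .*closing CHILD_SA (\w+)\{(\d+)\}")

def child_sa_timeline(log):
    """Replay establish/close events in log order and return one tuple per
    event: (timestamp, connection, action, sa_number, SAs active afterwards)."""
    active = defaultdict(set)
    timeline = []
    for line in log.splitlines():
        for action, pattern in (("established", ESTABLISHED), ("closing", CLOSING)):
            m = pattern.search(line)
            if not m:
                continue
            ts, conn, sa = m.group(1), m.group(2), int(m.group(3))
            if action == "established":
                active[conn].add(sa)
            else:
                active[conn].discard(sa)
            timeline.append((ts, conn, action, sa, frozenset(active[conn])))
            break
    return timeline

def overlapping_sas(log, expected=1):
    """Events after which more than `expected` CHILD_SAs are active for one
    connection: the moments to inspect when the tunnel drops at every rekey."""
    return [(ts, conn, sorted(act)) for ts, conn, _, _, act
            in child_sa_timeline(log) if len(act) > expected]

if __name__ == "__main__":
    for ts, conn, action, sa, act in child_sa_timeline(SAMPLE_LOG):
        print(f"{ts} {conn} {action:<11} {{{sa}}} active={sorted(act)}")
    for ts, conn, sas in overlapping_sas(SAMPLE_LOG, expected=2):
        print(f"{ts} {conn}: {len(sas)} CHILD_SAs active at once: {sas}")
```

Feed it the real log from Status > System Logs > IPsec around one of the drops; a count that keeps growing after each rekey points at old CHILD_SAs never being closed, while a brief overlap of old and new is what Make Before Break is expected to produce.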
                      • DerelictD
                        Derelict LAYER 8 Netgate @zachelks
                        last edited by

                        @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

                        The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple minutes every hour, I'm thinking it has something to do with the re-keying.

                        So look at the IPsec logs surrounding and including one of these time periods and see what is happening.


                        • Z
                          zachelks
                          last edited by

                          Hi,

                          So I ended up resolving this issue; for those who are interested, it was an issue with the AT&T modem.

                          I have the Arris BGW-210 on both sides of the tunnel. The modem has a setting under Advanced Firewall called ESP ALG; this setting should be disabled if both sides of your tunnel are not behind NAT (pfSense has a public IP).

                          Thanks for your help getting this resolved. The tunnel is working great; I'm seeing over 300 Mbps between the networks.
