Netgate Discussion Forum

    Need some help with pfSense Site-to-Site IPSec VPN

    13 Posts 4 Posters 1.9k Views
    • Derelict LAYER 8 Netgate

      How are you testing? Where are you pinging from? To?

      You have to ping from something that has a source address in the local network and a remote address in the remote network.

      For instance, if you ping using Diagnostics > Ping you have to set the source address to LAN.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • zachelks

        Hi,

        So I've been testing by pinging the remote gateway from a computer on the network as well as pfSense. I've also tried accessing SMB drives and Web Servers.

        Here are some photos of the configuration, my instance is on the left side of the photos.

        Thanks

        [six screenshots of the IPsec configuration were attached here]

        It's also worth mentioning that I'm seeing these messages in the remote gateway:

        Mar 28 01:32:05 charon 05[ENC] <con1000|8> parsed INFORMATIONAL response 11 [ ]
        Mar 28 01:32:05 charon 05[IKE] <con1000|8> activating new tasks
        Mar 28 01:32:05 charon 05[IKE] <con1000|8> nothing to initiate
        Mar 28 01:32:07 charon 05[CFG] vici client 540 connected
        Mar 28 01:32:07 charon 05[CFG] vici client 540 registered for: list-sa
        Mar 28 01:32:07 charon 16[CFG] vici client 540 requests: list-sas
        Mar 28 01:32:07 charon 06[CFG] vici client 540 disconnected
        Mar 28 01:32:13 charon 06[CFG] vici client 541 connected
        Mar 28 01:32:13 charon 06[CFG] vici client 541 registered for: list-sa
        Mar 28 01:32:13 charon 12[CFG] vici client 541 requests: list-sas
        Mar 28 01:32:13 charon 06[CFG] vici client 541 disconnected

        • Konstanti @zachelks

          @zachelks
          Hey
          These log messages indicate that you have been to the WebGUI page /Status/IPSEC.
          Show the rules for the LAN interfaces on both sides of the tunnel
          and try disabling tinc on the left side of the tunnel.

          • zachelks @Konstanti

            @Konstanti

            Hi,

            I've disabled the tinc VPN now, but still no luck.

            Here is a screenshot of my rules:

            [screenshot of the LAN rules was attached here]

            And of the remote gateway:

            [screenshot of the remote gateway's rules was attached here]

            • Konstanti @zachelks

              @zachelks
              Hey
              What type of traffic do you have a problem with?
              The screenshots show that everything is configured correctly.
              Try to reduce the MSS (for example, make it equal to 1360) under
              VPN/IPsec/Advanced Settings
              [screenshot of the IPsec Advanced Settings page was attached here]

              or try to use a packet capture to find the place where the IP packets are being lost.

              • Derelict LAYER 8 Netgate @zachelks

                @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

                So I've been testing by pinging the remote gateway from a computer on the network as well as pfSense. I've also tried accessing SMB drives and Web Servers.

                That means nothing to anyone but you. Please detail exact tests that are not working. Details like:

                Source IP address
                Destination IP address
                Protocol (get pings (ICMP) working first)

                • zachelks @Derelict

                  @Derelict @Konstanti

                  So the tunnel is mostly working now, I unplugged the AT&T modem and plugged it back in and the tunnel came up. Thanks for your help!

                  The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple of minutes every hour; I'm thinking it has something to do with the re-keying. I have the ping option set to keep the tunnel alive (it's set to 192.168.1.1 and 192.168.2.1), and the Phase 1 and Phase 2 lifetimes are set to the same value.

                  I've attached the log from the period where the tunnel is dropping, any ideas how to address this issue?

                  [attachment: ipsec_dropped_connections.txt]

                  • Konstanti @zachelks

                    You need to check how many CHILD_SA were active at the time of the rekeying. Judging by the logs there were 2, numbers 180 and 181. Instead, 2 new active CHILD_SA, numbers 182 and 183, were created.

                    I understand this is a problem because there must be one CHILD_SA for each connection.

                    Try using the Make before break option on the /IPSEC/Advanced settings tab.

                    [screenshot of the Make before break option was attached here]

                    • Derelict LAYER 8 Netgate @zachelks
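An added example, not code from the thread, that applies Konstanti's two observations to a constructed charon log: vici client lines are the web GUI polling Status > IPsec and can be ignored, and a connection should be left with a single CHILD_SA after a rekey, so leftover SAs are the thing to look for. Log lines, connection names and SPIs are constructed, modelled on the format of the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines quoted in the thread
# (not a real capture). con1000 rekeys without closing its old CHILD_SAs,
# con2000 rekeys cleanly: the new SA comes up and the old one is closed.
SAMPLE_LOG = """\
Mar 28 01:32:07 charon 05[CFG] vici client 540 connected
Mar 28 01:32:07 charon 16[CFG] vici client 540 requests: list-sas
Mar 28 01:32:07 charon 06[CFG] vici client 540 disconnected
Mar 28 02:00:01 charon 07[IKE] <con1000|8> CHILD_SA con1000{180} established with SPIs c0a80180_i c0a80181_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 02:00:01 charon 07[IKE] <con1000|8> CHILD_SA con1000{181} established with SPIs c0a80182_i c0a80183_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 02:05:00 charon 11[IKE] <con2000|3> CHILD_SA con2000{50} established with SPIs c0a80050_i c0a80051_o and TS 10.0.1.0/24 === 10.0.2.0/24
Mar 28 03:00:01 charon 09[IKE] <con1000|8> CHILD_SA con1000{182} established with SPIs c0a80184_i c0a80185_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 03:00:01 charon 09[IKE] <con1000|8> CHILD_SA con1000{183} established with SPIs c0a80186_i c0a80187_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 03:05:00 charon 12[IKE] <con2000|3> CHILD_SA con2000{51} established with SPIs c0a80052_i c0a80053_o and TS 10.0.1.0/24 === 10.0.2.0/24
Mar 28 03:05:00 charon 12[IKE] <con2000|3> closing CHILD_SA con2000{50} with SPIs c0a80050_i c0a80051_o and TS 10.0.1.0/24 === 10.0.2.0/24
"""

ESTABLISHED = re.compile(r"CHILD_SA ([^\s{]+)\{(\d+)\} established")
CLOSING = re.compile(r"closing CHILD_SA ([^\s{]+)\{(\d+)\}")


def is_gui_poll(line: str) -> bool:
    """vici client lines are the web GUI (Status > IPsec) asking charon for
    its SA list; they say nothing about the state of the tunnel itself."""
    return "vici client" in line


def active_child_sas(log: str) -> dict:
    """Replay established/closing events and return, per connection name,
    the set of CHILD_SA numbers still active at the end of the log."""
    active = defaultdict(set)
    for line in log.splitlines():
        if is_gui_poll(line):
            continue  # skip status-page polling noise
        if m := ESTABLISHED.search(line):
            active[m.group(1)].add(int(m.group(2)))
        elif m := CLOSING.search(line):
            active[m.group(1)].discard(int(m.group(2)))
    return dict(active)


def duplicate_child_sas(log: str) -> dict:
    """Connections left with more than one CHILD_SA: the symptom discussed
    above, where a rekey adds SAs instead of replacing the old ones."""
    return {conn: sorted(ids) for conn, ids in active_child_sas(log).items()
            if len(ids) > 1}
```

Run it over a real IPsec log export and any connection reported by duplicate_child_sas() is the one whose rekey to look at; a clean rekey leaves exactly one entry per connection.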

                      @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

                      The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple minutes every hour, I'm thinking it has something to do with the re-keying.

                      So look at the IPsec logs surrounding and including one of these time periods and see what is happening.

                      • zachelks

                        Hi,

                        So I ended up resolving this issue; for those who are interested, it was an issue with the AT&T modem.

                        I have the Arris BGW-210 on both sides of the tunnel. The modem has a setting under Advanced Firewall called ESP ALG; this setting should be disabled if both sides of your tunnel are not behind NAT (pfSense has a public IP).

                        Thanks for your help getting this resolved. The tunnel is working great; I'm seeing over 300 Mbps between the networks.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.