Netgate Discussion Forum
    6th and 7th IPSec tunnel traffic not passing

    10 Posts 3 Posters 1.1k Views
naiw

We have been using a cloud based pfSense (hosted with Vultr's New Jersey datacenter) for about a year or so now for our company.

It has been GREAT!

We have 5 sites connected to our cloud infrastructure.

The 5 sites are using Zyxel USG20-vpn appliances and are working great.

We have then added a 6th site using another pfSense virtual appliance (hosted with Vultr's Seattle datacenter).

Since adding this 6th IPsec tunnel:

• The tunnel gets established but no traffic is passing between the sites.

• We have also added a 7th IPsec tunnel using another Zyxel USG20-vpn appliance and have the same issue: the tunnel gets established but no traffic is passing.

Would anyone have any ideas on what may be causing this?

Is there a limitation on the number of IPsec tunnels each pfSense can support?

dotdash

You shouldn't have any trouble with six, I've had boxes with nearly forty active tunnels.

naiw

Thanks for the reply.

Can you help me shed any light on what to check?

I've recreated the tunnels one too many times to count but cannot get the 6th and 7th tunnels to route traffic, even though the first site-to-site tunnels are functioning flawlessly.

dotdash

All of your P2s are unique? Are you seeing anything in the logs?

naiw @dotdash

@dotdash I haven't gotten this resolved.

The only issue is between my two cloud VPN pfSense boxes.

The P1 and P2 tunnel gets established but absolutely 0 traffic passes.

There is no info in the logs on either instance related to this.

Site A to Site C works 100%
Site B to Site C works 100%
Site A to B connects but traffic never ever passes.

dotdash

Nothing in the logs? All subnets are unique? You could try a packet capture and see what's going on.

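One way to answer dotdash's "are all your P2s and subnets unique?" question before reaching for a packet capture: the checker below (an added example, not code from this thread or from pfSense) takes the phase 2 traffic selectors of every tunnel on one firewall and flags pairs whose local and remote networks overlap, which is exactly the misconfiguration that leaves a tunnel established but carrying nothing. Tunnel names and subnets in the sample are constructed, not the poster's real addressing.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample: phase 2 selectors configured on one hub pfSense
# (hypothetical tunnel names and subnets, not the thread's real ones).
SAMPLE_P2 = [
    {"tunnel": "SiteA-SiteC", "local": "10.1.0.0/24", "remote": "10.3.0.0/24"},
    {"tunnel": "SiteA-SiteD", "local": "10.1.0.0/24", "remote": "10.4.0.0/24"},
    {"tunnel": "SiteA-SiteB", "local": "10.1.0.0/24", "remote": "10.2.0.0/16"},
    {"tunnel": "SiteA-SiteE", "local": "10.1.0.0/24", "remote": "10.2.5.0/24"},
    {"tunnel": "SiteA-SiteF", "local": "10.1.0.0/24", "remote": "10.1.0.128/25"},
]


def check_phase2(entries):
    """Return (tunnel_x, tunnel_y, reason) tuples for selector conflicts.

    Two phase 2 entries whose local AND remote selectors overlap compete for
    the same kernel security-policy match: one SA carries the traffic, the
    other negotiates fine but never sees a packet.
    """
    findings = []
    # 1. A phase 2 whose remote side overlaps its own local side would try to
    #    push the firewall's own LAN into the tunnel; flag it against itself.
    for e in entries:
        local, remote = ip_network(e["local"]), ip_network(e["remote"])
        if local.overlaps(remote):
            findings.append((e["tunnel"], e["tunnel"],
                             f"local {local} overlaps its own remote {remote}"))
    # 2. Any two phase 2 entries that both cover the same local->remote flow.
    for a, b in combinations(entries, 2):
        la, ra = ip_network(a["local"]), ip_network(a["remote"])
        lb, rb = ip_network(b["local"]), ip_network(b["remote"])
        if la.overlaps(lb) and ra.overlaps(rb):
            findings.append((a["tunnel"], b["tunnel"],
                             f"remote {ra} overlaps {rb}"))
    return findings


if __name__ == "__main__":
    for x, y, why in check_phase2(SAMPLE_P2):
        print(f"{x} <-> {y}: {why}")
```

Run it against both ends of a failing tunnel; a conflict only needs to exist on one side to stop traffic.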
naiw @dotdash

@dotdash 100% unique subnets.

Let me try a capture and see.

TBH looking in the logs I can't think of anything that sticks out but

Below are the captures and, as you can see, there is absolutely no IPsec traffic from Site A to Site C, but from Site A to Site C there is traffic.

SiteA to SiteC
[image: SiteA-SiteC.png]

SiteA to SiteB
[image: SiteA-SiteB.png]

SiteA to SiteB in promiscuous mode
[image: SiteA-SiteB prmiscuous.png]

Derelict (LAYER 8, Netgate)

Dozens if not hundreds. No, there's no limit. You misconfigured something at one or both ends.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

naiw @Derelict

@Derelict I appreciate the input :)

• I have recreated the tunnel dozens of times over

• I have made sure there are no duplicate P2 IPs

• The tunnel comes up every time but traffic never passes

• There are a total of 7 tunnels:
  (I did not set up a mesh as we do not require it)

• Site A (West Coast Cloud pfSense)
  • Site A to C works
  • Site A to D works
  • Site A to E works
  • Site A to F works
  • Site A to G works
  • Site A to H works

• Site B (East Coast Cloud pfSense)
  • Site B to C works
  • Site B to D works
  • Site B to E works
  • Site B to F works
  • Site B to G works
  • Site B to H works

• Site A to Site B
  • connects but never passes traffic

Derelict (LAYER 8, Netgate)

Then post your exact, detailed config.

If it was done correctly it would be working. ;)
