Cannot establish IPSec connection between two sites
-
I have two sites, Site A and Site B, that have been connected via an OpenVPN tunnel for almost a year now. I wanted to try out IPSec as I heard it's the way to go for Site-to-Site but I can't make it work.
- Both sites are simple home networks and use pfSense 2.4.5 on an APU2C4.
- pfSense in Site A = WAN interface assigned a public static IP (acted as the OpenVPN server before)
- pfSense in Site B = WAN interface assigned a private DHCP-reserved IP and is behind a CGNAT (acted as the OpenVPN client before)
- Both pfSense boxes use DDNS to update their public IP DNS A records
For my IPSec testing, I disabled both the OpenVPN server and client but did not delete them for now. I hope that's not an issue. Here are my IPSec settings (as I read here and here):
Site A pfSense:
Phase 1 settings:
Phase 2 settings:
Site B pfSense:
Phase 1 settings:
Phase 2 settings:
One thing I noticed is that I don't see the WAN rules for port 500 UDP and ESP in the GUI but I do see them in /tmp/rules.debug. Is this to be expected? Are they really hidden from the GUI? I don't have the disable auto-add VPN rules checked.
Here are some IPSec logs:
Site A: https://pastebin.com/qqXWfA6g
- I replaced the IPs in this log file with:
- SiteAPublicIPAssignedToWAN -> this is assigned to the WAN interface
- SiteBPublicIP -> this is NOT assigned to the WAN interface because of CGNAT
Site B: https://pastebin.com/wdpEVEv9
- I replaced the IPs in this log file with:
- SiteAPublicIPAssignedToWAN -> this is assigned to the WAN interface
- SiteBPrivateIPAssignedToWAN -> this is assigned to the WAN interface because of CGNAT
Please help. Thanks.
-
Any love here?
-
I use OpenVPN for pfSense to pfSense L2L type tunnels specifically because it works really well with FRR BGP and I haven't had the same luck (yet) with IPSEC + VTI. For me IPSEC works but is less stable with VTI and dynamic routing.
That said, I don't see an actual question in your first post. What, in particular, doesn't work? No IKE? IKE but no SA? IKE + SA but no traffic passing?
-
One thing I see in your first post is that you don't have any hash algos selected in your Phase 2.
-
@whosmatt said in Cannot establish IPSec connection between two sites:
I use OpenVPN for pfSense to pfSense L2L type tunnels specifically because it works really well with FRR BGP and I haven't had the same luck (yet) with IPSEC + VTI. For me IPSEC works but is less stable with VTI and dynamic routing.
That said, I don't see an actual question in your first post. What, in particular, doesn't work? No IKE? IKE but no SA? IKE + SA but no traffic passing?
I tend to also believe that OpenVPN is more stable than IPSec but I guess I just want to try the latter since I don't use dynamic routing anyway.
Well, I just want to know why IPSec doesn't work in my case. The connection doesn't even establish at all. I'm not familiar with the IPSec terms but I simply followed the guides I've linked to.
Is it because one site (site B) is behind CGNAT? In that case, should site A be set to responder only since it won't be able to reach the other site? In OpenVPN, site A is the server and site B is the client so the client initiates an outbound connection to the server which works well because site A has a static routable IP.
-
@whosmatt said in Cannot establish IPSec connection between two sites:
One thing I see in your first post is that you don't have any hash algos selected in your Phase 2.
Yes, because jimp said in his videos and in his guides that you don't need to select a Hash Algorithm when using AES128-GCM because it has a built-in hash already.
-
@kevindd992002 said in Cannot establish IPSec connection between two sites:
I tend to also believe that OpenVPN is more stable than IPSec but I guess I just want to try the latter since I don't use dynamic routing anyway.
I don't think OpenVPN is more stable than IPSEC in general; just that it is for me in a specific use case.
I don't know about the CGNAT question. If you think that it's a problem, you can simply try initiating traffic from the side you think should be the initiator.
If you're failing to establish even Phase 1, start with basic network troubleshooting and escalate from there. Confirming that traffic from the initiator reaches the responder is the first step.
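The "no IKE / IKE but no SA / SA but no traffic" triage above can be applied mechanically to the charon lines pfSense writes to the IPsec log. This is an added example, not code from the thread or from pfSense; the sample lines are constructed in strongSwan's message style (an assumption about the exact wording), and siteb.example.net is a placeholder hostname.

```python
import re

# Constructed sample in strongSwan/charon style, with the same IP placeholders
# the thread uses. Not taken from the pastebin dumps.
SAMPLE_LOG = """\
charon: 08[NET] <con1000|1> received packet: from SiteBPublicIP[4500] to SiteAPublicIPAssignedToWAN[4500]
charon: 08[IKE] <con1000|1> remote host is behind NAT
charon: 08[IKE] <con1000|1> IKE_SA con1000[1] established between SiteAPublicIPAssignedToWAN[SiteAPublicIPAssignedToWAN]...SiteBPublicIP[siteb.example.net]
charon: 08[IKE] <con1000|1> received NO_PROPOSAL_CHOSEN notify error
"""

# Markers for each stage of the exchange; wording assumed from strongSwan.
STAGE_PATTERNS = [
    ("nat_detected", re.compile(r"(remote|local) host is behind NAT")),
    ("ike_established", re.compile(r"IKE_SA \S+\[\d+\] established")),
    ("child_established", re.compile(r"CHILD_SA \S+\{\d+\} established")),
    ("no_proposal", re.compile(r"NO_PROPOSAL_CHOSEN")),
    ("no_config", re.compile(r"no IKE config found")),
    ("auth_failed", re.compile(r"AUTHENTICATION_FAILED")),
    ("retransmit_giveup", re.compile(r"giving up after \d+ retransmits")),
]

def triage(log_text):
    """Return which stages were seen plus a verdict in the thread's terms."""
    seen = {name: False for name, _ in STAGE_PATTERNS}
    for line in log_text.splitlines():
        for name, pat in STAGE_PATTERNS:
            if pat.search(line):
                seen[name] = True
    if seen["retransmit_giveup"] and not seen["ike_established"]:
        # Peer never answered: UDP 500/4500 reachability, CGNAT direction,
        # or the wrong side trying to initiate (responder-only question).
        verdict = "no IKE: peer never answered"
    elif seen["no_config"] or seen["auth_failed"]:
        # Reached the peer but it rejected us: My/Peer identifier or PSK.
        verdict = "IKE failed: identifier or PSK mismatch"
    elif seen["child_established"]:
        verdict = "IKE + SA up: if no traffic, check P2 networks, routes, rules"
    elif seen["ike_established"] and seen["no_proposal"]:
        verdict = "IKE up but no SA: Phase 2 proposal mismatch"
    elif seen["ike_established"]:
        verdict = "IKE up but no SA yet"
    else:
        verdict = "no IKE activity seen"
    return {"verdict": verdict, **seen}
```

Paste the real log into `SAMPLE_LOG` (or read the file) and `triage()` tells you which of the three cases you are in before you start tuning proposals.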
-
@whosmatt said in Cannot establish IPSec connection between two sites:
@kevindd992002 said in Cannot establish IPSec connection between two sites:
I tend to also believe that OpenVPN is more stable than IPSec but I guess I just want to try the latter since I don't use dynamic routing anyway.
I don't think OpenVPN is more stable than IPSEC in general; just that it is for me in a specific use case.
I don't know about the CGNAT question. If you think that it's a problem, you can simply try initiating traffic from the side you think should be the initiator.
If you're failing to establish even Phase 1, start with basic network troubleshooting and escalate from there. Confirming that traffic from the initiator reaches the responder is the first step.
Ok, I will. On another note, do you have any ideas regarding my question here?
-
Sorry for reviving this old thread but I wasn't able to get into this during the time I posted. Now that the link between the two sites is up to a maximum of 100Mbps I really need to get this working (I upgraded site B's Internet connection from 35Mbps to 100Mbps). Site A is now at 400Mbps and will soon be 800Mbps. With the current OpenVPN S2S connection using the APU2C4, I only get a max of 55Mbps or so between the sites so IPSec should theoretically solve this.
@jimp do you have any ideas on this?
Thanks.
-
I made it work! For those interested, what I did was:
- In Site A, I checked "Responder Only" in the P1 settings.
- In Site A, I changed Peer identifier to "Distinguished Name" with a value equal to "Site B hostname" in the P1 settings.
- In Site B, I changed My Identifier to "Dynamic DNS" with a value equal to "Site B hostname" in the P1 settings.
- Since I'm using Routed IPSec, I made sure to leave the "Automatically ping host" field blank for both sites in their P2 settings. This is because for Routed IPSec, you will need to add an interface for the IPSec tunnel, and gateway monitoring (which will act as a keep-alive too) is automatically configured.
Added static routes on both sides and I can get the full 100Mbps link between the two sites now :) This is just amazing and I realize how crappy OpenVPN is with high bandwidth links IF you have a multi core CPU that doesn't have a powerful single core.
-
Ok, so this is weird.
When I do an iperf3 test from Site B to Site A, I get the full 100Mbps bandwidth. When I do Site A to Site B, I get only 10Mbps! My Internet plans are:
Site A: 400/400
Site B: 100/100
Both use the same ISP and they get their full speed in speedtest.net. To further complicate things, when I download a file using SMB from either side (from Site A to Site B / from Site B to Site A) I get the full 100Mbps bandwidth! So there's something weird going on with iperf for sure. So it seems that the issue is non-existent in the real world but I'm still curious why iperf says otherwise. Any ideas? Does it have something to do with Site A being set to "responder only"?
The only change I made was that I upgraded the BIOS of the Site B APU2C4 from v4.12.0.1 to v13.0.1 while Site A's is still at v4.12.0.1. Could that have changed anything?
EDIT: If I run the same test with "-P 8", I do get the full expected bandwidth so there's that. It seems that running iperf3 with one connection from Site A to Site B is not fully utilizing the available bandwidth but, again, why? I have pretty much the same settings on these two boxes.
-
Can anybody help, please?