Netgate Discussion Forum

    Ipsec traffic stops passing

      Spider2323

      I have a client using a pfSense / Shrewsoft setup. They had been running pfSense 2.1.5 with Shrewsoft 2.2.2, and it suddenly stopped passing IPsec traffic (tunnel enables, but doesn't pass traffic). There was an allow-all rule under the IPsec firewall rules. Keeping in mind - before upgrading - nothing had changed!

      Restarted the firewall - no effect...
      I've seen this screwy problem with 2.1.5 before, and remembered that racoon was changed out for strongSwan in the newer version, so I updated the firewall to the latest version. This had no effect.

      I then pulled out all of the Phase-1/2 settings and set things up from scratch - tunnel enables and links up - but no traffic passes. I hopped on the console and ran a tcpdump command to watch ICMP traffic on the LAN interface. Then I started a ping from the remote (client) end - nothing ever shows up.

      I tried changing my settings so that the virtual IP addresses were not a subset of the LAN addresses (I had been using proxy-ARP to make this work previously) - the LAN is 10.20.30.0/24, where I was using 10.20.30.200/29 for virtual IPs; switched this to be 192.168.200.0/24 - still no effect.

      I've also tried setting the 10.20.30.200/29 for the virtual IPs and unchecking VPN -> IPsec -> Enable Bypass for LAN Interface IP where it was checked previously - this didn't help.

      I've ripped out and replaced the IPsec settings totally again - no effect. Ripped out and replaced the IPsec allow-any rule - nothing. Enabled logging on the IPsec firewall rule - nothing shows up.

      Checked the system logs - nothing related other than a note that using a PSK configuration with aggressive mode is considered insecure. ("php-fpm[40614]: /vpn_ipsec_settings.php: WARNING: Setting i_dont_care_about_security_and_use_aggressive_mode_psk option because a phase 1 is configured using aggressive mode with pre-shared keys. This is not a secure configuration.")

      I have this same setup in numerous locations - so I'm confident that it works! However here, it just stopped working all of a sudden - and hasn't worked no matter what is going on. The last thing I might normally try would be to rip out the entire firewall and re-setup from scratch - but this is also very time consuming and a very imprecise solution (I trust there are better solutions for pfSense than reset to factory and start over).

      Here's a copy of my current IPsec setup:
      Key Exchange = V1
      IP version = IPV4
      Interface= WAN

      Phase 1 Proposal
      Method = Mutual PSK + XAuth
      Negotiation Mode = Aggressive
      Identifier = My IP Address
      Peer = KeyID Tag w/tag = (not listed here)
      PSK = (not listed here)

      Phase 1 Proposal (algorithms)
      Encryption = AES/128
      Hash = SHA1
      DH = 2
      Lifetime = 28800

      Disable rekey (unchecked)

      Responder only (unchecked)

      Nat Traversal = AUTO
      DPD

        Delay = 10 seconds
        Retries = 5

      Phase 2 settings
      Model = Tunnel IPV4
      mode-type = Tunnel IPV4
      Local network = Lan Subnet
        NAT/BINAT = None

      Phase 2 Proposal (SA/Key Exchange)
      Protocol = ESP
      Encryption = AES/128bit
      HASH = SHA1
      PFS = off
      Lifetime = 3600

      Mobile-Clients (tab)

      IKE Extensions = enable IPsec Mobile Client support

      XAUTH
      Use = Local database
      Group-authentication = none

      Virtual Address Pool

      Provide Virtual IP address to clients

        Network = 10.20.30.200/29
        Note: the LAN network is 10.20.30.0/24, the above is a section of
        Note 2: I have also tried changing this to 192.168.200.0/24 and this did not work either

      Provide network list

      Allow clients to save XAuth password

      Any ideas please??
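As an added example (not from the post, pfSense or Shrewsoft), a small Python checker for the configuration and symptom described above. The field names and sample values are constructed from the post, and enc0 is assumed to be the interface on which pfSense presents decrypted IPsec traffic.

```python
import ipaddress

# Constructed from the configuration listed in the post (hypothetical field names).
POSTED_CONFIG = {
    "negotiation_mode": "Aggressive",     # Phase 1 "Negotiation Mode"
    "auth_method": "Mutual PSK + XAuth",  # Phase 1 "Method"
    "lan_subnet": "10.20.30.0/24",        # Phase 2 "Local network = LAN subnet"
    "virtual_pool": "10.20.30.200/29",    # Mobile Clients "Virtual Address Pool"
}

def audit(cfg):
    """Return (severity, message) findings for a mobile-IPsec configuration."""
    findings = []
    lan = ipaddress.ip_network(cfg["lan_subnet"])
    pool = ipaddress.ip_network(cfg["virtual_pool"])
    if "PSK" in cfg["auth_method"] and cfg["negotiation_mode"].lower() == "aggressive":
        # The same condition behind the i_dont_care_about_security... log line:
        # in aggressive mode the identity and PSK-derived hash travel unencrypted,
        # so a weak PSK can be guessed offline by anyone who captured the exchange.
        findings.append(("high", "aggressive mode with PSK; prefer main mode "
                                 "or certificate authentication"))
    if pool.overlaps(lan):
        # Clients get addresses inside the LAN prefix, so LAN hosts ARP for them
        # and the firewall must answer (proxy ARP) or replies never reach the tunnel.
        findings.append(("info", f"virtual pool {pool} lies inside LAN {lan}; "
                                 "return traffic depends on proxy ARP"))
    return findings

def triage(seen_on_enc0, seen_on_lan, reply_seen_on_lan):
    """Narrow down 'tunnel up, no traffic' from three tcpdump observations:
    decrypted client packets on enc0 (assumed to be the IPsec interface on
    pfSense), the same packets leaving the LAN interface, and the LAN host's
    reply arriving back on the LAN interface."""
    if not seen_on_enc0:
        return ("nothing decrypted: the client is not sending into the tunnel, "
                "or the Phase 2 selector does not cover the destination")
    if not seen_on_lan:
        return ("dropped between enc0 and LAN: check the IPsec-tab firewall "
                "rules and the route for the local network")
    if not reply_seen_on_lan:
        return ("LAN host never answers: host firewall, or no proxy ARP/route "
                "for the client's virtual address")
    return "both directions seen on LAN: check the reply's SPD/SA selector"

if __name__ == "__main__":
    for sev, msg in audit(POSTED_CONFIG):
        print(f"[{sev}] {msg}")
    # The post's observation: nothing from the client ever shows up on LAN.
    print(triage(seen_on_enc0=False, seen_on_lan=False, reply_seen_on_lan=False))
```

Running tcpdump on enc0 before the LAN interface tells you which of the two first branches applies; the post only captured on LAN, so both remain open.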

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.