Netgate Discussion Forum

    IPSec site to site won't pass traffic since 21.05

    7 Posts 3 Posters 1.1k Views 3 Watching
    • mclaborn

      Since the upgrade to 21.05, my site-to-site IPSec VPN won't pass traffic. Both phases show as connected, and the byte count is going up, but I can't ping. I have static routes defined for this VPN and they are still defined, but they don't show in the routing table. Not sure if they are supposed to.

      Hardware encryption is disabled.

      Mitch

      • mclaborn @mclaborn

        I checked my 2.5.1 system at home with a similar VPN and it does show the static VPN routes in the routing table, so I suspect that is the issue here. I tried disabling and re-enabling the route, as well as deleting and re-adding it, but neither of those helped.

        Mitch

        • ru_h8n_2

          What are the specifics to your setup?

          • gabacho4 Rebel Alliance @mclaborn

            @mclaborn I’ve not had any issues with 21.05 and policy IPSec or routed IPSec. You’ll need to provide some screenshots of your setup and maybe a bit more information about your network and what you’re trying to do.

            • mclaborn

              I opened a ticket, and Netgate support discovered that the other end of the tunnel is not responding to pings, so the routes were not added. They solved it by marking that gateway as "always up".

              I don't yet know if this behavior is new in 21.05 or if the timing of the ping failure is just coincidence.

              Mitch

              • gabacho4 Rebel Alliance @mclaborn

                @mclaborn Odd indeed. I have no issues with my implementation and I don’t have to do anything special, but both endpoints that I control are pfSense. Seems like each vendor has some little quirks that one must discover and mitigate. Your problem makes great sense. If pfSense is looking for a ping response to determine if the link is up and wasn’t getting that response, the link is down/network unreachable and your packets fall on the floor. I’ll have to remember this should I encounter a similar issue.

                • mclaborn

                  Mystery solved. It was an intentional change.
                  See https://redmine.pfsense.org/issues/11296

                  Mitch

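Added example, not code from the thread or from pfSense itself: the check Mitch did by hand, comparing the static routes configured on the firewall against what is actually in the kernel routing table, and tying each missing route to the monitor state of its gateway (a gateway whose monitor pings go unanswered is treated as down and its static routes are not installed unless it is marked "always up"). The netstat dump, gateway names and addresses are constructed.

```python
import ipaddress

# Constructed sample of FreeBSD `netstat -rn -f inet` output as seen on a pfSense shell
# (hypothetical addresses, not taken from the thread).
NETSTAT_SAMPLE = """\
Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
127.0.0.1          link#5             UH          lo0
10.50.0.0/16       203.0.113.1        UGS        igb0
192.168.1.0/24     link#1             U          igb1
"""

# Constructed: static routes configured under System > Routing > Static Routes, each
# with the monitor state of its gateway ("down" = the gateway monitor gets no ping reply).
STATIC_ROUTES = [
    {"network": "10.50.0.0/16", "gateway": "WAN_GW", "status": "up"},
    {"network": "10.60.0.0/24", "gateway": "IPSEC_GW", "status": "down"},
    {"network": "10.61.0.0/24", "gateway": "IPSEC_GW", "status": "down"},
]

def parse_routes(netstat_output):
    """Return the IPv4 destinations present in a `netstat -rn` dump as CIDR strings."""
    installed = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "Destination":
            continue  # blank lines, section headers and the column header
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            installed.add(str(ipaddress.ip_network(dest, strict=False)))
        except ValueError:
            continue  # not an IPv4 destination
    return installed

def missing_static_routes(netstat_output, static_routes):
    """List configured static routes absent from the kernel table, with the likely cause."""
    installed = parse_routes(netstat_output)
    report = []
    for route in static_routes:
        net = str(ipaddress.ip_network(route["network"], strict=False))
        if net in installed:
            continue
        if route["status"] == "up":
            cause = f"gateway {route['gateway']} is up; route missing for another reason"
        else:
            cause = f"gateway {route['gateway']} is {route['status']}: monitor pings unanswered, route not installed"
        report.append((net, cause))
    return report
```

Run it on the output of `netstat -rn -f inet` from the firewall and the gateway states shown under Status > Gateways; routes listed with a down gateway are the ones to expect to reappear once the monitor IP answers or the gateway is marked "always up".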
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.