Netgate Discussion Forum

    [SOLVED] IPsec no incoming traffic

    2 Posts 1 Posters 1.1k Views
      seidler2547

      Hi,

      I know, this is probably the 10000th post that IPsec is not working. This is 2.3.1_1 upgraded from 2.2->beta->2.3 etc.
      Situation is mobile IPsec with Xauth RSA. Both phases succeed, but incoming traffic is not "seen" by pfSense. I have tried 3DES, SHA1, setting up the client from scratch, disabling and enabling the Unity plugin etc. Nothing helps. Client is an Android 6.0 phone, built-in IPsec.

      Attached are the logs of a tcpdump, showing that the client's packets are arriving at pfSense, but it seems they are not "used"? Also, when I start pinging the client, I can see that the ICMP requests reach the client, and the replies reach pfSense, but again, the replies are somehow discarded; it feels as if they never reach strongswan or strongswan somehow doesn't give them out.

      Also attached a log of pfSense IPsec, and a screenshot showing 0 incoming packets.

      Any more things I can try?

      Stefan
      Attachments: screen.png, ipsec-tcpdump.txt, ipsec-logs.txt

        seidler2547

        Ok, after hours on end I found the problem: SHA256 in P2 doesn't work. As soon as I changed it to SHA1 (or MD5, but I will not use that!) everything started working perfectly. Can't test SHA384/512 because the client doesn't support these.

        The phenomenon was: netstat -sp esp showed all "packets dropped; bad ilen". Hope this helps, but it would be interesting to find out why SHA256 is not working.

        Stefan

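The symptom in the second post (Phase 2 with SHA256 fails, "packets dropped; bad ilen" climbs, SHA1 works) is what FreeBSD's ESP input path reports when the encrypted payload length does not come out as a multiple of the cipher block size, and the usual reason for that is that the two peers disagree on the ICV length: RFC 4868 gives HMAC-SHA-256 in ESP a 128-bit (16-byte) ICV, while some peers truncate it to 96 bits (12 bytes), leaving the receiver's length computation 4 bytes off. The following Python is an added example written for this page, not code from the thread, pfSense or strongSwan; it models that length check, shows why neither AES nor 3DES rescues a truncation mismatch while SHA1-96 sails through, and pulls the counter out of a constructed `netstat -sp esp` excerpt. The assumption that the poster's client used the 96-bit truncation is exactly that, an assumption.

```python
"""
Added example (not from the forum thread): model the FreeBSD ESP input
length check behind the "packets dropped; bad ilen" counter, and show how
a Phase 2 integrity-algorithm mismatch trips it.

esp_input() in FreeBSD's netipsec/xform_esp.c computes
    plen = packet_len - (ESP header + IV + ICV)
with the ICV length taken from the *receiver's* SA, and bumps
esps_badilen when plen is not a positive multiple of the cipher block
size.  RFC 4868 gives HMAC-SHA-256 in ESP a 128-bit (16-byte) ICV; a
peer that truncates to 96 bits (12 bytes) leaves plen 4 bytes short,
which is never a multiple of 8 or 16.  HMAC-SHA1-96 is 12 bytes on both
sides, so it passes.  All packet sizes and the netstat text are constructed.
"""
import re

ESP_HDR_LEN = 8  # SPI (4 bytes) + sequence number (4 bytes)

# ICV (integrity check value) length in bytes per ESP integrity algorithm.
ICV_LEN = {
    "hmac-sha1-96": 12,
    "hmac-sha2-256-128": 16,  # RFC 4868 truncation (what FreeBSD/pfSense expects)
    "hmac-sha2-256-96": 12,   # non-standard 96-bit truncation (assumed peer behaviour)
}

# Block size in bytes for CBC ciphers; the IV is one block long.
BLOCK_LEN = {"aes-cbc": 16, "3des-cbc": 8}


def sender_esp_len(cipher, inner_len, integ):
    """Length of the ESP packet a sender emits for an inner packet of inner_len bytes."""
    block = BLOCK_LEN[cipher]
    body = inner_len + 2        # + pad length (1) + next header (1)
    body += (-body) % block     # pad up to a whole cipher block
    return ESP_HDR_LEN + block + body + ICV_LEN[integ]


def receiver_ilen_check(cipher, esp_len, integ):
    """Mirror of the esps_badilen condition; returns (accepted, plen)."""
    block = BLOCK_LEN[cipher]
    plen = esp_len - (ESP_HDR_LEN + block + ICV_LEN[integ])
    return (plen > 0 and plen % block == 0), plen


def esp_accepted(cipher, sender_integ, receiver_integ, inner_len=84):
    """True if a packet built with sender_integ passes a receiver using receiver_integ.

    Default inner_len 84 = a 64-byte ICMP echo inside a 20-byte IPv4 header,
    matching the ping test described in the thread.
    """
    esp_len = sender_esp_len(cipher, inner_len, sender_integ)
    accepted, _ = receiver_ilen_check(cipher, esp_len, receiver_integ)
    return accepted


# Constructed excerpt in the style of `netstat -sp esp` on pfSense/FreeBSD.
SAMPLE_NETSTAT = """\
esp:
\t0 packets shorter than header shows
\t0 packets dropped; no TDB
\t137 packets dropped; bad ilen
\t0 packets dropped; bad mac
"""


def bad_ilen_count(netstat_output):
    """Pull the 'bad ilen' drop counter out of netstat -sp esp output (0 if absent)."""
    m = re.search(r"^\s*(\d+) packets dropped; bad ilen", netstat_output, re.M)
    return int(m.group(1)) if m else 0


if __name__ == "__main__":
    print("bad ilen drops in sample:", bad_ilen_count(SAMPLE_NETSTAT))
    for cipher in BLOCK_LEN:
        for sender, receiver in [("hmac-sha2-256-96", "hmac-sha2-256-128"),
                                 ("hmac-sha1-96", "hmac-sha1-96")]:
            verdict = "ok" if esp_accepted(cipher, sender, receiver) else "bad ilen"
            print(f"{cipher:8} {sender:18} -> {receiver:18} {verdict}")
```

Run on a pfSense box, the practical check is the same as the poster's: watch `netstat -sp esp` while the client sends traffic. If only the "bad ilen" line moves and Phase 2 negotiated SHA256, suspect an ICV truncation mismatch before suspecting firewall rules or routing, since the packet is being discarded inside ESP input, before strongSwan or the firewall ever sees the decrypted payload.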
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.