[SOLVED] IPsec no incoming traffic



  • Hi,

    I know, this is probably the 10000th post that IPsec is not working. This is 2.3.1_1 upgraded from 2.2->beta->2.3 etc.
    Situation is mobile IPsec with Xauth RSA. Both phases succeed, but incoming traffic is not "seen" by pfSense. I have tried 3DES, SHA1, setting up the client from scratch, disabling and enabling the Unity plugin etc. Nothing helps. Client is an Android 6.0 phone, built-in IPsec.

    Attached are the logs of a tcpdump, showing that the clients packets are arriving at pfSense, but it seems they are not "used"? Also, when  I start pinging the client, I can see that the ICMP requests reach the client, and the replies reach pfSense, but again, the replies are somehow discarded, is feels as if they never reach strongswan or strongswan somehow doesn't give them out.

    Also attached a log of pfSense IPsec, and a screenshot showing 0 incoming packets.

    Any more things I can try?

    Stefan


    ipsec-tcpdump.txt
    ipsec-logs.txt



  • Ok, after hours on end I found the problem: SHA256 in P2 doesn't work. As soon as I changed it to SHA1 (or MD5, but I will not use that!) everything started working perfectly. Can't test SHA384/512 because the client doesn't support these.

    The phenomenon was: netstat -sp esp showed all "packets dropped; bad ilen". Hope this helps, but it would be interesting to find out why SHA256 is not working.

    Stefan


Log in to reply