[SOLVED]IPSec problem
-
I'm having some problems with ipsec in 2.4. With a clean install, I've created manually one site-to-site tunnel that was working previously, with 2.3.3. I can establish communication but can't ping and no traffic with old firewall rules. The only way I can ping remote is if I put the "all to all" generic rule in ipsec interface. But, if I do that, I get strange ips and protocols in states. Can't understand what's happening.
I've tried with the latest (today) beta. Hardware is A1SRi-2558 with 16GB connected thru fiber. No pppoe.
-
Same issue like https://forum.pfsense.org/index.php?topic=123892.0 ?
-
Not really. Although I have "route: writing to routing socket: Invalid argument" is something else, and disappears when I disable one of my IPSec Tunnels (net2net).
But this is different. My problem are those ips that are showing. Where are they coming from? Why I can't ping remote and with 2.3.3 I can?
-
After further investigation, it seems to be this issue:
https://forum.pfsense.org/index.php?topic=117827.0
and
https://redmine.pfsense.org/issues/6937
https://redmine.pfsense.org/issues/7015EDIT: those ip only show up when ipsec vpn on remote is from behind NAT.
-
I don't use mobile IPSEC and my WAN is not behind (my) NAT … afaik. ???
I don't mind running 2.4 so far, I am happy with 2.3.3 on my APU but the netgate SG-1000 came with 2.4 beta ...
-
I'm reverting back to 2.3.3 until IPSec is usable. ZFS and freebsd 11 would be nice to have though. But I can wait. No problem.
-
I also can wait. Just want to avoid the hassle of reinstalling on SG-1000 as long as I can.
My plan: plug in and upgrade the SG-1000 every few days and see if patches roll in ;)latest update does not fix the issue, I also rechecked that floating "sloppy" rule, does not work for me.
-
https://redmine.pfsense.org/issues/6937
https://redmine.pfsense.org/issues/7015Both bugs fixed by devs, installed today's update and IPSEC now works for me on 2.4beta with the SG-1000.
I also removed that sloppy firewall rule, btw
-
Awesome. Thanks for the report.
-
My problem are gone with latest snapshot. Thanks PFSENSE Team!
-