TheSec last edited by
Let me explain my setup and then tell you what is going wrong. Then you have some sense of the network :) FYI: this is a very complex system simplified ;)
I have site A there is a Hillstone, located there. It connects to site B where is have pfSense latest version. Subnet A 192.168.100.0/24 is located @ site A. Site B doesn't have a Subnet, But Site C (Juniper) does 192.168.200.0/24 which also has a ipsec connection to site B. Only IKEv2 is used. So i have the following setting:
Site A(Hillstone) < - > Site B(pfSense) < - > Site C (Juniper)
Subnets on ipsec from A to B : L:192.168.100.0/24 == R:192.168.200.0/24
Subnets on ipsec from B to C : L:192.168.200.0/24 == R:192.168.100.0/24
This sort off works but not all protocols work going from A to C. In the pfSense logs i found that it has trouble with host A -> host C on protocol: TCP:A, now as far as i have read online the fix for this is to use sloppy state tables. But the fun doesn't end there ;D. Because if i use sloppy state tables then i have the following error host C -> host A on protocol TCP:SA :o
For different reasons i can't make a ipsec from site A directly to site C.
I was considering just using random subnets between the site's and building GRE tunnels over which i can setup a routing protocol(OSPF/BGP/etc.) then it shouldn't have this issues. But for now i would like to stick with this setup. if theres anyone that can point me in a direction where to look to fix this problem, i would really appreciate it 8)
with tcpdump on the pfSense host B i can see that some packets are coming from 1 SPI session going and leaving through another SPI session and vice versa ofc. Ping etc also works but that's because it isn't a statefull protocol.