No traffic over p2p shared key tunnel after upgrade to 2.3.4 (coming from 2.2.5)



  • Hi,

    We finally upgraded to 2.3.x of pfSense, coming from 2.2.5.

    Now I have the problem that the VPN p2p tunnel we had is not working anymore.
    When I look at the routing (which was proposed in the other forum) it looks ok to me, but I cannot even ping the tunnel IPs on either side.

    On the server side I have the following:
    Tunnel network ip is 10.0.9.1
    Local network is 10.1.12.0/24

    routing:
    default 192.168.178.1 UGS 40676 1500 fxp0
    10.0.9.1 link#11 UHS 0 16384 lo0
    10.0.9.2 link#11 UH 656 1500 ovpns4
    127.0.0.1 link#8 UH 7122 16384 lo0
    192.168.0.0/24 10.0.9.2 UGS 1592 1500 ovpns4
    192.168.100.0/24 10.0.9.2 UGS 250 1500 ovpns4

    On the client side I have the following:
    Tunnel network IP is 10.0.9.2
    Local network is 192.168.0.0/24 and 192.168.100.0/24

    routing:
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    default        gateway        0.0.0.0        UG    100    0        0 enp5s0
    10.0.9.1        0.0.0.0        255.255.255.255 UH    0      0        0 ovpnc2
    10.1.12.0      10.0.9.1        255.255.255.0  UG    0      0        0 ovpnc2
    192.168.0.0    0.0.0.0        255.255.255.0  U    100    0        0 enp4s1

    The VPN tunnel connection is ok.
    And the firewall lets everything through to these networks.
    But when I try to ping 10.0.9.2 from the firewall I get 100% packet loss.
    The same on the client when pinging 10.0.9.1.

    If I ping the machine's own tunnel IP it works.

    The weird thing is, though, that when looking in the states table I sometimes see states between the two networks.

    Config server side:

    General information:
    Server mode: Peer to Peer (Shared key)
    Protocol : UDP
    Device mode: tun
    Interface: <our external IP>
    Local port: 1197

    Cryptographic Settings:
    Shared Key: <key>
    Encryption Algorithm: AES-256-CBC (256 bit key, 128 bit block)
    Auth digest algorithm: SHA1 (160-bit)
    Hardware crypto: No hardware….

    Tunnel settings
    IPv4 Tunnel network: 10.0.9.0/24
    IPv4 Remote networks: 192.168.0.0/24,192.168.100.0/24
    Compression : No preference
    Type of service: not checked
    Duplicate connection: not checked
    Disable IPv6: checked

    Advanced configuration
    Custom Options: empty

    Config client side:
    dev ovpnc2
    dev-type tun
    tun-ipv6
    #dev-node /dev/tun2
    #writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    #script-security 3
    #daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    #up /usr/local/sbin/ovpn-linkup
    #down /usr/local/sbin/ovpn-linkdown
    local 192.168.254.250
    lport 0
    #management /var/etc/openvpn/client2.sock unix
    remote <our external IP>
    #remote lin.nagios.ca.clicks2customers.com
    port 1197
    ifconfig 10.0.9.2 10.0.9.1
    route 10.1.12.0 255.255.255.0
    secret /etc/openvpn/dqna_hq.secret
    #secret /etc/openvpn/static_v2.key
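Added example, not from the thread or from pfSense/OpenVPN: a small Python check that compares the client-side directives quoted above (`dev`, `ifconfig`, `route`) with the client's `route -n` table, confirming the kernel really has the /32 host route to the peer on the tun device and each configured remote network via that peer. It assumes the directive and column formats shown in the post; in this thread the routes were in fact present and the cause turned out to be a stale client process, so this covers only the routing half of the diagnosis.

```python
import ipaddress
# Both inputs are constructed copies of what the client-side post above shows.
CLIENT_CONFIG = """\
dev ovpnc2
ifconfig 10.0.9.2 10.0.9.1
route 10.1.12.0 255.255.255.0
"""
ROUTE_N = """\
Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
default        gateway        0.0.0.0        UG    100    0        0 enp5s0
10.0.9.1        0.0.0.0        255.255.255.255 UH    0      0        0 ovpnc2
10.1.12.0      10.0.9.1        255.255.255.0  UG    0      0        0 ovpnc2
192.168.0.0    0.0.0.0        255.255.255.0  U    100    0        0 enp4s1
"""
def parse_config(text):
    """Return (dev, peer_ip, [remote networks]) from an OpenVPN client config."""
    dev, peer, nets = None, None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out directive
        if parts[0] == "dev":
            dev = parts[1]
        elif parts[0] == "ifconfig":
            peer = parts[2]  # second argument is the remote tunnel endpoint
        elif parts[0] == "route":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return dev, peer, nets
def parse_route_n(text):
    """Parse `route -n` output into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # first line is the column header
        dst, gw, mask, _flags, *_counters, iface = line.split()
        if dst == "default":
            dst, mask = "0.0.0.0", "0.0.0.0"
        routes.append((ipaddress.ip_network(f"{dst}/{mask}"), gw, iface))
    return routes
def missing_routes(config_text, route_text):
    """List kernel routes the config implies but the table lacks (empty = consistent)."""
    dev, peer, nets = parse_config(config_text)
    routes = parse_route_n(route_text)
    problems = []
    if not any(n == ipaddress.ip_network(f"{peer}/32") and i == dev for n, _g, i in routes):
        problems.append(f"no host route to peer {peer} on {dev}")
    for net in nets:
        if not any(n == net and g == peer and i == dev for n, g, i in routes):
            problems.append(f"no route to {net} via {peer} on {dev}")
    return problems
```

Running `missing_routes(CLIENT_CONFIG, ROUTE_N)` on the quoted tables returns an empty list, which is exactly the "routing looks ok" situation in the post; a non-empty result points at a route the tunnel setup never installed.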



  • Ok I can shoot myself.
    Found the problem after lots of side testing and not working.

    The other side needed a fresh start of the OpenVPN client :o ::).

    Got a bit sidetracked by the fact it connects automatically and tunnel seemed to be functional (without traffic).



  • I logged on to my pfSense today and was pretty horrified to see a 502 error page. I didn't want to reboot until I understood the cause. I did have the OpenVPN Widget and IPSec VPN Widget running on the homepage of pfSense. I also changed my firewall logs to show 20 results, show FAIL & REJECT, and refresh every 1 second. Perhaps this was a bit too aggressive. My OpenVPN clients couldn't connect via OpenVPN but IPSec VPN was able to still connect.

    As advised earlier, restarting PHP-FPM using the numerical menu options in the pfSense console allowed the OpenVPN tunnels to connect again, and removed the 502 error.

    Hope this helps.

