Netgate Discussion Forum

    VPN established but no traffic through the tunnel

Category: 2.0-RC Snapshot Feedback and Problems - RETIRED
25 Posts, 7 Posters, 12.3k Views
jchelink:

      Hi,

      version 2.0 ALPHA-ALPHA (Embedded)
I've set up a site-to-site VPN; the connection was made correctly:

      racoon: [VPN]: INFO: IPsec-SA established: ESP 80.XXX.XXX.XXX[500]->82.XXX.XXX.XXX[500] spi=4028923628(0xf0247eec)

but no traffic is going through the IPsec tunnel; the firewall:rules:ipsec (enc0) is on pass all (any)! And always the same error in the logs:
      rule 4/0(match): block out on enc0

That's weird because I can ping the remote network without problem; also I can make a connection on any port for a few seconds... and then it goes down (I've tried an scp file transfer --> it started and stalled; same thing with MS DS --> browse the remote network for a few seconds and lose the connection, etc., with any port).

Has someone tested this? Maybe I missed something (?)

databeestje:

        Seems like a genuine firewall rule issue.

        Does the LAN rule allow for traffic to the remote VPN network?

        If the tunnel keeps dropping I suggest fixing that first. You should normally only see the established message after the ph2 lifetime expires.

morbus:

          I can confirm I am seeing the same thing.

It seems to be to do with this rule:

scrub on carp1 all max-mss 1372 fragment reassemble

as I get blocks like this on packets that should pass:

Nov  3 16:13:08 pfwall1 pf: 792309 rule 4/0(match): block out on enc0: (tos 0x0, ttl 127, id 61099, offset 0, flags [DF], proto TCP (6), length 40) 192.168.2.4.7277 > 192.168.1.251.80:  tcp 20 [bad hdr length 0 - too short, < 20]

It seems to have something to do with MSS clamping, as I normally have to reduce the MTU on one end attached to Ethernet to 1412 to cope with the other end being on ADSL PPPoE, but to get it to work now I have to clamp the ADSL end to 1300 as well. It seems to work with small packets normally, e.g. ssh, but bigger stuff, e.g. a web page, won't load. Strangely the webGUI always works; I guess this is the anti-lockout rule at work.

jzsjr:

I'm not sure what version I upgraded to, but I'm now having IPsec site-to-site VPN issues since Friday. The tunnel is established but it'll drop, pick up and drop again. No firewall rule changes.

            Jim

jchelink:

_Yes! Morbus, you're right, I changed the MTU values like this:

if:vr0(lan) --> MTU 1412
if:pppoe(wan) --> MTU 1372

              everything works fine now,
              Thanks a lot for your help  ;)_

Correction: I made a mistake and the logs didn't refresh fast enough; I thought it was good, but the problem is still there. I have now reduced the WAN MTU to 1300 and the same thing happened :(
Example with MS DS (browse network):
              rule 4/0(match): block out on enc0: (tos 0x0, ttl 127, id 13061, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.87.1138 > 192.168.1.1.445: [|tcp]

Same thing with any port... I can tell you my firewall rules for LAN + IPsec (enc0) are now on pass all any/any!

Does someone have an idea?

eri--:

Test the latest snapshot and report back; it should be fixed.

jzsjr:

                  Uhmm, my tunnel is no longer passing any data.  It went from cutting in and out to totally out now.  :(

                  Please let me know what log information to post if need be.

eri--:

Please post the output of the command:

sysctl net.enc

morbus:

Mine is:

# sysctl net.enc
net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0000000000
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000002

I think net.enc.out.ipsec_filter_mask should be 1 rather than 0, as this fixes it on mine:

sysctl net.enc.out.ipsec_filter_mask=0x00000001
eri--:

0 should disable filtering altogether on outgoing packets, since you really cannot write rules for outgoing packets except from the floating rules tab.

jzsjr:

                          Here is mine:

(attachment: vpnissue.jpg)

Accounts:

Mine's the same, jzsjr... Same problem as the rest in this topic.

sullrich:

Try changing the sysctls to:

                              sysctl net.enc.out.ipsec_bpf_mask=0x00000002
                              sysctl net.enc.out.ipsec_filter_mask=0x00000002
                              sysctl net.enc.in.ipsec_bpf_mask=0x00000001
                              sysctl net.enc.in.ipsec_filter_mask=0x00000001

jzsjr:

                                Where does one change this?

sullrich:

From a shell or SSH session (option 8), or from Diagnostics -> Command -> Shell command.

eri--:

Upgrade to the latest snapshot.

jzsjr:

                                      Okay.  I wasn't sure if it was a command or located in sysctl.conf (but there is nothing really in that file).

                                      thanks,
                                      Jim

jzsjr:

                                        Thanks Sullrich.  Those commands did the trick.

                                        Ermal, not sure what is up with the auto updater now but this is what I get:

                                        Auto upgrade aborted.

                                        Downloaded SHA256:

                                        Needed SHA256: bad9308e0d492d9701e60766cf747777024b005cdad4819bba193fa8d7a6dfa8

                                        Also I don't know where the 2.0 files are now for a manual upgrade.  When I go to the old listing under _1 I see 1.2.1 files.

                                        thanks,
                                        Jim

eri--:

Those 1.2.1 files should be the 2.0 updates; not sure why they are called 1.2.1!

jzsjr:

                                            Sullrich & Ermal,

                                            Latest snapshot shows:

                                            $ sysctl net.enc
                                            net.enc.out.ipsec_bpf_mask: 0000000000
                                            net.enc.out.ipsec_filter_mask: 0x00000002
                                            net.enc.in.ipsec_bpf_mask: 0000000000
                                            net.enc.in.ipsec_filter_mask: 0x00000001

                                            Should they show what Sullrich suggested earlier in this thread?
                                            thanks,
                                            Jim

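To answer jzsjr's last question in a repeatable way, here is a small POSIX shell helper (an added example, not from the thread or from pfSense itself) that compares `sysctl net.enc` output against the four values sullrich posted above; it assumes those values are the intended ones and that the output has the `key: value` form shown in the posts.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): compare the output of
# `sysctl net.enc` with the values sullrich recommends in this thread.
# Live use on the firewall:  sysctl net.enc | check_enc_sysctls

# expected_enc_value KEY: print the recommended value for KEY (taken from
# sullrich's post); fails for keys the check does not know about.
expected_enc_value() {
    case "$1" in
        net.enc.out.ipsec_bpf_mask)    echo 0x00000002 ;;
        net.enc.out.ipsec_filter_mask) echo 0x00000002 ;;
        net.enc.in.ipsec_bpf_mask)     echo 0x00000001 ;;
        net.enc.in.ipsec_filter_mask)  echo 0x00000001 ;;
        *) return 1 ;;
    esac
}

# check_enc_sysctls: read "key: value" lines on stdin; for every known key whose
# value differs from the recommendation, print both values and the sysctl
# command that fixes it. Exit status is the number of mismatches.
check_enc_sysctls() {
    bad=0
    while IFS=': ' read -r key actual; do
        expected=$(expected_enc_value "$key") || continue   # unknown key: skip
        # compare numerically so "0000000000" and "0x00000000" count as equal
        if [ "$((actual))" -ne "$((expected))" ]; then
            echo "$key is $actual, expected $expected  ->  sysctl $key=$expected"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# count_enc_mismatches OUTPUT: print the number of mismatching keys in OUTPUT
# (a string in sysctl's "key: value" format).
count_enc_mismatches() {
    printf '%s\n' "$1" | check_enc_sysctls | wc -l | tr -d ' \t'
}

# Constructed samples, copied from the outputs morbus and jzsjr posted above.
MORBUS_OUTPUT="net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0000000000
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000002"
LATEST_OUTPUT="net.enc.out.ipsec_bpf_mask: 0000000000
net.enc.out.ipsec_filter_mask: 0x00000002
net.enc.in.ipsec_bpf_mask: 0000000000
net.enc.in.ipsec_filter_mask: 0x00000001"
printf '%s\n' "$MORBUS_OUTPUT" | check_enc_sysctls || echo "$? setting(s) differ"
```

Run against jzsjr's latest-snapshot output it reports the two `bpf_mask` values as still differing from sullrich's list, which is exactly the question left open at the end of the thread.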