• Switched from Comcast to AT&T U-verse and my VPN to another pfSense (2.3.4 on both ends) box quit.  I have pfSense set in the DMZ of the AT&T router/modem and there is no option to set it to bridge mode.  I get the public IP on the WAN interface of the local pfSense firewall.  The tunnel comes up, but the traffic does not return from the remote site, I am not NATing through the tunnel.  If I ping the remote network I can see from the packet capture on the IPSEC interface of the remote pfSense firewall that the traffic makes it, I see the echo request and the correct reply.  A capture on the IPSEC interface from the local firewall sees the echo request go out, but no reply.  The local network is private 172.19.x.x and the remote network is public 70.x.x.x.  What am I missing?

  • Rebel Alliance Developer Netgate

    Try capturing for ESP traffic on both WANs, just as you captured on the IPsec interface. See if the ESP packet containing the echo reply ever makes it back to the first host. If you do not see an ESP packet come back, it's possible that the packet never makes it back to you, which would indicate an ISP/modem issue. We have seen this happen with some ISPs, though usually it's temporary or something that gets fixed when a complaint is made. In rare cases the ISP is knowingly blocking the traffic and there may not be a choice but to move to a different VPN type such as OpenVPN. In some cases forcing NAT-T might help but not always.

    Two more things to check:
    1. Look under Diagnostics > States and filter on ESP, see if you see any states there that do not appear correct. You should see only one state, on WAN, containing only the endpoint addresses of the tunnel.
    2. Check for 1:1 NAT on the WAN IP address or a port forward that might be forwarding ESP traffic in to another host locally, or check to see if any clients on LAN are making some other sort of IPsec connection to the far side which might be creating a NAT state that is messing with your ability to receive ESP packets.
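
An added example (not part of the reply above, and not pfSense code) of the first check in script form: parse the one-line `tcpdump -n -i <wan> 'esp or udp port 4500'` output from a WAN capture and report whether ESP leaves, whether any ESP comes back from the peer, and whether the tunnel is using NAT-T (UDP 4500, which tcpdump prints with a `UDP-encap:` prefix). The two captures embedded below are constructed sample data using documentation address ranges (203.0.113.10 as the local WAN, 198.51.100.20 as the peer), one reproducing the one-way symptom described in the thread and one showing a healthy NAT-T tunnel; the function and variable names are this example's own.

```python
import re
from collections import Counter

# One-line form tcpdump -n prints for ESP, both raw (IP protocol 50) and
# NAT-T (UDP 4500, prefixed "UDP-encap:"). Other lines (isakmp, ARP, ...) are skipped.
ESP_LINE = re.compile(
    r"^(?P<ts>\S+)\s+IP\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?:\s+"
    r"(?P<encap>UDP-encap:\s+)?"
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\)"
)

# Constructed sample captures (invented data, documentation IP ranges).
LOCAL_WAN = "203.0.113.10"
PEER = "198.51.100.20"

# The thread's symptom: three echo requests go out inside ESP, nothing returns.
BROKEN_CAPTURE = """\
10:00:00.500000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 2/others ? inf[E]: [encrypted hash]
10:00:01.000100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x1), length 116
10:00:02.000100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x2), length 116
10:00:03.000100 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0xc1a2b3c4,seq=0x3), length 116
"""

# A healthy tunnel with NAT-T forced: a second SPI carries the replies back.
HEALTHY_CAPTURE = """\
10:05:01.000100 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0xc1a2b3c4,seq=0x1), length 132
10:05:01.020300 IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0badf00d,seq=0x1), length 132
10:05:02.000100 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0xc1a2b3c4,seq=0x2), length 132
10:05:02.019800 IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0badf00d,seq=0x2), length 132
"""


def parse_esp(capture_text):
    """Yield one dict per ESP packet line in tcpdump text output."""
    for line in capture_text.splitlines():
        m = ESP_LINE.match(line)
        if m:
            yield {
                "src": m["src"],
                "dst": m["dst"],
                "spi": int(m["spi"], 16),
                "seq": int(m["seq"], 16),
                "nat_t": m["encap"] is not None,
            }


def summarize_esp(capture_text, local_wan, peer):
    """Count ESP packets in each direction between local_wan and peer, keyed by SPI.

    Each direction of an IPsec SA has its own SPI, so a working tunnel shows one
    SPI outbound and a different SPI inbound. ESP to or from any other address
    is deliberately ignored here.
    """
    out_spis, in_spis = Counter(), Counter()
    nat_t = False
    for pkt in parse_esp(capture_text):
        nat_t = nat_t or pkt["nat_t"]
        if pkt["src"] == local_wan and pkt["dst"] == peer:
            out_spis[pkt["spi"]] += 1
        elif pkt["src"] == peer and pkt["dst"] == local_wan:
            in_spis[pkt["spi"]] += 1
    return {"outbound": dict(out_spis), "inbound": dict(in_spis), "nat_t": nat_t}


def diagnose(summary):
    """Map the per-direction counts onto the cases discussed in the reply."""
    if not summary["outbound"]:
        return "no ESP leaving WAN: look at the tunnel/Phase 2 or routing, not the ISP"
    if not summary["inbound"]:
        return "ESP goes out but never comes back: suspect the upstream modem/ISP path"
    return "ESP flows both ways on WAN: the problem is past the WAN, not the ISP"


if __name__ == "__main__":
    for name, cap in (("broken", BROKEN_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        s = summarize_esp(cap, LOCAL_WAN, PEER)
        print(name, s, "->", diagnose(s))
```

Run the same script over the capture from the remote WAN as well: if the remote side shows its reply SPI leaving and the local side never shows it arriving, the packet is lost in between, which is the ISP/modem case the reply describes.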

  • As you suspected, the ESP packet with the echo reply never makes it back.  There are no other STATES or 1:1 NAT that could be causing the problem.  I will call AT&T  >:( support & see if I can get any help (doubtful).  Don't prefer OpenVPN, but may have to use it. Thanks for your insight.

  • Contacted AT&T support and managed to get to Tier 3, but they could still not help me.  I asked if I could get an older modem that supports bridge mode and they told me my service level doesn't support the older modems.  There is a higher level of support, but requires you to pay! I have no reason to believe that the pay support can make any changes to the modem that will allow the IPSec VPN to work.  I asked if they could do a packet capture on their router so we could see what is happening to the ESP packets that get returned from the remote pfSense firewall.  I'm not sure the tech understood how a packet capture works.
