[HALF-SOLVED] About Phase 2 multiple subnets: packets routings.



  • Hi folks, I just added another subnet under Phase 2 tunnelling to directly manage my stuff like modem, switch etc. on the other side of my IPsec tunnel. I'm unable to figure out why it is impossible to gain access to the second subnet I added.
    From the local site to the remote site I can ping only the PFS box's second subnet and no other device under it. No telnet, no http management is possible at this time, so I'll show my configuration below:

    The above is my local site config.

    The above is my remote site config.

    Well, the firewall rules are configured to pass ICMP, TCP and UDP packets only, from all my interfaces, like this below:

    So I did a little test: starting tcpdump and pinging the remote host (D-Link DSL-320B), I see the ICMP ECHO packets travel and reach the endpoint, but they don't seem to return back?

    Tcpdump from the local LAN subnet (192.168.2.0/24):

    13:19:40.840901 IP (tos 0x0, ttl 64, id 62562, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 1, length 64
    13:19:41.847197 IP (tos 0x0, ttl 64, id 62798, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 2, length 64
    13:19:42.860501 IP (tos 0x0, ttl 64, id 63051, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 3, length 64
    13:19:43.873842 IP (tos 0x0, ttl 64, id 63064, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 4, length 64
    13:19:44.887269 IP (tos 0x0, ttl 64, id 63110, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 5, length 64
    13:19:45.900522 IP (tos 0x0, ttl 64, id 63285, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 6, length 64

    And it goes all the same even if I break it.
    From the remote tcpdump on the MODEM subnet (192.168.0.0/24) I see this:

    13:19:45.402806 IP (tos 0x0, ttl 62, id 63064, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 4, length 64
    13:19:46.415705 IP (tos 0x0, ttl 62, id 63110, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 5, length 64
    13:19:47.430618 IP (tos 0x0, ttl 62, id 63285, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 6, length 64
    13:19:48.443812 IP (tos 0x0, ttl 62, id 63562, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 7, length 64
    13:19:49.456943 IP (tos 0x0, ttl 62, id 63715, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 8, length 64
    13:19:50.470372 IP (tos 0x0, ttl 62, id 63856, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 9, length 64
    13:19:51.483002 IP (tos 0x0, ttl 62, id 63886, offset 0, flags [DF], proto ICMP (1), length 84)
        192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 10, length 64

    Well now, of course I can get telnet access from the remote PFS box (ssh to 192.168.1.1), also I can ping host 192.168.0.1 from there, and if I go locally I can reach this host directly and http like the web UI works well (from 192.168.1.x to 192.168.0.1).

    My interface configuration on the remote side for the MODEM interface is set to DHCP and the PFS box gets a lease from it.
    If I set a manual IP I can't access the remote site locally either; I guessed DHCP is the right choice … but I'm not really sure.

    Also my hardware is based on two APU2 units from PC Engines and the latest pfSense community edition release available.

    Below is the remote site routing table:

    Any advice to help figure this out is really appreciated. Thanks
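To make the evidence in the two captures above mechanically checkable, here is an added Python example (not from the original post or from pfSense) that correlates the local and remote tcpdump listings by ICMP id and sequence number, reports which requests crossed the tunnel, derives the hop count from the ttl drop (64 on the LAN, 62 on the MODEM subnet), and lists which requests never received an echo reply on the local side. The sample input is constructed from lines quoted in the post.

```python
import re

# Constructed sample of `tcpdump -v` output, taken from the listings above:
# a request leaves the local LAN, the same request (same IP id and seq) is
# seen on the remote MODEM subnet with ttl decremented, and no reply appears.
LOCAL_CAPTURE = """\
13:19:43.873842 IP (tos 0x0, ttl 64, id 63064, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 4, length 64
13:19:44.887269 IP (tos 0x0, ttl 64, id 63110, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 5, length 64
"""
REMOTE_CAPTURE = """\
13:19:45.402806 IP (tos 0x0, ttl 62, id 63064, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 4, length 64
13:19:48.443812 IP (tos 0x0, ttl 62, id 63562, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.2.236 > 192.168.0.1: ICMP echo request, id 8770, seq 7, length 64
"""

HEADER_RE = re.compile(r"ttl (?P<ttl>\d+), id (?P<ipid>\d+)")
ICMP_RE = re.compile(
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")

def parse_capture(text):
    """Map (icmp id, seq, kind) -> ttl for every two-line echo record."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    records = {}
    for header, body in zip(lines[0::2], lines[1::2]):
        h, b = HEADER_RE.search(header), ICMP_RE.search(body)
        if h and b:
            records[(int(b["id"]), int(b["seq"]), b["kind"])] = int(h["ttl"])
    return records

def correlate(local_text, remote_text):
    """Compare both tunnel ends: which requests crossed, how many router
    hops they took (ttl difference), and which were never answered locally."""
    local, remote = parse_capture(local_text), parse_capture(remote_text)
    sent = {seq for (_, seq, kind) in local if kind == "request"}
    arrived = {seq for (_, seq, kind) in remote if kind == "request"}
    answered = {seq for (_, seq, kind) in local if kind == "reply"}
    hops = {local[k] - remote[k] for k in local if k in remote}
    return {"sent": sent, "forwarded": sent & arrived,
            "unanswered": sent - answered, "hops": hops}

if __name__ == "__main__":
    for key, value in correlate(LOCAL_CAPTURE, REMOTE_CAPTURE).items():
        print(f"{key:>10}: {sorted(value)}")
```

A non-empty "unanswered" set together with a full "forwarded" set is exactly the symptom in the post: the tunnel delivers the request, so the missing piece is the return path on the remote side.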



  • Really, this is not an IPsec VPN problem; the VPN itself is working fine because I see the ICMP packets travel from one interface side to the other interface side at the end of the tunnel.

    Yesterday I figured it out, because when I added a NAT port forwarding rule on IPsec and a virtual IP on the MODEM interface for ICMP, after the commit I was glad to see the ping travel back to my admin PC station.
    The ICMP packets' roadmap is like below:
    from 192.168.2.236 ping to 192.168.0.1 > echo request routed at 192.168.2.1 (pfSense gateway) under the VPN tunnel.
    from the remote pfSense router VPN endpoint the echo request is routed to 192.168.0.1, but through a kind of behavior I don't know, the port forwarding NAT rule translates the ICMP ECHO request from 192.168.2.236 to 192.168.0.99 at the MODEM interface.

    The ICMP ECHO request packets now end at 192.168.0.1, and it replies correctly, sending the ICMP ECHO reply back to 192.168.0.99.
    So at this point the pfSense router, I guess, made an automatic rule to NAT the ICMP ECHO reply back to my admin station 192.168.2.236, previously triggered by the NAT port forwarding.

    This works only with the ICMP traffic type; TCP traffic does not work the same as I described. I just decided to write a new thread under the NAT forum section seeking to figure out enough about NAT LAN-to-LAN translation for IP addresses; I guess it has to do with 1:1 NAT but I don't fully understand how it works at this time.
    https://forum.pfsense.org/index.php?topic=139240.0
    A side note: I'm unable to dump (packet capture) the ICMP traffic under the MODEM interface + NAT port forwarding rule. Simply all left blank!! This is very strange in my opinion.

