pfSense not using IPsec site-to-site tunnel for routing



  • Hi, I am facing a strange issue and I am pretty desperate here. I had a well-configured and fully functional IPsec site-to-site tunnel between a pfSense box and a Zyxel USG 20 gateway. I set it up two years ago and there wasn't any problem with it until now. Last night I updated pfSense to version 2.4.2-RELEASE-p1, and that somehow broke the IPsec tunnel. Both pfSense and the USG show me that the tunnel is up and running, and I don't see anything strange in the IPsec logs on either pfSense or the USG. On the pfSense box only the incoming traffic counters are increasing, and the same happens with the outgoing counters on the USG. With a packet capture on pfSense I can see that the USG tries to ping the pfSense box address, but no traffic flows back. When I tried a traceroute to the pfSense box from a computer inside the USG's LAN, it correctly tries to go through the tunnel, but when I tried the same from a computer inside pfSense's LAN, it tries to route through the internet and not through the tunnel. The same happens when I tried to traceroute the USG's IP directly from pfSense.

    I only upgraded the pfSense box and made no other configuration changes anywhere. Please, could someone tell me how to fix this? Should I add a route to the pfSense routing table? Or what could be the cause of this trouble? As I said, before the upgrade this configuration was functional for over two years without any issue.

    Thanks

    George



  • Hi, I am really disappointed that there is no answer to my question. In the meantime, I've tried to figure it out. I tried to rebuild the whole configuration, but with no success; then I deployed a new installation of pfSense 2.4.2 on another machine and tried to set up the IPsec tunnel there, but also with no success. Finally, I backed up the configuration from the newly installed 2.4.2 box, reinstalled it with 2.4.1, restored the configuration (yes, the config.xml from the 2.4.2) and voilà, the IPsec tunnel connected successfully and was properly used by pfSense. So I've come to the conclusion that there must be something that changed in the new release and I am missing this change. Unfortunately, I haven't found anything about that, so I am hoping that someone relevant will see this post and tell me what I am missing, or, if it is a bug, that this issue will be added to the bug list for the next release.

    Regards
    George


  • Netgate

    If you have the LAN interface disabled, UNCHECK VPN > IPsec, Advanced Settings, Auto-exclude LAN address

    https://redmine.pfsense.org/issues/8239



  • @Derelict:

    If you have the LAN interface disabled, UNCHECK VPN > IPsec, Advanced Settings, Auto-exclude LAN address

    https://redmine.pfsense.org/issues/8239

    Hi, thank you, that helps, but the symptoms are not my case. I have LAN enabled and a static IP assigned to it on both installations. The production one has the default LAN, two WANs, one OpenVPN, one IPsec and approx. 30 VLAN interfaces; the test one is probably more common, it has WAN, LAN and IPsec. But both showed me the issue and both were repaired by your solution.

    George
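
The workaround in this thread is a single checkbox, but it is easy to lose track of it across config backups and reinstalls like the ones George describes. The script below is an added example, not pfSense's own code, that inspects a config.xml backup and reports the state of VPN > IPsec > Advanced Settings > "Auto-exclude LAN address" next to the LAN interface and the active phase 2 entries. It assumes the 2.4.x config.xml layout: the checkbox is stored inverted, so it is ON when the element `<ipsec><noshuntlaninterfaces>` is absent and OFF when it is present; the LAN interface sits at `<interfaces><lan>` with `<enable>` and `<ipaddr>` children; and each `<ipsec><phase2>` carries `<localid>` / `<remoteid>` elements with `<type>`, `<address>` and `<netbits>`. Those element names and the two sample configs are assumptions and constructed data, not taken from the thread.

```python
"""Audit a pfSense config.xml backup for the IPsec "Auto-exclude LAN address"
setting discussed in the thread above.  Added example, not pfSense code.

Assumed config.xml layout (pfSense 2.4.x; treat as assumptions):
  * <ipsec><noshuntlaninterfaces> ABSENT  => checkbox ON  (LAN bypass active)
    <ipsec><noshuntlaninterfaces> PRESENT => checkbox OFF (thread's workaround)
  * <interfaces><lan> with <enable> and <ipaddr> children
  * <ipsec><phase2> with <localid>/<remoteid>, each <type>,<address>,<netbits>
"""
import xml.etree.ElementTree as ET


def _subnet(node, lan_ip):
    """Render a phase 2 localid/remoteid element as readable text."""
    if node is None:
        return "?"
    kind = (node.findtext("type") or "").strip()
    if kind == "lan":
        return "LAN subnet (%s)" % lan_ip
    if kind == "network":
        return "%s/%s" % (node.findtext("address"), node.findtext("netbits"))
    if kind == "address":
        return "%s/32" % node.findtext("address")
    return kind or "?"


def audit_ipsec_lan_exclusion(config_xml):
    """Return LAN state, the auto-exclude flag, the active phase 2 networks
    and a list of warnings based on the workaround reported in the thread."""
    root = ET.fromstring(config_xml)
    lan = root.find("interfaces/lan")
    # Element objects with no children are falsy, so compare against None.
    lan_enabled = lan is not None and lan.find("enable") is not None
    lan_ip = lan.findtext("ipaddr") if lan is not None else None

    ipsec = root.find("ipsec")
    # Absent element => checkbox checked => LAN address excluded from IPsec.
    auto_exclude = ipsec is not None and ipsec.find("noshuntlaninterfaces") is None

    phase2 = []
    for p2 in (ipsec.findall("phase2") if ipsec is not None else []):
        if p2.find("disabled") is not None:
            continue
        phase2.append((_subnet(p2.find("localid"), lan_ip),
                       _subnet(p2.find("remoteid"), lan_ip)))

    warnings = []
    if phase2 and auto_exclude:
        warnings.append(
            "Auto-exclude LAN address is ON with %d active phase 2 entr%s. "
            "Thread workaround for 2.4.2 (redmine #8239): uncheck it under "
            "VPN > IPsec > Advanced Settings."
            % (len(phase2), "y" if len(phase2) == 1 else "ies"))
    if not lan_enabled and auto_exclude:
        warnings.append("LAN interface is disabled but Auto-exclude LAN address is ON.")

    return {"lan_enabled": lan_enabled, "lan_ip": lan_ip,
            "auto_exclude_lan": auto_exclude, "phase2": phase2,
            "warnings": warnings}


# Constructed sample backup (not a real config): LAN 192.168.10.1/24, one
# phase 2 to 10.20.0.0/24, auto-exclude left at its default (element absent).
CONFIG_DEFAULT = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><ipaddr>dhcp</ipaddr></wan>
    <lan><enable></enable><ipaddr>192.168.10.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <ipsec>
    <phase1><ikeid>1</ikeid><remote-gateway>198.51.100.2</remote-gateway></phase1>
    <phase2>
      <ikeid>1</ikeid><mode>tunnel</mode>
      <localid><type>lan</type></localid>
      <remoteid><type>network</type><address>10.20.0.0</address><netbits>24</netbits></remoteid>
    </phase2>
  </ipsec>
</pfsense>
"""

# Same config after the thread's workaround: checkbox unchecked, flag stored.
CONFIG_FIXED = CONFIG_DEFAULT.replace(
    "<ipsec>", "<ipsec>\n    <noshuntlaninterfaces></noshuntlaninterfaces>")


if __name__ == "__main__":
    for label, cfg in (("default", CONFIG_DEFAULT), ("workaround applied", CONFIG_FIXED)):
        report = audit_ipsec_lan_exclusion(cfg)
        print("[%s] LAN enabled=%s ip=%s auto_exclude=%s" % (
            label, report["lan_enabled"], report["lan_ip"], report["auto_exclude_lan"]))
        for local, remote in report["phase2"]:
            print("  phase2: %s <-> %s" % (local, remote))
        for w in report["warnings"]:
            print("  WARNING: " + w)
```

Run it against a real backup with `audit_ipsec_lan_exclusion(open("config-backup.xml").read())`; the same check can be folded into whatever script diffs backups before and after an upgrade, since the fix here was discovered only by downgrading and restoring the same config.xml.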


  • Netgate

    In Status > Interfaces you will see the second interface. That is the internal interface (lan). It does not matter what the interface description is.

