pfSense sending packets in the wrong IPsec tunnel



  • Hello,

    Here is my pfSense version: 2.4.2-RELEASE-p1 (amd64)
    I'm using pfSense as a VPN device for site-to-site access. We've got several tunnels at the moment, all running well for everybody.
    We've just installed a new client on it, and there's a complete WTF issue for him: pfSense sends packets in the wrong tunnel!

    Phase 1 is established with IKEv1. The client has 15 phase 2 entries, but let's take an example and try to explain the issue the simplest way:

    tunnel1 : Local network 172.19.79.0/24 ---- Remote network 172.20.32.0/19
    tunnel2 : Local network 172.19.79.0/24 ---- Remote network 172.21.245.0/24
    tunnel3 : Local network 172.19.79.0/24 ---- Remote network 10.4.8.0/24

    Packet I want to send => src: 172.19.79.15, dst: 172.20.34.34, ICMP, so it should be sent into tunnel1.

    Case 1:
    We start from scratch, all tunnels are down. I bring them up and send my packet. It is sent into tunnel3. I disconnect tunnel3, the packet is sent into tunnel2... I disconnect tunnel2, now the packet is sent into tunnel1...

    Case 2:
    We start from a working situation, all tunnels are up. The packet is sent into tunnel1. Then tunnel2 is rekeying. tunnel2 has both old and new SAs. The packet is now sent into the new tunnel2... If we wait long enough for tunnel1 rekeying, as soon as it's done, the packet goes back into the new tunnel1 and it works!

    I have no damn idea what's going on, I need help!!

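The post above reduces to a selector-matching question: given the phase 2 local/remote pairs, which one should carry a packet from 172.19.79.15 to 172.20.34.34, and do any of the 15 entries overlap so that more than one could claim it? The following script is an added example, not code from the original post or from pfSense/strongSwan. It takes a list of phase 2 selectors (the three from the post are embedded as constructed sample data, plus a constructed `tunnel4` entry that deliberately overlaps `tunnel1`), reports every selector that matches a packet, flags overlapping selector pairs, and picks the expected tunnel on the assumption that the most specific remote prefix wins. That tie-break is an assumption of this script; confirm it against the actual installed security policies on the box.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: the three phase 2 entries quoted in the post.
PHASE2 = [
    ("tunnel1", "172.19.79.0/24", "172.20.32.0/19"),
    ("tunnel2", "172.19.79.0/24", "172.21.245.0/24"),
    ("tunnel3", "172.19.79.0/24", "10.4.8.0/24"),
]

# Constructed variant with an extra (hypothetical) entry whose remote network
# sits inside tunnel1's /19, so the two selectors overlap.
PHASE2_OVERLAP = PHASE2 + [("tunnel4", "172.19.79.0/24", "172.20.34.0/24")]


def parse_selectors(entries):
    """Turn (name, local_cidr, remote_cidr) strings into ip_network objects."""
    return [
        (name, ipaddress.ip_network(local), ipaddress.ip_network(remote))
        for name, local, remote in entries
    ]


def matching_policies(entries, src, dst):
    """Names of every selector whose local network covers src and remote network covers dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [name for name, local, remote in parse_selectors(entries)
            if s in local and d in remote]


def expected_tunnel(entries, src, dst):
    """Selector expected to carry the packet, or None if nothing matches.

    When several selectors match, prefer the longest remote prefix, then the
    longest local prefix (assumed most-specific-wins ordering).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [(name, local, remote) for name, local, remote in parse_selectors(entries)
               if s in local and d in remote]
    if not matches:
        return None
    matches.sort(key=lambda m: (m[2].prefixlen, m[1].prefixlen), reverse=True)
    return matches[0][0]


def overlapping_selectors(entries):
    """Pairs of selectors where both the local and the remote networks overlap.

    Any packet matching one such pair's intersection matches both, which is
    exactly the situation worth ruling out when traffic lands in the wrong SA.
    """
    pairs = []
    for (n1, l1, r1), (n2, l2, r2) in combinations(parse_selectors(entries), 2):
        if l1.overlaps(l2) and r1.overlaps(r2):
            pairs.append((n1, n2))
    return pairs


if __name__ == "__main__":
    pkt = ("172.19.79.15", "172.20.34.34")
    print("matches:", matching_policies(PHASE2, *pkt))
    print("expected tunnel:", expected_tunnel(PHASE2, *pkt))
    print("overlaps in PHASE2:", overlapping_selectors(PHASE2))
    print("overlaps with tunnel4 added:", overlapping_selectors(PHASE2_OVERLAP))
    print("expected tunnel with tunnel4 added:", expected_tunnel(PHASE2_OVERLAP, *pkt))
```

Feed it the full set of phase 2 entries (the reply below asks for all of them for the same reason): if `overlapping_selectors` returns nothing, the selectors are unambiguous and the problem lies elsewhere, for instance in which SA the kernel actually installed; if it returns pairs, those are the entries to look at first.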

  • Netgate

    Yeah. IPsec doesn't behave like that.

    You should probably start by posting what you have done, not a representation of what you think you have done.

    Post ALL of the traffic selectors. Not just a few.

    How do you know what "tunnel" the traffic is being sent on?