Netgate Discussion Forum

IPSEC Tunnel works only when IP is static

Category: IPsec. 6 posts, 3 posters, 697 views.
erosalesMBGE, Jul 4, 2018, 2:26 PM

    Hi all,

    There is a pfSense firewall configured in my company (old version 2.2.5-RELEASE) in AWS. The LAN of the FW is a /24 network. However, in the tunnel we modify the local subnet to be /23. When the tunnel comes up and we try a traffic test, it only works when the destination host has a static IP; it does not work even when the IP is in the subnet range but not static.

    Can anybody help on this, please?

bepo, Jul 5, 2018, 7:48 AM

      Please specify what "not static" means. Do you mean in the case of DHCP? Is the gateway from the DHCP server correct?

      Please use the thumbs up button if you received a helpful advice. Thank you!

jimp (Rebel Alliance Developer, Netgate), Jul 5, 2018, 1:39 PM

        1. Upgrade to a current supported release, 2.2.5 has been outdated for nearly three years.

        2. IPsec has no way to know what is static vs dynamic. It only knows what does or does not match its Phase 2 definitions.

        You'll need to provide more information about the design of the network and what you're trying to do in order to make any kind of accurate guess about what is happening.

        For example, if LAN is a /24 and IPsec is set to /23, where is the other segment of that network? Can you give any examples of the addresses and how they are configured?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

erosalesMBGE, Jul 6, 2018, 2:28 PM

          Hi,

          The network in our AWS is a /16, but the subnets are divided into /24s. In Phase 2 I modified the local network to be /23 to reach 2 subnets in AWS. I have one server in each subnet, let's say .40.0/24 and .41.0/24.
          AWS assigns the IP to servers via DHCP, but if I set the IP to static in the operating system the tunnel can reach it, and only in .40.0/24; if it is not set to static, it does not reach it. The subnet .41.0/24 is not reached at any time, static or DHCP.

jimp (Rebel Alliance Developer, Netgate), Jul 6, 2018, 2:32 PM

            That sounds more like it might be an issue with your AWS networking and nothing to do with pfSense. Are you certain dynamically assigned hosts, or hosts in that other /24 segment, are sending traffic to pfSense?


erosalesMBGE, Jul 6, 2018, 2:41 PM
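To make jimp's two points concrete (a Phase 2 selector matches on addresses only, and widening it to a /23 over a /24 LAN means hosts in the other /24 are covered by the selector but are not on a pfSense interface, so their subnet needs a route for the remote network via the pfSense instance), here is an added Python example. It is not code from the thread or from pfSense. The addresses, the remote network, the route-table contents and the "eni-pfsense" target label are constructed assumptions: the thread only gives ".40.0/24" and ".41.0/24", so 10.0.0.0/16 is assumed for the VPC.

```python
"""Which hosts does an IPsec Phase 2 selector cover, and can they actually
reach pfSense? Added example for this thread; not pfSense code.
All addresses and route tables below are constructed (assumed) values."""
import ipaddress

# Assumed topology, shaped like the thread's description.
LAN = ipaddress.ip_network("10.0.40.0/24")          # pfSense LAN interface
P2_LOCAL = ipaddress.ip_network("10.0.40.0/23")     # Phase 2 "local network"
P2_REMOTE = ipaddress.ip_network("192.168.1.0/24")  # Phase 2 "remote network" (assumed)

# Constructed VPC route tables, one per AWS subnet: {prefix: target}.
# "eni-pfsense" is a made-up label for the pfSense instance's interface.
RT_SUBNET_40 = {"10.0.0.0/16": "local", "192.168.1.0/24": "eni-pfsense", "0.0.0.0/0": "igw"}
RT_SUBNET_41 = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}


def p2_matches(src, dst, local=P2_LOCAL, remote=P2_REMOTE):
    """A packet is eligible for the tunnel only if src is inside the local
    selector and dst inside the remote selector. Nothing here distinguishes
    a static address from a DHCP lease: the match is on address alone."""
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def classify_host(host, lan=LAN, local=P2_LOCAL):
    """Explain why a local host can or cannot use the tunnel."""
    ip = ipaddress.ip_address(host)
    if ip not in local:
        return "outside the Phase 2 local selector: never enters the tunnel"
    if ip in lan:
        return "matches Phase 2 and is on the pfSense LAN: works if its gateway is pfSense"
    return ("matches Phase 2 but is not on a pfSense interface: its subnet needs a "
            "route for the remote network via pfSense")


def selector_covers_lan(lan=LAN, local=P2_LOCAL):
    """Sanity check: the Phase 2 local selector should contain the LAN."""
    return lan.subnet_of(local)


def return_path_via_pfsense(route_table, remote=P2_REMOTE, target="eni-pfsense"):
    """Longest-prefix match, as a VPC route table does it, for an address in
    the remote network: does it leave via the pfSense instance?"""
    probe = next(remote.hosts())
    best = None
    for prefix, tgt in route_table.items():
        net = ipaddress.ip_network(prefix)
        if probe in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tgt)
    return best is not None and best[1] == target


if __name__ == "__main__":
    for h in ("10.0.40.10", "10.0.41.10", "10.0.42.10"):
        print(h, "->", classify_host(h))
    print("P2 local selector covers LAN:", selector_covers_lan())
    print("10.0.41.10 -> 192.168.1.5 matches P2:", p2_matches("10.0.41.10", "192.168.1.5"))
    print("subnet .40 routes remote via pfSense:", return_path_via_pfsense(RT_SUBNET_40))
    print("subnet .41 routes remote via pfSense:", return_path_via_pfsense(RT_SUBNET_41))
```

The route-table check is the question jimp asks in a form you can run against your own VPC: a host that matches the selector but whose subnet has no route for the remote network toward the pfSense instance will never send that traffic to pfSense, whatever its address assignment. Two further things to verify on the AWS side that the code cannot see: the pfSense instance needs its source/destination check disabled to forward traffic it does not own, and any security group or network ACL must allow the remote network through.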

              The tunnel only works when the IP in the server is set manually, and only in the .40.0/24 segment; dynamically it doesn't work. The .41.0/24 segment does not send traffic to pfSense at all, even when the /23 is set up in Phase 2. Due to policies and prod environments working on other tunnels, I can update the version.
