IPSec tunnel - No traffic
-
We have about 15 sites with PFsense endpoints. All on 2.4.4. Some are upgrades and one fresh install.
Traffic doesn't seem to pass thru the tunnels.
Couple things I noticed.-
Tunnels preexisting prior to upgrade to 2..4.4 are fine.
-
New tunnels don't pass traffic
-
On reinstall endpoints I can set up tunnels and establish connection but only pass traffic between new installs not upgrades.
-
-
So you see the tunnels come up at phase 1 and phase 2 in all cases?
Do you see the traffic counters in Status > IPSec increasing at either end if you try to ping across it?
These are all tunnels with pfSense at both ends?
You should at least check that Async-Crypto is disabled in IPSec > Advanced. That is a new option ins 2.4.4 that in the vast majority of cases speeds up ipsec, sometimes significantly. But we are now seeing some situations where it prevents traffic.
Steve
-
All tunnel endpoints are pfsense and Async-Crypto is disabled on all of them by default. The tunnels have zero traffic on them.
-
Hmm,
Do you see any errors in the IPSec log or System log?
If you run packet captures on the IPSec interface and try to ping across the tunnel do you see that traffic?
If not do you see it leaving on the WAN incorrectly?Steve
-
I ran capture on both ipsec and wan. Wan at least shows some of the ipsec tunnel traffic between two endpoints but not traffic. Ipsec is just flat empty. I've never seen packet capture being completely empty.
System logs show no errors for ipsec just a bunch of "activating new task" "nothing to initiate".
Oh yeah so one of the time running packet capture ping came back with destination unreachable. Could this be NAT or routing related? -
If the tunnel is up at phase 1 and phase 2 and the SAs show correctly for subnets you are trying to ping between the IPSec daemon should always grab that traffic.
If it doesn't it would try to send it to the default gateway which is probably your WAN.
The IPSec daemon can be by-passed if you have policy routing rules in place, with gateways defined.Steve
-
We don't use policy routing rules as of yet - not on smaller appliances.
WAN shows the echo request but it never makes it back to IPsec.
FYI. As a temp measure I set up backup tunnels with openvpn that seems the easiest and quest solution. That works but I do prefer IPsec over Openvpn for static tunnels.
-
Hmm, you see the encrypted packets leaving the WAN but nothing on the IPSec interface?
Or am I reading that wrong?
Steve
-
There is no traffic on the IPSec interface but I do see the echo request on the WAN.
Steve, I have to assume you're the same fellow who helped me out a few times before netgate time. Then netgate took over and my support didn't get carried over to netgate at least that's what it seems. Anyways thank you for the attention now on this matter.
-
I could be.
Though I have only ever worked for Netgate doing pfSense support (while getting paid!).If you're seeing the unencrypted ping request leaving the WAN then the IPSec daemon is not seeing that as interesting traffic.
Check in Status > IPSec on the SPDs tab that the traffic selectors are there covering the source and destinations you are pinging.
Steve
-
SPD tabs show both remote and local networks for inbound and outbound.
-
Hmm, can we see the output of
ipsec statusalland the details of the ping that's failing?Steve
-
I have a similar problem with pfSense 2.4.4.
LAN interface stops routing traffic, tunnels stop working after some minutes or sometimes hours
I have multiple Phase 2 tunnels, if i restart a computer in local network or restart IPsec service multiple times and try to ping tunnel remote IP then tunnels start to get packets but after a while traffic stops again.
People had the same problem before : https://forum.netgate.com/topic/98893/pfsense-2-3-lan-interface-stops-routing-traffic-stops-working-after-2-or-3-day
And it was fixed with 2.3.1, i think it was a solution by disabling all but 1 CPU. May it be the same?
-
If it works at all on upgraded devices then you have a different issue. Please start a new thread to address that.
Steve
-
Sorry. Still having this issue I'll try to get some ipsec status printed out this week. It's been busy.
Thank you. -
Just to confirm; the traffic counters on the phase 2 status shows 0 at both ends and in both directions?
Steve
-
You just pointed out to something I never paid attention to.
In lack of time I looked at one of the setups and Connection is established but phase to status is not available on the connection that's not working. -
Ah, phase 1 comes up but not phase 2? Then check for a mismatch there. The IPSec logs should show an error.
Steve
-
No intention of hijacking the thread.
I'm using 2.4.4-RELEASE (amd64)
built on Thu Sep 20 09:33:19 EDT 2018
FreeBSD 11.2-RELEASE-p3I create an ipSec tunnel with identical configuration of others created on a previous rev (2.4.3p1) and the tunnel itself establishes, but no traffic passes through. On the phase 2 items, they're configured in a fashion similar to the other working tunnels. One thing I noticed that was very strange. In Static -> IPsec -> SADs, the whole section on this 2.4.4 instance is EMPTY, but on the others, it's populated with two entries per phase 2 item.
-
The SADs will only appear once the tunnel is up. The SPDs should be be there whether it is up or not though.
If you see no SADs it's not establishing. Check the ipsec logs.
Steve
