Netgate Discussion Forum
    IPSec tunnel - No traffic

IPsec
49 Posts 7 Posters 13.5k Views

bpados

We have about 15 sites with PFsense endpoints. All on 2.4.4. Some are upgrades and one fresh install.

Traffic doesn't seem to pass thru the tunnels.
Couple things I noticed.

• Tunnels preexisting prior to upgrade to 2.4.4 are fine.

• New tunnels don't pass traffic

• On reinstall endpoints I can set up tunnels and establish connection but only pass traffic between new installs not upgrades.

stephenw10 Netgate Administrator

So you see the tunnels come up at phase 1 and phase 2 in all cases?

Do you see the traffic counters in Status > IPSec increasing at either end if you try to ping across it?

These are all tunnels with pfSense at both ends?

You should at least check that Async-Crypto is disabled in IPSec > Advanced. That is a new option in 2.4.4 that in the vast majority of cases speeds up ipsec, sometimes significantly. But we are now seeing some situations where it prevents traffic.

Steve

bpados

All tunnel endpoints are pfsense and Async-Crypto is disabled on all of them by default. The tunnels have zero traffic on them.

stephenw10 Netgate Administrator

Hmm,
Do you see any errors in the IPSec log or System log?
If you run packet captures on the IPSec interface and try to ping across the tunnel do you see that traffic?
If not do you see it leaving on the WAN incorrectly?

Steve

bpados

I ran capture on both ipsec and wan. Wan at least shows some of the ipsec tunnel traffic between two endpoints but not traffic. Ipsec is just flat empty. I've never seen packet capture being completely empty.
System logs show no errors for ipsec just a bunch of "activating new task" "nothing to initiate".
Oh yeah, so one of the times running packet capture ping came back with destination unreachable. Could this be NAT or routing related?

stephenw10 Netgate Administrator

If the tunnel is up at phase 1 and phase 2 and the SAs show correctly for subnets you are trying to ping between the IPSec daemon should always grab that traffic.
If it doesn't it would try to send it to the default gateway which is probably your WAN.
The IPSec daemon can be by-passed if you have policy routing rules in place, with gateways defined.

Steve

bpados

We don't use policy routing rules as of yet - not on smaller appliances.

WAN shows the echo request but it never makes it back to IPsec.

FYI. As a temp measure I set up backup tunnels with openvpn, that seems the easiest and quickest solution. That works but I do prefer IPsec over Openvpn for static tunnels.

stephenw10 Netgate Administrator

Hmm, you see the encrypted packets leaving the WAN but nothing on the IPSec interface?

Or am I reading that wrong?

Steve

bpados

There is no traffic on the IPSec interface but I do see the echo request on the WAN.

Steve, I have to assume you're the same fellow who helped me out a few times before netgate time. Then netgate took over and my support didn't get carried over to netgate, at least that's what it seems. Anyways thank you for the attention now on this matter.

stephenw10 Netgate Administrator

I could be. 😉 Though I have only ever worked for Netgate doing pfSense support (while getting paid!).

If you're seeing the unencrypted ping request leaving the WAN then the IPSec daemon is not seeing that as interesting traffic.

Check in Status > IPSec on the SPDs tab that the traffic selectors are there covering the source and destinations you are pinging.

Steve

bpados

SPD tabs show both remote and local networks for inbound and outbound.

stephenw10 Netgate Administrator

Hmm, can we see the output of ipsec statusall and the details of the ping that's failing?

Steve

e066377

I have a similar problem with pfSense 2.4.4.

LAN interface stops routing traffic, tunnels stop working after some minutes or sometimes hours.

I have multiple Phase 2 tunnels; if I restart a computer in local network or restart IPsec service multiple times and try to ping tunnel remote IP then tunnels start to get packets but after a while traffic stops again.

People had the same problem before: https://forum.netgate.com/topic/98893/pfsense-2-3-lan-interface-stops-routing-traffic-stops-working-after-2-or-3-day

And it was fixed with 2.3.1, I think it was a solution by disabling all but 1 CPU. May it be the same?

stephenw10 Netgate Administrator

If it works at all on upgraded devices then you have a different issue. Please start a new thread to address that.

Steve

bpados

Sorry. Still having this issue, I'll try to get some ipsec status printed out this week. It's been busy.
Thank you.

stephenw10 Netgate Administrator

Just to confirm; the traffic counters on the phase 2 status show 0 at both ends and in both directions?

Steve

bpados

You just pointed out something I never paid attention to.
For lack of time I looked at one of the setups and Connection is established but phase 2 status is not available on the connection that's not working.

stephenw10 Netgate Administrator

Ah, phase 1 comes up but not phase 2? Then check for a mismatch there. The IPSec logs should show an error.

Steve

Markadaca

No intention of hijacking the thread.
I'm using 2.4.4-RELEASE (amd64)
built on Thu Sep 20 09:33:19 EDT 2018
FreeBSD 11.2-RELEASE-p3

I create an ipSec tunnel with identical configuration of others created on a previous rev (2.4.3p1) and the tunnel itself establishes, but no traffic passes through. On the phase 2 items, they're configured in a fashion similar to the other working tunnels. One thing I noticed that was very strange. In Status -> IPsec -> SADs, the whole section on this 2.4.4 instance is EMPTY, but on the others, it's populated with two entries per phase 2 item.

stephenw10 Netgate Administrator

The SADs will only appear once the tunnel is up. The SPDs should be there whether it is up or not though.

If you see no SADs it's not establishing. Check the ipsec logs.

Steve
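The checks Steve walks through in this thread (is phase 1 established, is a phase 2 SA installed for the subnets being pinged, and are its traffic counters non-zero) can all be read from the `ipsec statusall` output he asked for. The following is an added example, not code from the thread, from pfSense or from strongSwan: it parses a constructed statusall sample and classifies a tunnel into the same states the diagnosis above distinguishes. The connection names, addresses and subnets are made up.

```python
import re

# Constructed sample of strongSwan `ipsec statusall` output (not from any real box): con1 has phase 1 and phase 2 up, con2 has phase 1 only.
SAMPLE = """\
Security Associations (2 up, 0 connecting):
     con1[4]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
     con1{7}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2a1b3c4_i cd9e8f70_o
     con1{7}:  AES_CBC_256/HMAC_SHA2_256_128, 1842 bytes_i, 2016 bytes_o, rekeying in 41 minutes
     con1{7}:   10.10.0.0/24 === 10.20.0.0/24
     con2[5]: ESTABLISHED 3 minutes ago, 203.0.113.10[203.0.113.10]...192.0.2.30[192.0.2.30]
"""

IKE_RE = re.compile(r"^\s*(\S+)\[\d+\]: ESTABLISHED\b")     # phase 1 (IKE_SA) line
CHILD_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(.*)$")       # phase 2 (CHILD_SA) lines
TS_RE = re.compile(r"^(\S+) === (\S+)$")                     # traffic selector line
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")       # per-SA byte counters

def parse_statusall(text):  # -> {conn: {"ike": bool, "children": [child dicts]}}
    conns, children = {}, {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conns.setdefault(m.group(1), {"ike": False, "children": []})["ike"] = True
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue
        conn, cid, rest = m.groups()
        if (conn, cid) not in children:  # first line seen for this CHILD_SA
            children[(conn, cid)] = {"installed": False, "local": None, "remote": None, "bytes": 0}
            conns.setdefault(conn, {"ike": False, "children": []})["children"].append(children[(conn, cid)])
        child = children[(conn, cid)]
        if rest.startswith("INSTALLED"):
            child["installed"] = True
        b = BYTES_RE.search(rest)
        if b:
            child["bytes"] = int(b.group(1)) + int(b.group(2))
        t = TS_RE.match(rest.strip())
        if t:
            child["local"], child["remote"] = t.groups()
    return conns

def diagnose(conns, conn, local, remote):  # classify one tunnel the way the thread does
    info = conns.get(conn)
    if not info or not info["ike"]:
        return "phase1-down"        # no IKE_SA: check phase 1 proposals, IDs and the IPsec log
    for c in info["children"]:
        if c["installed"] and (c["local"], c["remote"]) == (local, remote):
            return "passing-traffic" if c["bytes"] else "phase2-up-no-traffic"  # SAs exist; check SPDs/routing
    return "phase2-missing"         # phase 1 only: phase 2 mismatch, the IPsec log should show it
```

On a pfSense box the same logic applies to the live output of `ipsec statusall` from the shell; "phase2-up-no-traffic" is the case where packets bypass the tunnel (policy routing, a missing SPD), while "phase2-missing" is the phase 2 mismatch case from the end of the thread.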

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.