IPsec tunnel established but no traffic because of missing route



  • I set up a site-to-site IPsec tunnel that works?!? (see Status - IPsec - Overview/SAD/SPD).

    Log: racoon: []: INFO: IPsec-SA established: ESP x.x.x.x[0]->172.16.0.2[0] spi=22121990(0x1518e06)

    But I can't ping from site to site.

    I looked into the routing table of pfSense and there is no route to the other LAN through the IPsec tunnel.

    Do I need to add a route somewhere?


  • Rebel Alliance Developer Netgate

    No route will show up there for an IPSec tunnel, at least none of mine do.

    Did you add firewall rules to allow traffic on the tunnel? (Firewall > Rules, IPSec tab)



  • OK.

    Yes, I have 1 rule at IPsec:  Allow  * * * * * *

    I can't tracert to an IP address at the other site. The route is going to the internet and not through the tunnel?!?


  • Rebel Alliance Developer Netgate

    Are you trying to traceroute from the pfSense box? Or a system on your LAN?

    Going out from the pfSense box won't work, as it doesn't properly route that way, and that is expected. See this article in the Doc Wiki for more info and a workaround.

    If you are trying from a system on your LAN and no traffic is passing, you might double check that your local and remote subnet definitions match exactly on both sides. I have heard of similar problems in the past when one side had, for example, 192.168.0.0/24, and the other had 192.168.0.1/24.



  • I did a traceroute from  a system on my LAN.

    Here are my definitions:

    Site1 (LAN: 192.168.100.0/24):
    Local subnet = LAN subnet
    Remote subnet = 192.168.50.0/24
    Remote gateway = public IP of Site2

    Site2 (LAN: 192.168.50.0/24):
    Local subnet = LAN subnet
    Remote subnet = 192.168.100.0/24
    Remote gateway = public IP of Site1

    Log from Site1 when I ping 192.168.50.1 with no response:

    Mar 4 21:36:03 racoon: []: INFO: IPsec-SA established: ESP 172.16.0.2[500]->pub-ip-site2[500] spi=170524941(0xa2a010d)
    Mar 4 21:36:03 racoon: []: INFO: IPsec-SA established: ESP pub-ip-site2[0]->172.16.0.2[0] spi=216211745(0xce32121)
    Mar 4 21:36:03 racoon: []: INFO: IPsec-SA expired: ESP 172.16.0.2[0]->pub-ip-site2[0] spi=58720189(0x37fffbd)
    Mar 4 21:36:03 racoon: []: INFO: respond new phase 2 negotiation: 172.16.0.2[500]<=>pub-ip-site2[500]
    Mar 4 21:36:03 racoon: []: INFO: ISAKMP-SA established 172.16.0.2[500]-pub-ip-site2[500] spi:86a8412b69c36a93:46ca4c9e3ba5126a
    Mar 4 21:36:03 racoon: WARNING: No ID match.
    Mar 4 21:36:02 racoon: INFO: received Vendor ID: DPD
    Mar 4 21:36:02 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Mar 4 21:36:02 racoon: INFO: begin Identity Protection mode.
    Mar 4 21:36:02 racoon: []: INFO: respond new phase 1 negotiation: 172.16.0.2[500]<=>pub-ip-site2[500]



  • No routing to be configured here. If the tunnel is established then nothing is wrong with the tunnel setup (ranges match).
    From a machine connected to the LAN of Site1, ping some LAN address from site two and trace ESP packets on your WAN interface. At least you will see whether Site1 sends encrypted traffic to Site2, and if it does then apparently Site2 does not respond.
    I suppose you've created a rule on site1 allowing ICMP from the LAN1 to the LAN2 range.



  • I've only added a rule at the IPsec tab to Allow all. Do I need to create more rules at the LAN or WAN tab?

    And how do I trace ESP packets?



  • @Sateetje:

    I've only added a rule at the IPsec tab to Allow all. Do I need to create more rules at the LAN or WAN tab?

    And how do I trace ESP packets?

    The rules you are using depend on your needs. For testing, allow all is a very good rule.
    And you have to allow ICMP traffic from the Site1 LAN to the Site2 LAN on the Site1 pfSense, LAN tab rules (for pings from Site1 to Site2).

    Trace it like this (if you have only one IPsec tunnel):
    tcpdump -i emX -n esp

    or, if you do not have any other traffic between the sites:
    tcpdump -i emX -n host <site2 public ip>

    *** replace emX with your real WAN interface name ***



  • I added an allow everything rule on the LAN interface of site1.

    Then I started a ping from site1 to site2. But no reply.

    Here are my traces:

    172.16.0.2 = WAN address of pfsense site1
    172.16.2.2 = WAN address of pfsense site2

    site1-ip = WAN address of modem/router (NAT device) (eg 80.101.x.x)
    site2-ip = WAN address of modem/router (NAT device) (eg 80.101.x.x)

    site1:
    22:55:16.085621 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x20), length 132
    22:55:17.093308 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x21), length 132
    22:55:18.103301 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x22), length 132
    22:55:29.195391 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x23), length 132

    site2:
    22:55:16.085654 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x20), length 132
    22:55:16.086596 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14d), length 132
    22:55:17.094322 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x21), length 132
    22:55:17.094870 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14e), length 132
    22:55:18.101993 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x22), length 132
    22:55:18.102528 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14f), length 132
    22:55:29.200274 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x23), length 132
    22:55:29.201113 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x150), length 132

    What could be the problem?



  • Well, according to your traces Site2 replies to Site1 but Site1 does not receive these replies.
    We could guess about some routing issue but this is not the case as phase 1 goes perfectly.
    Puzzled. What is in between these firewalls?
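The comparison made in the reply above (Site2 sends ESP replies, Site1 never sees them) can be done mechanically by matching the SPI and sequence numbers in the two captures. The script below is an added example, not code from the thread or from pfSense; it parses the one-line `tcpdump -n esp` format used in the traces and reports, per SPI, how many packets each site saw and which sequence numbers appear on one side only. The sample captures are the lines posted above, with `site1-ip`/`site2-ip` left as placeholders.

```python
"""Compare ESP captures from both tunnel endpoints to find one-way packet loss.

Added example, not from the original thread. Input is the one-line output of
`tcpdump -n esp` as shown in the post; an ESP SA keeps the same SPI for its
lifetime, so an SPI that shows up in one capture but never in the other is a
direction of the tunnel that is being dropped somewhere in between.
"""
import re
from collections import defaultdict

# Matches e.g.: 22:55:16.085621 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x20), length 132
ESP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x(?P<seq>[0-9a-fA-F]+)\), length (?P<len>\d+)"
)

# Capture lines copied from the post above (placeholders kept as posted).
SITE1_CAPTURE = """
22:55:16.085621 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x20), length 132
22:55:17.093308 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x21), length 132
22:55:18.103301 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x22), length 132
22:55:29.195391 IP 172.16.0.2 > site2-ip: ESP(spi=0x06baad6a,seq=0x23), length 132
"""

SITE2_CAPTURE = """
22:55:16.085654 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x20), length 132
22:55:16.086596 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14d), length 132
22:55:17.094322 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x21), length 132
22:55:17.094870 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14e), length 132
22:55:18.101993 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x22), length 132
22:55:18.102528 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x14f), length 132
22:55:29.200274 IP site1-ip > 172.16.2.2: ESP(spi=0x06baad6a,seq=0x23), length 132
22:55:29.201113 IP 172.16.2.2 > site1-ip: ESP(spi=0x0a7bbf73,seq=0x150), length 132
"""


def parse_esp(capture: str):
    """Return (src, dst, spi, seq) for every ESP line; non-ESP lines are ignored."""
    pkts = []
    for line in capture.splitlines():
        m = ESP_LINE.match(line.strip())
        if m:
            pkts.append((m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16)))
    return pkts


def compare_captures(site1_capture: str, site2_capture: str):
    """Per SPI: packet counts at each site and the sequence numbers seen on one side only."""
    seen1, seen2 = defaultdict(set), defaultdict(set)
    for _, _, spi, seq in parse_esp(site1_capture):
        seen1[spi].add(seq)
    for _, _, spi, seq in parse_esp(site2_capture):
        seen2[spi].add(seq)
    report = {}
    for spi in sorted(seen1.keys() | seen2.keys()):
        report[f"0x{spi:08x}"] = {
            "site1": len(seen1[spi]),
            "site2": len(seen2[spi]),
            "only_site1": sorted(seen1[spi] - seen2[spi]),
            "only_site2": sorted(seen2[spi] - seen1[spi]),
        }
    return report


def lost_spis(report):
    """SPIs that one site captured and the other never saw at all: a fully black-holed direction."""
    return [spi for spi, r in report.items() if r["site1"] == 0 or r["site2"] == 0]


if __name__ == "__main__":
    rep = compare_captures(SITE1_CAPTURE, SITE2_CAPTURE)
    for spi, r in rep.items():
        print(f"{spi}: site1={r['site1']} site2={r['site2']} "
              f"only_site1={r['only_site1']} only_site2={r['only_site2']}")
    print("one-way SPIs:", lost_spis(rep))
```

Run against the posted traces it reports SPI 0x06baad6a seen four times at both sites (Site1 to Site2 works) and SPI 0x0a7bbf73 seen four times at Site2 and never at Site1, which is exactly the one-way loss the reply describes. Feeding it captures taken at the Cisco and Draytek WAN ports, as suggested later in the thread, would narrow down which NAT device drops the return ESP packets.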



  • I am having a similar issue with my vpn setup.  I have setup a vpn between a cisco device and pfsense and it works.  But when I set up a VPN between endian and pfsense, it does not work.



  • Site1:
    LAN -> pfsense (NAT) -> Cisco 827 12.3 IOS (NAT) -> provider

    Site2:
    LAN -> pfsense (NAT) -> Draytek Vigor 2800 (NAT) -> provider

    (Site1 and Site2 have the same provider)



  • I have 8 VPN tunnels and they all have different endpoint devices.  I have built 5 basic rules per tunnel and then have more complicated rules for other tunnels.  I am currently running on version 1.2 and/or 1.2.1.  It works fine for me.

    I have Symantec 320, Linksys devices, the new GB Linksys VPN endpoint device, and Netgear VPN devices.  I have tested with several other devices with no issue.  I do have one customer where, if his firewall goes down, I do lose the connection.

    Overall it works great.
    RC



  • Sateetje, I gave you an idea: ESP packets from site2 do not reach site1. I doubt that this is the provider's issue. Double check your Cisco and Draytek configs. BTW, not too many NATs  ;) ?



  • Is it possible to skip the double NAT (transparent pfSense)?

    Are there settings on the Cisco that I should check? The Draytek only has a web interface and one setting to redirect everything (DMZ host).



  • You can turn off NATing at pfSense - just do not configure it. pfSense will then work as a router, filtering packets according to the defined rules. But I suspect your problem is in the Draytek or Cisco configs. To find out exactly who is causing the problem, put a packet sniffer at the Cisco's and Draytek's WANs and see what is going on there.



  • On the Draytek there is an option to passthrough IPSec: srv nat ipsecpass on

    But another problem: I can't use RDP. It has something to do with the MTU size. The largest packet I can ping is 1394 bytes. How do I set the right MTU sizes?
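The "largest packet I can ping is 1394 bytes" observation is what you get when the ESP tunnel-mode overhead is subtracted from a 1500-byte path MTU. The following is an added worked example, not code from the thread or from pfSense: it computes the on-the-wire size of an ESP tunnel-mode packet from its parts (outer IP header, optional NAT-T UDP header, SPI/sequence, IV, cipher-block padding, trailer, ICV) and from that the largest ping payload and the TCP MSS that still fit. The cipher and integrity choices (AES-CBC with a 16-byte block and IV, HMAC-SHA1-96 with a 12-byte ICV) and the use of NAT-T (both pfSense boxes sit behind NAT routers) are assumptions; the thread does not state the phase 2 proposal.

```python
"""ESP tunnel-mode overhead: largest ping payload and TCP MSS that fit a path MTU.

Added example, not from the thread. Assumed defaults: AES-CBC (16-byte block
and IV), HMAC-SHA1-96 (12-byte ICV), NAT-T UDP encapsulation. Pass block=8,
iv=8 for 3DES, icv=16 for HMAC-SHA256-128, nat_t=False without NAT-T.
"""

OUTER_IP = 20      # outer IPv4 header added by tunnel mode
UDP_NAT_T = 8      # UDP/4500 header when NAT traversal is in use
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
INNER_IP = 20      # inner IPv4 header (no options)
ICMP_HDR = 8       # ICMP echo header
TCP_HDR = 20       # TCP header (no options)


def esp_packet_size(inner_len, *, block=16, iv=16, icv=12, nat_t=True):
    """Wire size of one ESP tunnel-mode packet carrying an inner IP packet of inner_len bytes.

    The encrypted part (inner packet + padding + trailer) is padded up to a
    multiple of the cipher block size, which is why the overhead is not a
    constant: one extra inner byte can cost a whole block."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    encrypted = inner_len + pad + ESP_TRAILER
    return OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv + encrypted + icv


def max_inner_len(path_mtu=1500, **kw):
    """Largest inner IP packet whose ESP encapsulation still fits in path_mtu."""
    n = path_mtu
    while n > 0 and esp_packet_size(n, **kw) > path_mtu:
        n -= 1
    return n


def max_ping_payload(path_mtu=1500, **kw):
    """Largest `ping -l`/`ping -s` payload that crosses the tunnel unfragmented."""
    return max_inner_len(path_mtu, **kw) - INNER_IP - ICMP_HDR


def recommended_tcp_mss(path_mtu=1500, **kw):
    """TCP MSS to clamp to on traffic entering the tunnel (inner packet minus IP and TCP headers)."""
    return max_inner_len(path_mtu, **kw) - INNER_IP - TCP_HDR


if __name__ == "__main__":
    for nat_t in (True, False):
        print(f"NAT-T={nat_t}: max inner {max_inner_len(nat_t=nat_t)} bytes, "
              f"max ping payload {max_ping_payload(nat_t=nat_t)} bytes, "
              f"clamp TCP MSS to {recommended_tcp_mss(nat_t=nat_t)}")
```

Under the assumed parameters the largest ping payload that fits a 1500-byte path MTU is 1394 bytes with NAT-T (1410 without), which matches the observed value; a 1395-byte payload pushes the inner packet over a 16-byte boundary and the ESP packet grows to 1504 bytes. RDP sessions stall because full-size TCP segments with DF set suffer the same fate, so the practical fix is to clamp the TCP MSS on traffic entering the tunnel to the value `recommended_tcp_mss()` returns (1382 with these assumptions) rather than to change the LAN MTU.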



  • I got my IPsec implementation working, it was an issue with the routes of the computer I was testing with…

