IPSEC tunnel config works on 2.4.3p1, not on 2.4.4p1



  • We have 2 pfSense devices at one site:

    SG-2440, pfSense 2.4.3p1 : production box : IPSEC tunnel works great
    SG-3100, pfSense 2.4.4p1 : temporary fallback : IPSEC tunnel does not come up

    Today we exported the config from the 2440 and imported it (and adjusted interfaces etc.) to the 3100.
    (We wanted to prepare the 2nd FW to be able to upgrade the production hardware.)

    3100 comes up fine, internet connectivity, DHCP, DNS, you name it: OK
    Even the IPSEC tunnels to our own other sites come up fine.

    Only the one (and most important) tunnel to our ASP does not come up on the 3100.
    There are no obvious errors or warnings ... just no tunnel ...

    If we plug back to 2440: tunnel up immediately.

    The ASP-admin told us he doesn't see any connection attempt from our IP.
    hmm...

    Right now I have the 3100 connected there, I can ssh and access the WebGUI.

    The tunnel is displayed as "Connecting" ... I already tried to restart, reload etc. on shell and GUI, re-saved the config, etc.

    And another observation: on a 2nd site we also run pfSense 2.4.4p1 and a tunnel to the same ASP (separate config). There it works without problems.

    I compared the configs, same encryption parameters etc. ... we toggled HW encryption, checked FW logs ...

    Please advise how to proceed. For now the 3100 is connected and the box is remote, so I can't swap boxes until Monday. I assume I should provide logs etc.; let me know what helps most.

    Thanks, Stefan



  • Some first and anonymized status to look at:

    # ipsec statusall
    Status of IKE charon daemon (strongSwan 5.7.1, FreeBSD 11.2-RELEASE-p4, arm):
      uptime: 6 hours, since Jan 04 12:27:15 2019
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
      loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock counters
    Listening IP addresses:
      192.168.187.0
      192.168.187.1
      $MY_WAN_IP
      172.31.90.1
    Connections:
       bypasslan:  %any...%any  IKEv1/2
       bypasslan:   local:  uses public key authentication
       bypasslan:   remote: uses public key authentication
       bypasslan:   child:  192.168.187.0/24|/0 === 192.168.187.0/24|/0 PASS
         con2000:  $MY_WAN_IP...$THEIR_VPN_GW_IP  IKEv1, dpddelay=10s
         con2000:   local:  [$MY_WAN_IP] uses pre-shared key authentication
         con2000:   remote: [$THEIR_VPN_GW_IP] uses pre-shared key authentication
         con2000:   child:  192.168.187.0/24|/0 === 10.193.103.0/24|/0 TUNNEL, dpdaction=restart
    Shunted Connections:
       bypasslan:  192.168.187.0/24|/0 === 192.168.187.0/24|/0 PASS
    Routed Connections:
         con2000{7}:  ROUTED, TUNNEL, reqid 7
         con2000{7}:   192.168.187.0/24|/0 === 10.193.103.0/24|/0
    Security Associations (0 up, 1 connecting):
         con2000[10]: CONNECTING, $MY_WAN_IP[%any]...$THEIR_VPN_GW_IP[%any]
         con2000[10]: IKEv1 SPIs: 8b06ac22a80c487f_i* 0000000000000000_r
         con2000[10]: Tasks queued: QUICK_MODE QUICK_MODE 
         con2000[10]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
    

    EDIT:

    Tried a packet capture now: started it on WAN and filtered for the IP of the remote VPN gateway. After starting the capture I clicked on "Connect" in my IPSEC status to trigger some activity. At first only one packet went out (port 500) and there was no reply. On the 2nd try no traffic was captured at all.

    Could it be that the remote gateway somehow detects my change of hardware and filters traffic? I can ping that IP but only get https in nmap ...
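As an added example (not part of this thread, and not a pfSense or strongSwan tool), a small Python parser for the "Security Associations" block of `ipsec statusall` that separates "the peer never answered" (responder SPI still all zeros, exactly what the output above shows, which matches the capture seeing packets leave and nothing return) from "the peer answered but negotiation stalled". The sample input is the anonymised excerpt posted above; the ESTABLISHED case is constructed.

```python
import re

# Excerpt of the "Security Associations" block from the anonymised
# `ipsec statusall` output posted earlier in this thread.
STATUS_EXCERPT = """\
Security Associations (0 up, 1 connecting):
     con2000[10]: CONNECTING, $MY_WAN_IP[%any]...$THEIR_VPN_GW_IP[%any]
     con2000[10]: IKEv1 SPIs: 8b06ac22a80c487f_i* 0000000000000000_r
     con2000[10]: Tasks queued: QUICK_MODE QUICK_MODE
     con2000[10]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
"""

# IKE SA lines look like "<conn>[<id>]: <rest>"; child SAs use "{reqid}" and are skipped.
SA_LINE = re.compile(r"^\s*(?P<name>[^\s\[{]+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$")
SPI_LINE = re.compile(r"IKEv[12] SPIs:\s+(?P<i>[0-9a-f]+)_i\*?\s+(?P<r>[0-9a-f]+)_r\*?")
STATE = re.compile(r"^([A-Z_]{4,})\b")  # CONNECTING, ESTABLISHED, ... (not "IKEv1", "Tasks")


def parse_ike_sas(status_text):
    """Map "conn[id]" -> state, initiator/responder SPIs and active tasks."""
    sas, in_section = {}, False
    for line in status_text.splitlines():
        if line.startswith("Security Associations"):
            in_section = True
            continue
        m = SA_LINE.match(line) if in_section else None
        if not m:
            continue
        sa = sas.setdefault(f"{m['name']}[{m['id']}]",
                            {"state": None, "spi_i": None, "spi_r": None, "tasks_active": []})
        rest = m["rest"]
        if (spi := SPI_LINE.search(rest)):
            sa["spi_i"], sa["spi_r"] = spi["i"], spi["r"]
        elif rest.startswith("Tasks active:"):
            sa["tasks_active"] = rest.split(":", 1)[1].split()
        elif (st := STATE.match(rest)):
            sa["state"] = st.group(1)
    return sas


def diagnose(sas):
    """A CONNECTING SA whose responder SPI is all zeros never got a single IKE reply,
    so the fault is on the path to (or at) the peer, not in the proposal negotiation."""
    findings = []
    for key, sa in sas.items():
        if sa["state"] != "CONNECTING":
            continue
        if sa["spi_r"] and set(sa["spi_r"]) == {"0"}:
            findings.append(f"{key}: no IKE reply from peer (responder SPI is zero) during "
                            f"{' '.join(sa['tasks_active']) or 'unknown tasks'}; confirm with a "
                            "WAN capture on UDP 500/4500 that packets leave and nothing returns")
        else:
            findings.append(f"{key}: peer answered but negotiation stalled; check proposals, PSK, IDs")
    return findings
```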



  • @sgw said in IPSEC tunnel config works on 2.4.3p1, not on 2.4.4p1:

    Could it be that the remote gateway somehow detects my change of hardware and filters traffic? I can ping that IP but only get https in nmap ...

    Seems like it: we then tried swapping pfSenses again and additionally rebooted the Hitron "modem" in front of the pfSense. The tunnel came up immediately. So I assume there are some MAC-based filters built at bootup or something like that.


  • LAYER 8 Netgate

    @sgw said in IPSEC tunnel config works on 2.4.3p1, not on 2.4.4p1:

    Seems like it: we then tried swapping pfSenses again and additionally rebooted the Hitron "modem" in front of the pfSense. The tunnel came up immediately. So I assume there are some MAC-based filters built at bootup or something like that.

    Right. On the modem. You always have to reboot an upstream ISP device when you change the hardware behind it. Or at least it's a good idea, especially if you have problems changing devices around.

    I usually:

    1. Disconnect the WAN patch cable between the modem and the WAN port.
    2. Power cycle the upstream device and let it sync up and "go green" again.
    3. Connect the modem to the new WAN port.

    This is primarily for normal US cable modems. Any ISP "Residential Gateway" might have other requirements.