Netgate Discussion Forum
    Need some help with pfSense Site-to-Site IPSec VPN

    zachelks

      I'm having some trouble configuring a site-to-site IPsec VPN between two pfSense firewalls. The IPsec status screen shows that a Phase 1 connection is established. The Phase 2 status shows traffic leaving the firewall, but there is very little traffic returning; it appears this way on both firewalls.

      I have both firewalls configured to allow ICMP, which I've validated by pinging the firewalls' public IP addresses. When I try to ping the local LAN address of the other firewall, the request times out. I checked the firewall logs and there does not appear to be any traffic being blocked. Both firewalls are configured to allow ESP, as well as ports 500 and 4500. The IPsec firewall configuration is set up to allow any traffic to pass. I've also made sure both pfSense instances are using the same encryption and hashing settings for both Phase 1 and Phase 2.

      The remote network for Phase 2 is set to the other firewall's local network (192.168.1.0/24 and 192.168.2.0/24). Any suggestions on how to debug this from here?

      I've attached the IPsec log and here's a photo of the status screen:

      Annotation 2019-03-24 223649.jpg

      ipsec status.txt

      ipsec_log.txt

      emammadov

        Hello,

        Can you access remote hosts from your side? Do you have other issues besides ping requests? Besides this, please attach here the screenshots of "Firewall / Rules / IPsec" from both sides.

        Elvin

        zachelks @emammadov

          @emammadov

          I'll get back to you with the screenshots of the IPsec firewall rules for the remote tunnel, but both should be configured like the attached screenshot.

          Annotation 2019-03-26 221140.jpg

          As of right now I'm not able to access any hosts on the remote network; I've tried hitting the remote pfSense console as well as some web applications, but I haven't had any luck yet.

          Thanks,
          Zach

          Derelict, Netgate

            How are you testing? Where are you pinging from? To?

            You have to ping from something that has a source address in the local network and a remote address in the remote network.

            For instance, if you ping using Diagnostics > Ping you have to set the source address to LAN.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            zachelks

              Hi,

              So I've been testing by pinging the remote gateway from a computer on the network as well as from pfSense. I've also tried accessing SMB drives and web servers.

              Here are some photos of the configuration, my instance is on the left side of the photos.

              Thanks

              Annotation 2019-03-27 205349.jpg

              Annotation 2019-03-27 205416.jpg

              Annotation 2019-03-27 205507.jpg

              Annotation 2019-03-27 205538.jpg

              Annotation 2019-03-27 205647.jpg

              Annotation 2019-03-27 210310.jpg

              It's also worth mentioning that I'm seeing these messages in the remote gateway:

              Mar 28 01:32:05 charon 05[ENC] <con1000|8> parsed INFORMATIONAL response 11 [ ]
              Mar 28 01:32:05 charon 05[IKE] <con1000|8> activating new tasks
              Mar 28 01:32:05 charon 05[IKE] <con1000|8> nothing to initiate
              Mar 28 01:32:07 charon 05[CFG] vici client 540 connected
              Mar 28 01:32:07 charon 05[CFG] vici client 540 registered for: list-sa
              Mar 28 01:32:07 charon 16[CFG] vici client 540 requests: list-sas
              Mar 28 01:32:07 charon 06[CFG] vici client 540 disconnected
              Mar 28 01:32:13 charon 06[CFG] vici client 541 connected
              Mar 28 01:32:13 charon 06[CFG] vici client 541 registered for: list-sa
              Mar 28 01:32:13 charon 12[CFG] vici client 541 requests: list-sas
              Mar 28 01:32:13 charon 06[CFG] vici client 541 disconnected

              Konstanti @zachelks

                @zachelks
                Hey.
                These log messages indicate that you have been to the WebGUI page /Status/IPsec.
                Show the rules for the LAN interfaces on both sides of the tunnel,
                and try disabling tinc on the left side of the tunnel.

                zachelks @Konstanti

                  @Konstanti

                  Hi,

                  I've disabled the tinc VPN now, but still no luck.

                  Here is a screenshot of my rules:

                  Annotation 2019-03-28 213547.jpg

                  And of the remote gateway:

                  Capture.PNG

                  Konstanti @zachelks

                    @zachelks
                    Hey.
                    What type of traffic do you have a problem with?
                    The screenshots show that everything is configured correctly.
                    Try to reduce the MSS (for example, make it equal to 1360) under
                    VPN / IPsec / Advanced Settings:
                    adaf9ba9-b650-4463-8f4d-d1f0fec7d9a4-image.png

                    Or try using a packet capture to find the place where the IP packets are being lost.

                    Derelict, Netgate @zachelks

                      @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

                      So I've been testing by pinging the remote gateway from a computer on the network as well as pfSense. I've also tried accessing SMB drives and Web Servers.

                      That means nothing to anyone but you. Please detail exact tests that are not working. Details like:

                      Source IP address
                      Destination IP address
                      Protocol (get pings (ICMP) working first)


                      zachelks @Derelict

                        @Derelict @Konstanti

                        So the tunnel is mostly working now. I unplugged the AT&T modem and plugged it back in, and the tunnel came up. Thanks for your help!

                        The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple of minutes every hour. I'm thinking it has something to do with the re-keying. I have the ping option set to keep the tunnel alive (it's set to 192.168.1.1 and 192.168.2.1), and the Phase 1 and Phase 2 lifetimes are set to the same value.

                        I've attached the log from the period where the tunnel is dropping, any ideas how to address this issue?

                        ipsec_dropped_connections.txt

                        Konstanti @zachelks

                          You need to check how many CHILD_SAs were active at the time of the rekeying. Judging by the logs, there were two, numbers 180 and 181. Instead, two new active CHILD_SAs, numbers 182 and 183, were created.

                          I understand this is a problem because there must be one CHILD_SA for each connection.

                          Try using the Make Before Break option on the VPN / IPsec / Advanced Settings tab:

                          e58076cc-de7b-4ce8-b8bb-c06e94b544d7-image.png

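To check the condition Konstanti describes (old CHILD_SAs 180/181 still present next to the new 182/183 after a rekey), here is an added Python example, not code from pfSense or strongSwan, that replays charon log lines and reports which CHILD_SAs remain active for each traffic-selector pair. The log lines are constructed in charon's message format, and a second Phase 2 network (192.168.3.0/24) is assumed so that one normal rekey can sit beside one duplicated pair.

```python
"""Track strongSwan CHILD_SA lifecycle from charon log lines (added example).

Parses the 'CHILD_SA <conn>{<id>} established ... TS A === B' and
'closing CHILD_SA <conn>{<id>}' messages and reports the CHILD_SAs that are
still active per traffic-selector pair. More than one active SA for the same
pair after a rekey is the duplicate condition discussed in the thread."""
import re
from collections import defaultdict

EST_RE = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established .*? and TS (\S+) === (\S+)")
CLOSE_RE = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\}")

# Constructed sample lines in charon's format; SA ids chosen to match the thread.
# 180 is never closed after 182 replaces it (duplicate); 181 -> 183 is a clean rekey.
SAMPLE_LOG = """\
Mar 28 02:10:01 charon 05[IKE] <con1000|8> CHILD_SA con1000{180} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 02:10:01 charon 05[IKE] <con1000|8> CHILD_SA con1000{181} established with SPIs c2a2b3c4_i d6e6f7a8_o and TS 192.168.1.0/24 === 192.168.3.0/24
Mar 28 03:09:55 charon 07[IKE] <con1000|8> CHILD_SA con1000{182} established with SPIs c9a8b7c6_i d1e2f3a4_o and TS 192.168.1.0/24 === 192.168.2.0/24
Mar 28 03:09:55 charon 07[IKE] <con1000|8> CHILD_SA con1000{183} established with SPIs c3a8b7c6_i d4e2f3a4_o and TS 192.168.1.0/24 === 192.168.3.0/24
Mar 28 03:09:56 charon 07[IKE] <con1000|8> closing CHILD_SA con1000{181} with SPIs c2a2b3c4_i d6e6f7a8_o and TS 192.168.1.0/24 === 192.168.3.0/24
"""


def track_child_sas(log_text):
    """Return {(conn, local_ts, remote_ts): [active SA ids]} after replaying the log."""
    active = defaultdict(list)   # traffic-selector pair -> currently active CHILD_SA ids
    sa_key = {}                  # (conn, id) -> traffic-selector pair, resolved on close
    for line in log_text.splitlines():
        m = EST_RE.search(line)
        if m:
            conn, sa_id, local, remote = m.groups()
            key = (conn, local, remote)
            sa_key[(conn, sa_id)] = key
            active[key].append(sa_id)
            continue
        m = CLOSE_RE.search(line)
        if m:
            key = sa_key.get(m.groups())
            if key and m.group(2) in active[key]:
                active[key].remove(m.group(2))
    return dict(active)


def duplicate_child_sas(log_text):
    """Traffic-selector pairs that end the log with more than one active CHILD_SA."""
    return {k: v for k, v in track_child_sas(log_text).items() if len(v) > 1}


if __name__ == "__main__":
    for (conn, local, remote), ids in duplicate_child_sas(SAMPLE_LOG).items():
        print(f"{conn} {local} === {remote}: {len(ids)} active CHILD_SAs {ids}")
```

Run it against the pfSense IPsec log (Status / System Logs / IPsec) around one of the hourly drops; a pair that keeps two ids is the one to watch while testing Make Before Break.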
                          Derelict, Netgate @zachelks

                            @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

                            The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple minutes every hour, I'm thinking it has something to do with the re-keying.

                            So look at the IPsec logs surrounding and including one of these time periods and see what is happening.


                            zachelks

                              Hi,

                              So I ended up resolving this issue; for those who are interested, it was an issue with the AT&T modem.

                              I have the Arris BGW-210 on both sides of the tunnel. The modem has a setting under Advanced Firewall called ESP ALG; this setting should be disabled if both sides of your tunnel are not behind NAT (pfSense has a public IP).

                              Thanks for your help getting this resolved. The tunnel is working great; I'm seeing over 300 Mbps between the networks.
