Need some help with pfSense Site-to-Site IPSec VPN



  • I'm having some trouble configuring a site-to-site IPsec VPN between two pfsense firewalls. The IPsec status screen shows that a Phase 1 connection is established. The Phase 2 status shows traffic leaving the firewall but here is a very little traffic returning, it appears this way on both firewalls.

    I have both firewalls configured to allow ICMP which I've validated by pinging the firewalls public IP addresses. When I try to ping the local LAN address for the other firewall the request times out. I checked the firewall logs and there does not appear to be any traffic being blocked. Both firewalls are configured to allow ESP, as well as ports 500 and 4500. The IPsec firewall configuration is setup to allow any traffic to pass. I've also made sure both pfSense instances are using the same encryption and hashing settings for both phase 1 and phase 2.

    The remote network for phase 2 is set to the other firewall's local network (192.168.1.0/24 and 192.168.2.0/24) Any suggestions on how to debug this from here?

    I've attached the IPsec log and here's a photo of the status screen:

    Annotation 2019-03-24 223649.jpg

    ipsec status.txt

    ipsec_log.txt



  • Hello,

    Can you access remote hosts from your side? Do you have other issues rather than ping requests? Beside this, please attach here the screenshot of "Firewall / Rules / IPSec" of both sides.



  • @emammadov

    I'll get back to you with the screenshots of the IPsec firewall rules for the remote tunnel, but both should be configured like the attached screenshot.

    Annotation 2019-03-26 221140.jpg

    As of right now I'm not able to access any hosts on the remote network, I've tried hitting the remote pfSense console as well as some Web Applications but I haven't had any luck yet.

    Thanks,
    Zach


  • LAYER 8 Netgate

    How are you testing? Where are you pinging from? To?

    You have to ping from something that has a source address in the local network and a remote address in the remote network.

    For instance, if you ping using Diagnostics > Ping you have to set the source address to LAN.



  • Hi,

    So I've been testing by pinging the remote gateway from a computer on the network as well as pfSense. I've also tried accessing SMB drives and Web Servers.

    Here are some photos of the configuration, my instance is on the left side of the photos.

    Thanks

    Annotation 2019-03-27 205349.jpg

    Annotation 2019-03-27 205416.jpg

    Annotation 2019-03-27 205507.jpg

    Annotation 2019-03-27 205538.jpg

    Annotation 2019-03-27 205647.jpg

    Annotation 2019-03-27 210310.jpg

    It's also worth mentioning that I'm seeing these messages in the remote gateway:

    Mar 28 01:32:05 charon 05[ENC] <con1000|8> parsed INFORMATIONAL response 11 [ ]
    Mar 28 01:32:05 charon 05[IKE] <con1000|8> activating new tasks
    Mar 28 01:32:05 charon 05[IKE] <con1000|8> nothing to initiate
    Mar 28 01:32:07 charon 05[CFG] vici client 540 connected
    Mar 28 01:32:07 charon 05[CFG] vici client 540 registered for: list-sa
    Mar 28 01:32:07 charon 16[CFG] vici client 540 requests: list-sas
    Mar 28 01:32:07 charon 06[CFG] vici client 540 disconnected
    Mar 28 01:32:13 charon 06[CFG] vici client 541 connected
    Mar 28 01:32:13 charon 06[CFG] vici client 541 registered for: list-sa
    Mar 28 01:32:13 charon 12[CFG] vici client 541 requests: list-sas
    Mar 28 01:32:13 charon 06[CFG] vici client 541 disconnected



  • @zachelks
    Hey
    Hey
    These log messages indicate that you have been to the Webgui page /Status/IPSEC
    Show the rules for Lan interfaces on both sides of the tunnel
    and try disabling tinc on the left side of the tunnel.



  • @Konstanti

    Hi,

    I've disabled the tinc VPN now, but still no luck.

    Here is a screenshot of my rules:

    Annotation 2019-03-28 213547.jpg

    And of the remote gateway:

    Capture.PNG



  • @zachelks
    Hey
    What type of traffic do you have a problem with ?
    Screenshots show that everything is configured correctly
    Try to reduce MSS ( for example , make it equal to 1360)
    VPN/IPsec/Advanced Settings
    adaf9ba9-b650-4463-8f4d-d1f0fec7d9a4-image.png

    or Try to use a Packet Capture to find the place where the IP packets are being lost


  • LAYER 8 Netgate

    @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

    So I've been testing by pinging the remote gateway from a computer on the network as well as pfSense. I've also tried accessing SMB drives and Web Servers.

    That means nothing to anyone but you. Please detail exact tests that are not working. Details like:

    Source IP address
    Destination IP address
    Protocol (get pings (ICMP) working first)



  • @Derelict @Konstanti

    So the tunnel is mostly working now, I unplugged the AT&T modem and plugged it back in and the tunnel came up. Thanks for your help!

    The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple minutes every hour, I'm thinking it has something to do with the re-keying. I have ping option set to keep the tunnel alive (it's set to 192.168.1.1 and 192.168.2.1) and the Phase 1 and Phase 2 lifetimes are set to the same value.

    I've attached the log from the period where the tunnel is dropping, any ideas how to address this issue?

    ipsec_dropped_connections.txt



  • You need to check how many CHILD_SA were active at the time of the rekeying. Judging by the logs there were 2 numbers 180 and 181 . Instead, 2 new active CHILD_SA numbers 182 and 183 were created.

    I understand this is a problem because there must be one CHILD_SA for each connection.

    Try using The make before break option on the /IPSEC/Advanced settings tab

    e58076cc-de7b-4ce8-b8bb-c06e94b544d7-image.png


  • LAYER 8 Netgate

    @zachelks said in Need some help with pfSense Site-to-Site IPSec VPN:

    The tunnel is mostly working fine, but I'm now seeing the tunnel drop for a couple minutes every hour, I'm thinking it has something to do with the re-keying.

    So look at the IPsec logs surrounding and including one of these time periods and see what is happening.



  • Hi,

    So I ended up resolving this issue, for those who are interested it was an issue with the AT&T modem.

    I have the Arris BGW-210 on both sides of the tunnel. The modem has a setting under Advanced Firewall called ESP ALG, this setting should be disabled if both sides of your tunnel are not behind NAT (pfSense has a public IP).

    Thanks for your help getting this resolved, the tunnel is working great, I'm seeing over 300 mbps between the networks.


Log in to reply