IPsec Phase 1 and Phase 2 connected but no routing to tunnel



  • I have established an IPsec tunnel to a Fortigate machine. The tunnel reports up and the SADs also report as up. SPDs are shown correctly. But traffic is not routed to the tunnel but to the default route.
    With other IPsec tunnels (to pfSense and SonicWall) the problem does not exist.
    Is there any way to debug the creation of the kernel routes, as the routes to IPsec do not appear in the routing tables?
    The only (possible) problem I identified is a sporadic error message "IKE_SA checkout not successful".
    Any ideas welcome
    GreyHat
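One check worth running before chasing missing routes, as an added example that is not from this thread and not pfSense or strongSwan code: with policy-based IPsec on pfSense (FreeBSD, no VTI), the kernel installs no routes for the remote phase-2 networks. A packet for the remote subnet follows the routing table (typically the default route) and is then matched against the security policy database, which is what `setkey -DP` dumps; if an outbound `ipsec` policy covers the source/destination pair, the packet is encapsulated, otherwise it really does leave in the clear. The script below parses a constructed `setkey -DP` dump (addresses, spids and pids are made up for the example, not taken from the poster's firewalls) and reports which policy a given pair hits. It assumes policy-based tunnels, first-match semantics in dump order, and selectors without port or protocol restrictions; routed IPsec (VTI) behaves differently and does use routes.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample of `setkey -DP` output on a FreeBSD/pfSense box, written
# for this example (it is not a dump from the poster's firewall). One policy per
# direction for a single phase-2 (10.0.1.0/24 <-> 10.0.2.0/24) between the
# documentation addresses 203.0.113.1 (local) and 198.51.100.1 (peer).
SAMPLE_SPD = """\
10.0.1.0/24[any] 10.0.2.0/24[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.1/unique:1
\tspid=1 seq=1 pid=4242
\trefcnt=1
10.0.2.0/24[any] 10.0.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.1-203.0.113.1/unique:1
\tspid=2 seq=0 pid=4242
\trefcnt=1
"""

# "src[port] dst[port] proto" header line of each SPD entry
HEADER_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)\s*$")
# "esp/tunnel/LOCAL-REMOTE/level" request line
TUNNEL_RE = re.compile(r"^(\w+)/tunnel/([^-\s]+)-([^/\s]+)/(\S+)$")


def _net(selector):
    """Turn a setkey selector ('any', host, or prefix) into an ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if selector == "any" else selector,
                                strict=False)


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str = ""      # in / out / fwd
    action: str = ""         # ipsec / discard / none
    spid: int = -1
    tunnels: list = field(default_factory=list)  # (proto, local, remote)


def parse_spd(text):
    """Parse `setkey -DP` output into a list of Policy objects in dump order."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():            # unindented: new entry header
            m = HEADER_RE.match(line)
            if not m:
                raise ValueError(f"unexpected SPD header: {line!r}")
            cur = Policy(_net(m.group(1)), _net(m.group(3)), m.group(5))
            policies.append(cur)
            continue
        if cur is None:
            raise ValueError("indented line before any policy header")
        words = line.split()
        if len(words) == 2 and words[0] in ("in", "out", "fwd"):
            cur.direction, cur.action = words
        elif line.startswith("spid="):
            cur.spid = int(words[0].split("=", 1)[1])
        else:
            m = TUNNEL_RE.match(line)
            if m:
                cur.tunnels.append((m.group(1), m.group(2), m.group(3)))
    return policies


def lookup(policies, src_ip, dst_ip, direction="out"):
    """First SPD entry whose selectors cover src->dst in `direction`, or None.
    Assumption for this example: the kernel walks the SPD in dump order and the
    first match wins (the sample has no port/protocol selectors)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None


def explain(policies, src_ip, dst_ip):
    """Human-readable verdict for an outbound packet src->dst."""
    p = lookup(policies, src_ip, dst_ip)
    if p is None:
        return (f"{src_ip}->{dst_ip}: no outbound SPD entry matches; the packet is "
                "forwarded in the clear along the routing table (default route)")
    if p.action != "ipsec" or not p.tunnels:
        return f"{src_ip}->{dst_ip}: spid={p.spid} action={p.action} (not encrypted)"
    proto, local, remote = p.tunnels[0]
    return (f"{src_ip}->{dst_ip}: spid={p.spid} -> {proto} tunnel {local}->{remote}; "
            "no route for the remote subnet is expected with policy-based IPsec")


if __name__ == "__main__":
    pol = parse_spd(SAMPLE_SPD)
    for src, dst in (("10.0.1.10", "10.0.2.20"), ("10.0.1.10", "192.0.2.7")):
        print(explain(pol, src, dst))
```

On a live box, feed it the real dump (`setkey -DP > spd.txt`) and compare the verdict with what `tcpdump -ni enc0` shows for the same flow: a pair that hits an outbound `ipsec` policy but never appears on enc0, while the SA is up, points at a selector mismatch or an SPD problem rather than at the routing table.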



  • Further investigations show that it is not a problem of the Fortigate as communication partner.
    I set up a tunnel with identical settings to another pfSense and the effect was the same.
    The pfSense in question is a team with 2 pfSense boxes. I set up the tunnel on the fallback pfSense and it worked immediately, including routing etc.
    So on a pfSense 2.4.4-p3 with 8 GB memory, 3 static tunnels with a total of 7 SAs (plus IPsec for mobile) work fine.
    If another tunnel with 1 SA is established, the routing fails. Is this a problem of some table size?



  • Anybody any experience with a significant number of Tunnels and SAs?



  • Nobody ever tried to use more than 3 tunnels with 7 security associations?


  • LAYER 8 Netgate

    Many, many, many people. Some have hundreds.

    The number of tunnels is a red herring.

    Chances are, your answer lies in the IPsec logs. With the information provided that is the best I can do.



  • I thought so, there have to be installations with many SAs.
    But who really knows. I transferred the settings to an alternative firewall and the tunnel was established immediately and the routing worked. I will try to reconstruct the problem and post the logs

