Netgate Discussion Forum
    Tunnel Up, Pings Pass but UDP and TCP Fail

    IPsec

    MeCJay12
      I'm working to make a full mesh of my four pfSense routers/sites using IPsec tunnels. I'm on my last tunnel and all of a sudden I'm having an issue. I created my tunnel P1 and it came up fine. I then went back and created my P2 and restarted the tunnel. It comes back up and I can ping from one side to the other and vice versa. When I try to do a traceroute across the tunnel it fails. If I set tracert to ICMP it will work. I have firewall rules set to allow all on both ends. Both routers already have 2 working tunnels to different routers, so I'm a bit confused. I attached firewall rules, P1 config, P2 config, and traceroutes. Thanks in advance.

      Edit: I have been informed my tests should fail in any situation. I re-tested by connecting a laptop to one of the routers and trying to load the web page of the other using the remote tunnel IP. That is also failing.

      Site A (screenshots attached): IPsec FW Rules, P1 Config, P2 Config, Traceroute UDP, Traceroute ICMP

      Site B (screenshots attached): IPsec FW Rules, P1 Config, P2 Config, Traceroute UDP, Traceroute ICMP

      scurrier

        Did you ever figure this out? Same thing is happening to me, but I am not using VTI I am using policy routing (tunnel mode in the phase 2). That should not make a difference, though. I have a feeling our issue is the same. It's frustrating because at first I thought I had MTU / MSS issues, but now it seems that perhaps it is protocol dependent.

        scurrier

          Actually, for me, traceroute with UDP and ICMP are working, but TCP is not. Seems that TCP replies are not coming back, based on packet capture.

          MeCJay12

            I think eventually it just fixed itself, or I rebuilt tunnels/routers until it worked. My recent experience with IPsec tunnels in pfSense has been very hit or miss. A lot of weird issues like this that never really get fixed; they just magically start working or don't. You can't check my post history for my IPsec issues.

            graciejane @scurrier

              @scurrier I think I have the same issue.

              https://forum.netgate.com/topic/155727/site-to-site-ipsec-suspect-not-passing-tcp-traffic

              How did you make traceroute use a specific protocol?

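Added example, not posted by anyone in this thread: a small Python helper that covers the two practical questions raised above, how to make traceroute probe with a chosen protocol (graciejane's question) and how to confirm from a packet capture that only one protocol's replies are missing (what scurrier saw, and the way to check MeCJay12's "ping works, TCP/UDP don't" symptom). Assumptions: the Linux `traceroute` package flags `-I` (ICMP echo), `-T` (TCP SYN) and `-U` (UDP, the default) with `-p` for the port, and on pfSense's FreeBSD shell `traceroute -I` for ICMP and `traceroute -P tcp` for TCP (the pfSense GUI's Diagnostics > Traceroute page only offers a "Use ICMP" checkbox, so protocol-specific probes need the shell). The capture lines are constructed in the style of `tcpdump -ni enc0` output and are not from any poster's system.

```python
"""Traceroute protocol selection and one-way-traffic detection for an IPsec tunnel.
Added illustration; the traceroute flags and the sample capture are assumptions,
not taken from the forum posts."""
import re
from collections import defaultdict


def traceroute_argv(target, proto="udp", system="linux", port=None):
    """Build argv for a traceroute that probes with the requested protocol.

    linux   : traceroute(8) from the 'traceroute' package: -I icmp, -T tcp, -U udp (default)
    freebsd : pfSense shell: -I for ICMP echo, -P tcp for TCP SYN probes, UDP otherwise
    """
    proto = proto.lower()
    if proto not in ("udp", "tcp", "icmp"):
        raise ValueError("proto must be udp, tcp or icmp")
    argv = ["traceroute", "-n"]          # -n: no reverse DNS, keeps the test about the tunnel
    if system == "linux":
        argv.append({"udp": "-U", "tcp": "-T", "icmp": "-I"}[proto])
    elif system == "freebsd":
        if proto == "icmp":
            argv.append("-I")
        elif proto == "tcp":
            argv += ["-P", "tcp"]
    else:
        raise ValueError("system must be linux or freebsd")
    if port is not None and proto != "icmp":
        argv += ["-p", str(port)]        # e.g. 443 to mimic the web-page test across the tunnel
    argv.append(target)
    return argv


# Constructed sample of 'tcpdump -ni enc0' output on the initiating side.  ICMP echo and the
# UDP probe are answered; the TCP SYN to port 443 is retransmitted and never gets a SYN/ACK.
SAMPLE_CAPTURE = """\
12:00:00.000001 IP 10.1.0.10 > 10.2.0.10: ICMP echo request, id 7, seq 1, length 64
12:00:00.000900 IP 10.2.0.10 > 10.1.0.10: ICMP echo reply, id 7, seq 1, length 64
12:00:01.000001 IP 10.1.0.10.33434 > 10.2.0.10.33434: UDP, length 32
12:00:01.000800 IP 10.2.0.10 > 10.1.0.10: ICMP 10.2.0.10 udp port 33434 unreachable, length 68
12:00:02.000001 IP 10.1.0.10.51000 > 10.2.0.10.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
12:00:03.000001 IP 10.1.0.10.51000 > 10.2.0.10.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
"""

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): (.*)$")


def _host(addr):
    """Strip tcpdump's trailing .port from an IPv4 'host.port' token."""
    return addr.rsplit(".", 1)[0] if addr.count(".") == 4 else addr


def classify(line):
    """Map one tcpdump -n line to (proto, kind, client, server); kind is 'probe' or 'reply'."""
    m = LINE.match(line)
    if not m:
        return None
    src, dst, rest = m.groups()
    if rest.startswith("ICMP echo request"):
        return ("icmp", "probe", _host(src), _host(dst))
    if rest.startswith("ICMP echo reply"):
        return ("icmp", "reply", _host(dst), _host(src))
    if rest.startswith("UDP"):
        return ("udp", "probe", _host(src), _host(dst))
    if rest.startswith("ICMP") and "udp port" in rest and "unreachable" in rest:
        # port-unreachable is the answer a UDP traceroute probe gets from the final hop
        return ("udp", "reply", _host(dst), _host(src))
    if rest.startswith("Flags [S],"):
        return ("tcp", "probe", _host(src), _host(dst))
    if rest.startswith("Flags [S.]"):
        return ("tcp", "reply", _host(dst), _host(src))
    return None


def reply_report(capture):
    """Count probes and the replies they drew, per protocol and (client, server) pair."""
    report = defaultdict(lambda: {"probes": 0, "replies": 0})
    for line in capture.splitlines():
        c = classify(line.strip())
        if c:
            proto, kind, client, server = c
            report[(proto, client, server)]["probes" if kind == "probe" else "replies"] += 1
    return dict(report)


def one_way_protocols(capture):
    """Protocols that were probed but never answered: the symptom discussed in the thread."""
    return sorted({proto for (proto, _, _), n in reply_report(capture).items()
                   if n["probes"] and not n["replies"]})


if __name__ == "__main__":
    print(" ".join(traceroute_argv("10.2.0.10", "tcp", "freebsd", 443)))
    print(reply_report(SAMPLE_CAPTURE))
    print("no replies for:", one_way_protocols(SAMPLE_CAPTURE))
```

Capture on both ends (`tcpdump -ni enc0` on each pfSense) and compare: if the SYN shows up on the far side's enc0 but no SYN/ACK ever comes back through it, the far side's firewall or reply path is the place to look; if the SYN never reaches the far side, the problem is on the sending side. A missing SYN/ACK also rules out MTU/MSS as the cause, since a SYN carries no payload and is far below any tunnel MTU.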
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.