Mobile IPsec clients cannot see traffic from LAN

warrenfalk

LAN: 10.10.10.0/24
IPsec: 10.10.12.0/24

pfSense: 10.10.10.1
IPsec Host: 10.10.12.1
LAN Host: 10.10.10.20

Packets from the IPsec host reach the LAN host, but packets from the LAN host never reach the IPsec host.

For example, during a ping from the IPsec host 10.10.12.1 to the LAN host 10.10.10.20, the ICMP echo request reaches 10.10.10.20, which sends a reply. The ICMP echo reply reaches pfSense and be seen on the LAN interface (see below):

[2.4.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -ni ue0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ue0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:53:43.579030 IP 10.10.12.1 > 10.10.10.20: ICMP echo request, id 108, seq 1, length 64
13:53:43.579443 IP 10.10.10.20 > 10.10.12.1: ICMP echo reply, id 108, seq 1, length 64
13:53:44.595713 IP 10.10.12.1 > 10.10.10.20: ICMP echo request, id 108, seq 2, length 64
13:53:44.596197 IP 10.10.10.20 > 10.10.12.1: ICMP echo reply, id 108, seq 2, length 64
13:53:45.603382 IP 10.10.12.1 > 10.10.10.20: ICMP echo request, id 108, seq 3, length 64
13:53:45.603821 IP 10.10.10.20 > 10.10.12.1: ICMP echo reply, id 108, seq 3, length 64

But if we watch the IPsec interface, we only see the requests going out. The ICMP echo replies never show up on the IPsec interface (the last place we see them is on the LAN interface).

Requests only, no replies on IPsec interface (?)

[2.4.4-RELEASE][root@pfSense.localdomain]/root: tcpdump -ni enc0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enc0, link-type ENC (OpenBSD encapsulated IP), capture size 262144 bytes
13:53:43.578991 (authentic,confidential): SPI 0xcb9f807f: IP 10.10.12.1 > 10.10.10.20: ICMP echo request, id 108, seq 1, length 64
13:53:44.595679 (authentic,confidential): SPI 0xcb9f807f: IP 10.10.12.1 > 10.10.10.20: ICMP echo request, id 108, seq 2, length 64
13:53:45.603340 (authentic,confidential): SPI 0xcb9f807f: IP 10.10.12.1 > 10.10.10.20: ICMP echo request, id 108, seq 3, length 64

I have rules to pass any/any/any on IPsec and LAN:

Screenshot from 2020-01-01 14-09-28.png

Screenshot from 2020-01-01 14-07-49.png

So I believe maybe this is a routing issue. Here's my routing table:

[2.4.4-RELEASE][root@pfSense.localdomain]/root: netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.181.160.1      UGS         em0
10.10.10.0/24      link#6             U           ue0
10.10.10.1         link#6             UHS         lo0
10.10.11.0/24      10.10.11.2         UGS      ovpns1
10.10.11.1         link#7             UHS         lo0
10.10.11.2         link#7             UH       ovpns1
127.0.0.1          link#3             UH          lo0
192.168.10.0/24    link#6             U           ue0
192.168.10.50      link#6             UHS         lo0
192.181.160.0/19   link#1             U           em0
192.181.169.71     link#1             UHS         lo0
209.18.47.61       1c:b0:44:fe:0f:13  UHS         em0
209.18.47.63       1c:b0:44:fe:0f:13  UHS         em0

But I have been unable to direct pfSense to send the traffic to the IPsec interface.

(As an aside, one interesting fact is that I also have an OpenVPN set up and the OpenVPN hosts, 10.10.11.0/24, CAN communicate with the IPsec hosts. It is only the LAN hosts which cannot)

Derelict

My first thought is your USB ethernet is misbehaving.

How is your IPsec tunnel configured?