    IPsec VPN StS - no traffic

      Rafael Santos 92

      Hello everyone,
      I got a problem on an IPsec tunnel between 2 branches. What happens is: the tunnel is up, I can ping devices on both sides but can't connect to them. For example I can't make RDP connections between the sides. I tried everything, changed encryption algorithm, auth methods, etc.
      What makes it stranger is that I got other tunnels working on both sides with no problem.
      IPsec rule is set * to * in both firewalls, outbound NAT is automatically created (even tried with hybrid and still no luck).

      P1 config:
      p1.jpg

      P2 config:
      p2.jpg

      Same config on the other endpoint (obviously source/destination are inverse).

      I even captured packets while testing and tried to analyse them in Wireshark, but I don't know exactly how to.

      No.	Time	Source	Destination	Protocol	Length	Info
      1	0.000000	192.168.5.5	192.168.2.5	ICMP	72	Echo (ping) request  id=0x0002, seq=31022/11897, ttl=127 (reply in 2)
      2	0.000378	192.168.2.5	192.168.5.5	ICMP	72	Echo (ping) reply    id=0x0002, seq=31022/11897, ttl=127 (request in 1)
      3	1.014671	192.168.5.5	192.168.2.5	ICMP	72	Echo (ping) request  id=0x0002, seq=31023/12153, ttl=127 (reply in 4)
      4	1.014990	192.168.2.5	192.168.5.5	ICMP	72	Echo (ping) reply    id=0x0002, seq=31023/12153, ttl=127 (request in 3)
      5	2.028549	192.168.5.5	192.168.2.5	ICMP	72	Echo (ping) request  id=0x0002, seq=31024/12409, ttl=127 (reply in 6)
      6	2.028857	192.168.2.5	192.168.5.5	ICMP	72	Echo (ping) reply    id=0x0002, seq=31024/12409, ttl=127 (request in 5)
      7	3.042263	192.168.5.5	192.168.2.5	ICMP	72	Echo (ping) request  id=0x0002, seq=31025/12665, ttl=127 (reply in 8)
      8	3.042583	192.168.2.5	192.168.5.5	ICMP	72	Echo (ping) reply    id=0x0002, seq=31025/12665, ttl=127 (request in 7)
      9	14.066480	192.168.5.5	192.168.2.5	TCP	64	60132 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      10	14.066812	192.168.2.5	192.168.5.5	TCP	64	3389 → 60132 [SYN, ACK, ECN] Seq=0 Ack=1 Win=64000 Len=0 MSS=1460 WS=1 SACK_PERM=1
      11	14.069804	192.168.5.5	192.168.2.5	TCP	52	60132 → 3389 [ACK] Seq=1 Ack=1 Win=1051136 Len=0
      12	14.070182	192.168.5.5	192.168.2.5	TLSv1.2	99	Ignored Unknown Record
      13	14.075407	192.168.2.5	192.168.5.5	TLSv1.2	71	Ignored Unknown Record
      14	14.086762	192.168.5.5	192.168.2.5	TCP	52	60132 → 3389 [ACK] Seq=48 Ack=20 Win=1051136 Len=0
      15	16.824950	192.168.5.5	192.168.2.5	TLSv1.2	236	Client Hello
      16	16.829089	192.168.2.5	192.168.5.5	TCP	52	3389 → 60132 [ACK] Seq=20 Ack=232 Win=63769 Len=0
      17	16.831388	192.168.2.5	192.168.5.5	TLSv1.2	1249	Server Hello, Certificate, Server Key Exchange, Server Hello Done
      18	16.847789	192.168.5.5	192.168.2.5	TCP	52	60132 → 3389 [ACK] Seq=232 Ack=1217 Win=1049856 Len=0
      19	16.848289	192.168.5.5	192.168.2.5	TLSv1.2	234	Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
      20	16.852019	192.168.2.5	192.168.5.5	TLSv1.2	159	Change Cipher Spec, Encrypted Handshake Message
      21	16.855845	192.168.5.5	192.168.2.5	TLSv1.2	185	Application Data
      22	16.856661	192.168.2.5	192.168.5.5	TLSv1.2	393	Application Data
      23	16.861601	192.168.5.5	192.168.2.5	TLSv1.2	777	Application Data
      24	16.864061	192.168.2.5	192.168.5.5	TLSv1.2	185	Application Data
      25	16.867408	192.168.5.5	192.168.2.5	TCP	52	60132 → 3389 [FIN, ACK] Seq=1272 Ack=1798 Win=1050880 Len=0
      26	16.867652	192.168.2.5	192.168.5.5	TCP	52	3389 → 60132 [ACK] Seq=1798 Ack=1273 Win=64240 Len=0
      27	16.867725	192.168.2.5	192.168.5.5	TCP	52	3389 → 60132 [RST, ACK] Seq=1798 Ack=1273 Win=0 Len=0
      28	16.880864	192.168.5.5	192.168.2.5	TCP	64	60135 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
      29	16.881185	192.168.2.5	192.168.5.5	TCP	64	3389 → 60135 [SYN, ACK, ECN] Seq=0 Ack=1 Win=64000 Len=0 MSS=1460 WS=1 SACK_PERM=1
      30	16.883322	192.168.5.5	192.168.2.5	TCP	52	60135 → 3389 [ACK] Seq=1 Ack=1 Win=1051136 Len=0
      31	16.883713	192.168.5.5	192.168.2.5	TLSv1.2	99	Ignored Unknown Record
      32	16.887822	192.168.2.5	192.168.5.5	TLSv1.2	71	Ignored Unknown Record
      33	16.891909	192.168.5.5	192.168.2.5	TLSv1.2	236	Client Hello
      34	16.898138	192.168.2.5	192.168.5.5	TLSv1.2	1249	Server Hello, Certificate, Server Key Exchange, Server Hello Done
      35	16.916226	192.168.5.5	192.168.2.5	TLSv1.2	234	Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
      36	16.919961	192.168.2.5	192.168.5.5	TLSv1.2	159	Change Cipher Spec, Encrypted Handshake Message
      37	16.923422	192.168.5.5	192.168.2.5	TLSv1.2	185	Application Data
      38	16.924200	192.168.2.5	192.168.5.5	TLSv1.2	393	Application Data
      39	16.929901	192.168.5.5	192.168.2.5	TLSv1.2	777	Application Data
      40	16.932183	192.168.2.5	192.168.5.5	TLSv1.2	185	Application Data
      41	16.935580	192.168.5.5	192.168.2.5	TLSv1.2	249	Application Data
      42	16.936476	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      43	16.939726	192.168.5.5	192.168.2.5	TLSv1.2	585	Application Data
      44	16.941487	192.168.2.5	192.168.5.5	TLSv1.2	249	Application Data
      45	16.943882	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      46	16.944126	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      47	16.944382	192.168.2.5	192.168.5.5	TCP	52	3389 → 60135 [ACK] Seq=2080 Ack=2172 Win=63340 Len=0
      48	16.944554	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      49	16.947219	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      50	16.947641	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      51	16.950432	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      52	16.950855	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      53	16.954016	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      54	16.954427	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      55	16.957187	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      56	16.957614	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      57	16.960235	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      58	16.960641	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      59	16.963642	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      60	16.964067	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      61	16.967184	192.168.5.5	192.168.2.5	TLSv1.2	137	Application Data
      62	16.967611	192.168.2.5	192.168.5.5	TLSv1.2	137	Application Data
      63	16.972713	192.168.5.5	192.168.2.5	TCP	52	60135 → 3389 [ACK] Seq=2767 Ack=2760 Win=1049856 Len=0
      64	16.974487	192.168.5.5	192.168.2.5	TLSv1.2	777	Application Data
      65	16.977958	192.168.2.5	192.168.5.5	TLSv1.2	153	Application Data
      66	16.978010	192.168.2.5	192.168.5.5	TLSv1.2	153	Application Data
      67	16.978343	192.168.2.5	192.168.5.5	TCP	1512	3389 → 60135 [ACK] Seq=2962 Ack=3492 Win=63515 Len=1460 [TCP segment of a reassembled PDU]
      68	16.978467	192.168.2.5	192.168.5.5	TCP	1512	3389 → 60135 [ACK] Seq=4422 Ack=3492 Win=63515 Len=1460 [TCP segment of a reassembled PDU]
      69	16.978580	192.168.2.5	192.168.5.5	TLSv1.2	1233	Application Data
      70	16.980656	192.168.5.5	192.168.2.5	TCP	52	60135 → 3389 [ACK] Seq=3492 Ack=2962 Win=1049856 Len=0
      71	16.980820	192.168.5.5	192.168.2.5	TLSv1.2	153	Application Data
      72	16.980958	192.168.5.5	192.168.2.5	TCP	64	[TCP Dup ACK 70#1] 60135 → 3389 [ACK] Seq=3593 Ack=2962 Win=1049856 Len=0 SLE=5882 SRE=7063
      73	17.000701	192.168.2.5	192.168.5.5	TCP	52	3389 → 60135 [ACK] Seq=7063 Ack=3593 Win=63414 Len=0
      74	17.032165	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      75	17.078965	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      76	17.172551	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      77	17.344165	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      78	17.671773	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      79	18.326986	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      80	19.621829	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      81	22.180181	192.168.2.5	192.168.5.5	TCP	1512	[TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
      82	27.319493	192.168.2.5	192.168.5.5	TCP	52	3389 → 60135 [RST, ACK, CWR] Seq=4422 Ack=3593 Win=0 Len=0
      83	27.321508	192.168.5.5	192.168.2.5	TCP	64	[TCP Dup ACK 70#2] 60135 → 3389 [ACK] Seq=3593 Ack=2962 Win=1049856 Len=0 SLE=5882 SRE=7063
      84	27.321668	192.168.2.5	192.168.5.5	TCP	52	3389 → 60135 [RST] Seq=2962 Win=0 Len=0
      
      

      Can someone help me out?

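The capture in the post already holds the diagnostic, and it can be checked mechanically rather than by eye. The pings and the small TLS records of the RDP handshake cross the tunnel, but every 1460-byte segment the RDP server sends (frames 67 and 68, then the eight retransmissions in frames 74 to 81, spaced with exponential backoff) is never acknowledged: the client keeps answering Ack=2962, while its SACK block (SLE=5882 SRE=7063) shows that the 1181-byte payload of frame 69 did arrive. Loss that depends on segment size, with small packets fine and full-MSS packets gone, is the usual signature of packets larger than the tunnel's path MTU being dropped, which is why "ping works but RDP does not" is such a common IPsec complaint. The Python script below is an added example, not part of the post and not pfSense code, that parses Wireshark summary rows as pasted above and flags flows where full-MSS segments are retransmitted without ever being acknowledged while smaller data gets through. It assumes the default Wireshark column order, the `→` arrow in the port column and the `[TCP Retransmission]`, `Len=`, `SLE=`/`SRE=` and `MSS=` tokens exactly as the post shows them; the embedded sample is a constructed excerpt of the post's own capture (the second RDP connection only).

```python
import re

# Excerpt of the Wireshark summary pasted in the post above (columns: No, Time, Source,
# Destination, Protocol, Length, Info). Constructed sample for this example: only frames
# of the second RDP connection that show the pattern are kept.
SAMPLE = """\
28 16.880864 192.168.5.5 192.168.2.5 TCP 64 60135 → 3389 [SYN, ECN, CWR] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
29 16.881185 192.168.2.5 192.168.5.5 TCP 64 3389 → 60135 [SYN, ACK, ECN] Seq=0 Ack=1 Win=64000 Len=0 MSS=1460 WS=1 SACK_PERM=1
67 16.978343 192.168.2.5 192.168.5.5 TCP 1512 3389 → 60135 [ACK] Seq=2962 Ack=3492 Win=63515 Len=1460 [TCP segment of a reassembled PDU]
68 16.978467 192.168.2.5 192.168.5.5 TCP 1512 3389 → 60135 [ACK] Seq=4422 Ack=3492 Win=63515 Len=1460 [TCP segment of a reassembled PDU]
69 16.978580 192.168.2.5 192.168.5.5 TLSv1.2 1233 Application Data
70 16.980656 192.168.5.5 192.168.2.5 TCP 52 60135 → 3389 [ACK] Seq=3492 Ack=2962 Win=1049856 Len=0
72 16.980958 192.168.5.5 192.168.2.5 TCP 64 [TCP Dup ACK 70#1] 60135 → 3389 [ACK] Seq=3593 Ack=2962 Win=1049856 Len=0 SLE=5882 SRE=7063
74 17.032165 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
75 17.078965 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
76 17.172551 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
77 17.344165 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
78 17.671773 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
79 18.326986 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
80 19.621829 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
81 22.180181 192.168.2.5 192.168.5.5 TCP 1512 [TCP Retransmission] 3389 → 60135 [ACK] Seq=2962 Ack=3593 Win=63414 Len=1460
82 27.319493 192.168.2.5 192.168.5.5 TCP 52 3389 → 60135 [RST, ACK, CWR] Seq=4422 Ack=3593 Win=0 Len=0
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
PORT_RE = re.compile(r"(\d+)\s*(?:→|->)\s*(\d+)")  # "60135 → 3389" inside the Info column


def _num(info, name):
    """Integer value of a 'Name=123' token in the Info column, or None if absent."""
    m = re.search(rf"\b{name}=(\d+)", info)
    return int(m.group(1)) if m else None


def parse(text):
    """Turn summary rows into dicts; rows without ports (the TLS rows) get sport/dport=None."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # column header, blank line or anything that is not a frame row
        no, _t, src, dst, _proto, _length, info = m.groups()
        pm = PORT_RE.search(info)
        frames.append({"no": int(no), "src": src, "dst": dst,
                       "sport": int(pm.group(1)) if pm else None,
                       "dport": int(pm.group(2)) if pm else None,
                       "seq": _num(info, "Seq"), "ack": _num(info, "Ack"), "len": _num(info, "Len"),
                       "sle": _num(info, "SLE"), "sre": _num(info, "SRE"), "mss": _num(info, "MSS"),
                       "retrans": "[TCP Retransmission]" in info})
    return frames


def _acked(seg, reverse):
    """True if a later frame from the peer covers the segment, cumulatively or in a SACK block."""
    end = seg["seq"] + seg["len"]
    for g in reverse:
        if g["no"] <= seg["no"]:
            continue
        if (g["ack"] is not None and g["ack"] >= end) or \
           (g["sle"] is not None and g["sle"] <= seg["seq"] and g["sre"] >= end):
            return True
    return False


def summarize(text):
    """Per directed TCP flow: retransmissions, delivered vs. undelivered payload sizes, peer MSS."""
    by_flow = {}
    for f in parse(text):
        if f["sport"] is not None and f["seq"] is not None:
            by_flow.setdefault((f["src"], f["sport"], f["dst"], f["dport"]), []).append(f)
    result = {}
    for (src, sport, dst, dport), segs in by_flow.items():
        reverse = by_flow.get((dst, dport, src, sport), [])
        s = {"retransmissions": 0, "delivered_max": 0, "undelivered_min": None,
             "sacked_max": 0, "peer_mss": None}
        for g in reverse:
            if g["mss"] is not None:
                s["peer_mss"] = g["mss"]  # the receiver's SYN announces the segment size it accepts
            if g["sle"] is not None:      # a SACK block proves which out-of-order data did arrive
                s["sacked_max"] = max(s["sacked_max"], g["sre"] - g["sle"])
        for f in segs:
            s["retransmissions"] += int(f["retrans"])
            if not f["len"]:
                continue  # pure ACK, SYN or RST: nothing to deliver
            if _acked(f, reverse):
                s["delivered_max"] = max(s["delivered_max"], f["len"])
            elif s["undelivered_min"] is None or f["len"] < s["undelivered_min"]:
                s["undelivered_min"] = f["len"]
        result[f"{src}:{sport}->{dst}:{dport}"] = s
    return result


def diagnose(text):
    """Flag flows where big segments are retransmitted and never acknowledged while smaller data arrives."""
    findings = {}
    for key, s in summarize(text).items():
        small_ok, big_lost = max(s["delivered_max"], s["sacked_max"]), s["undelivered_min"]
        if s["retransmissions"] and big_lost and small_ok and small_ok < big_lost:
            findings[key] = {"retransmissions": s["retransmissions"], "lost_len": big_lost,
                             "largest_delivered": small_ok, "full_mss": big_lost == s["peer_mss"]}
    return findings
```

On the excerpt, `diagnose(SAMPLE)` reports the server-to-client flow `192.168.2.5:3389->192.168.5.5:60135` with eight retransmissions of a 1460-byte segment, 1181 bytes as the largest payload the peer confirmed, and `full_mss: True` because 1460 is exactly the MSS the client announced in its SYN. To run it on a complete trace, paste the whole summary pane into `SAMPLE` in place of the excerpt. When the result looks like this, the check a practitioner makes before touching phase 1 or phase 2 parameters is the effective MTU inside the tunnel: send pings with the don't-fragment bit set at increasing sizes between the two LAN hosts (`ping -f -l <size>` on Windows, `ping -M do -s <size>` on Linux) and see where they stop. The usual remedy is MSS clamping on the VPN traffic so that endpoints never build segments the encapsulated path cannot carry; pfSense has an MSS clamping setting for IPsec traffic on the VPN > IPsec > Advanced Settings page.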

      © 2021 Rubicon Communications, LLC | Privacy Policy