Netgate Discussion Forum
    Active Phase 2s do not match traffic flowing across tunnel

    IPsec
    1 Posts 1 Posters 187 Views

      omber, last edited by omber

      tl;dr: When I ping a host across two IPSEC tunnels, the active Phase 2s do not match the source IP, but the state in the States table does.

      I have three "locations" connected via IPSEC:

      AWS VPC <---> Office <---> Vendor

      • AWS VPC: 172.31.0.0/16
        • Uses AWS VPN Tunnel (probably the same IPSEC daemon that pfSense uses; no access to logs)
        • Route: 172.16.0.0/16 via Office IPSEC Tunnel
        • Route: 31.0.10.11/32 via Office IPSEC Tunnel
      • Office: 172.16.0.0/16
        • pfSense
        • Route: 172.31.0.0/16 via AWS IPSEC Tunnel
        • Route: 41.0.10.11/32 via Vendor IPSEC Tunnel
          • Vendor IPSEC Tunnel NATs our requests to 192.168.1.1/32
      • Vendor: 41.0.10.11/32
        • Cisco ASA
        • Route: 192.168.1.1/32 via Office IPSEC Tunnel

      I have two hosts:

      • Office: 172.16.10.41
      • AWS: 172.31.29.196

      If I ping from Office 172.16.10.41 to 41.0.10.11:

      • I see correct Phase 2 come up on Office pfSense from 172.16.0.0/16 to 41.0.10.11/32
      • I see appropriate state under Diagnostics > States

      If I ping from AWS 172.31.29.196 to 172.16.10.41:

      • I see correct Phase 2 come up on Office pfSense from 172.31.0.0/16 to 172.16.0.0/16
      • I see appropriate state under Diagnostics > States

      If I ping from AWS 172.31.29.196 to 41.0.10.11, though, it gets weird:

      • Ping succeeds
      • Correct state is present in States table
      • Incorrect Phase 2 is shown as active: 172.16.0.0/16 (Office not AWS) to 41.0.11.10/32
      • I can see Traffic counters increasing on this Phase 2 entry
      • AWS Phase 2 172.31.0.0/16 to 41.0.11.10/32 does not activate
      • If I stop the ping, the traffic counters stop increasing
      • In the IPSEC log I can see a CHILD_SA being created for the Office subnet via NAT to the Vendor IP, which does not match the states:
        • 15[IKE] <con4000|2624> CHILD_SA con4001{35063} established with SPIs cbdd9379_i abc05d77_o and TS 192.168.1.1/32|172.16.0.0/16 === 41.0.11.10/32|/0

      Arguably, it works, so I could ignore it, but the behavior does not make sense. 172.16.0.0/16 does not overlap with 172.31.0.0/16. So why is it doing this?

      pfSense is 2.4.4-RELEASE-p1 on a QEMU VM.

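A small checker for the kind of mismatch described in the post, added here as an example and not part of the original thread or of pfSense. It parses the strongSwan `CHILD_SA ... established ... TS` log line quoted above into local and remote traffic selectors, then reports which CHILD_SA a given flow would match, once with the packet's original source and once with the source rewritten by an outbound NAT. The second log line (the AWS-to-Office SA), the connection names `con2001`/`con4001` as parsed, and the mapping of the AWS source to 192.168.1.1 are constructed assumptions for the demo; the `/0` token in the quoted line is kept as an unparsed selector because its meaning is not established on this page. Comparing the pre-NAT and post-NAT results is a way to confirm whether the Phase 2 that shows traffic is the one whose selectors the NATed packet actually lands in.

```python
import ipaddress
import re

# Constructed sample log. The first line is the one quoted in the post; the
# second is an assumed line for the AWS<->Office SA, written in the same format.
SAMPLE_LOG = [
    "15[IKE] <con4000|2624> CHILD_SA con4001{35063} established with SPIs "
    "cbdd9379_i abc05d77_o and TS 192.168.1.1/32|172.16.0.0/16 === 41.0.11.10/32|/0",
    "07[IKE] <con2000|17> CHILD_SA con2001{35064} established with SPIs "
    "11111111_i 22222222_o and TS 172.16.0.0/16 === 172.31.0.0/16",
]

# CHILD_SA <name>{<reqid>} established with SPIs <in>_i <out>_o and TS <local> === <remote>
CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>[^{\s]+)\{(?P<reqid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<local>\S+) === (?P<remote>\S+)"
)


def parse_selectors(field):
    """Split a '|'-separated traffic-selector list into networks plus any
    tokens that are not a CIDR (e.g. the '/0' printed in the quoted line)."""
    nets, unparsed = [], []
    for tok in field.split("|"):
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            unparsed.append(tok)
    return nets, unparsed


def parse_child_sa(line):
    """Return a dict describing the CHILD_SA in one log line, or None."""
    m = CHILD_SA_RE.search(line)
    if not m:
        return None
    local, local_raw = parse_selectors(m["local"])
    remote, remote_raw = parse_selectors(m["remote"])
    return {
        "name": m["name"],
        "reqid": int(m["reqid"]),
        "spi_in": m["spi_in"],
        "spi_out": m["spi_out"],
        "local": local,
        "remote": remote,
        "unparsed": local_raw + remote_raw,
    }


def matching_sas(sas, src, dst):
    """Names of CHILD_SAs whose local TS covers src and remote TS covers dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [
        sa["name"]
        for sa in sas
        if any(s in n for n in sa["local"]) and any(d in n for n in sa["remote"])
    ]


def trace_flow(sas, src, dst, nat_src=None):
    """Show which SAs a flow matches before and (if nat_src is given) after an
    outbound source NAT. nat_src is an assumption supplied by the caller."""
    result = {"pre_nat": matching_sas(sas, src, dst)}
    if nat_src is not None:
        result["post_nat"] = matching_sas(sas, nat_src, dst)
    return result


if __name__ == "__main__":
    sas = [sa for sa in map(parse_child_sa, SAMPLE_LOG) if sa]
    for sa in sas:
        print(sa["name"], "local", [str(n) for n in sa["local"]],
              "remote", [str(n) for n in sa["remote"]], "unparsed", sa["unparsed"])
    # Office host to vendor: matches the Office<->Vendor SA directly.
    print(trace_flow(sas, "172.16.10.41", "41.0.11.10"))
    # AWS host to vendor: matches nothing by its real source, but lands on the
    # Office<->Vendor SA once the source is rewritten to 192.168.1.1 (assumed NAT).
    print(trace_flow(sas, "172.31.29.196", "41.0.11.10", nat_src="192.168.1.1"))
```

Run it as-is to see the parsed selectors and the two traces; substitute your own `CHILD_SA ... established` lines from the IPsec log and the NAT address from the Phase 2's NAT/BINAT setting to check a real tunnel.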
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.