Access Opt1 network from different subnets
-
Ohhh.. I forgot that you have two tunnels… it's impossible to say whether an ESP packet belongs to the first tunnel or to the second.
What about the setkey commands' output?
-
pfsense1 - 10.25.18.0
setkey -D
74.192.197.63 74.197.181.236
esp mode=any spi=60471947(0x039aba8b) reqid=16391(0x00004007)
E: 3des-cbc 6e0b248a c6e085cc 60d2c785 89fa6591 6e7f1285 e4fbb0d8
A: hmac-sha1 9923d945 c4b2010d 69f84b9e 4b749689 757d22db
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:48:57 2009
diff: 19(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=27536 refcnt=1
74.192.197.63 74.197.181.236
esp mode=any spi=233187485(0x0de6289d) reqid=16391(0x00004007)
E: 3des-cbc 2edfdf2c 64a2d7c3 bdb43c01 2216f7ed b190d2c6 67ca09b4
A: hmac-sha1 cfc0db0d b2f053d5 794d1f09 16cbd88b 405515e0
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:48:57 2009
diff: 24(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:38 2009 hard: 0(s) soft: 0(s)
current: 112(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=8 pid=27536 refcnt=2
74.192.197.63 74.197.181.236
esp mode=any spi=221953858(0x0d3abf42) reqid=16393(0x00004009)
E: 3des-cbc af3484af c3fb45be 1351f357 c6c45f15 f79e1505 01aa72e3
A: hmac-sha1 6a24a389 87a9de65 9b055c45 215aacfe 9a1dbc7c
seq=0x000001d3 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:48:57 2009
diff: 50(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:55 2009 hard: 0(s) soft: 0(s)
current: 129416(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 467 hard: 0 soft: 0
sadb_seq=7 pid=27536 refcnt=2
74.197.181.236 74.192.197.63
esp mode=tunnel spi=201338668(0x0c002f2c) reqid=16394(0x0000400a)
E: 3des-cbc f3890148 ec257e0d ceead7f4 57d4855a 2f86672d 82eb2ebd
A: hmac-sha1 5b7b5b75 25e7dc9e 340d5e19 c29c8500 658f5fa8
seq=0x00000191 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:48:57 2009
diff: 50(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:55 2009 hard: 0(s) soft: 0(s)
current: 94969(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 401 hard: 0 soft: 0
sadb_seq=6 pid=27536 refcnt=1
74.197.181.236 74.192.197.63
esp mode=tunnel spi=41187146(0x0274774a) reqid=16392(0x00004008)
E: 3des-cbc 493c8031 7c7027cf 34100863 715a81ef 709dcd21 d9591056
A: hmac-sha1 ef30bdca affca9de 10f0e2b1 441e3427 a4d83664
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:48:57 2009
diff: 19(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=5 pid=27536 refcnt=1
74.197.181.236 74.192.197.63
esp mode=tunnel spi=30718151(0x01d4b8c7) reqid=16392(0x00004008)
E: 3des-cbc 127ffe1a 2b3b6f72 fc1ecebc cb3d9d30 acc1402d 91828761
A: hmac-sha1 d45da5dd 66447eeb 0ac952f5 a59c0b7a eddd710b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:48:57 2009
diff: 24(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=4 pid=27536 refcnt=1
74.192.197.63 75.9.221.112
esp mode=any spi=3234821474(0xc0cf7562) reqid=16387(0x00004003)
E: 3des-cbc a2293efa 07a9fef0 8719a944 25688c60 284a672b 67645902
A: hmac-sha1 813dab38 2e3fa9bb 451d4ebc 2d4a5883 1a34789b
seq=0x0000a643 replay=4 flags=0x00000000 state=mature
created: May 23 10:28:26 2009 current: May 23 13:48:57 2009
diff: 12031(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:51 2009 hard: 0(s) soft: 0(s)
current: 13826576(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 42563 hard: 0 soft: 0
sadb_seq=3 pid=27536 refcnt=2
75.9.221.112 74.192.197.63
esp mode=tunnel spi=115498621(0x06e25e7d) reqid=16388(0x00004004)
E: 3des-cbc 572de107 9721aa59 b4d5c757 669538cf 64e20d38 8442723a
A: hmac-sha1 c737669f a260ba62 f8643bca 20ef0e24 d5740cf1
seq=0x00009377 replay=4 flags=0x00000000 state=mature
created: May 23 10:28:26 2009 current: May 23 13:48:57 2009
diff: 12031(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:51 2009 hard: 0(s) soft: 0(s)
current: 6794020(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 37751 hard: 0 soft: 0
sadb_seq=2 pid=27536 refcnt=1
74.192.197.63 74.192.216.72
esp mode=any spi=89425175(0x05548517) reqid=16389(0x00004005)
E: 3des-cbc 352c7456 1735fd46 849d4307 b35dc1e5 ebc47391 ca397dba
A: hmac-sha1 ee096c0a 5ffa6af0 f1e23349 4584ab9a bfc03cea
seq=0x0000a205 replay=4 flags=0x00000000 state=mature
created: May 23 10:25:59 2009 current: May 23 13:48:57 2009
diff: 12178(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:50 2009 hard: 0(s) soft: 0(s)
current: 13297208(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 41477 hard: 0 soft: 0
sadb_seq=1 pid=27536 refcnt=2
74.192.216.72 74.192.197.63
esp mode=tunnel spi=62317237(0x03b6e2b5) reqid=16390(0x00004006)
E: 3des-cbc 1df63d33 a1acdccb 8d717591 8af05130 b8d7065e fa9aee41
A: hmac-sha1 862c82d7 6b06e932 f3eadd64 ca5592a7 580e6275
seq=0x00008db4 replay=4 flags=0x00000000 state=mature
created: May 23 10:25:59 2009 current: May 23 13:48:57 2009
diff: 12178(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:50 2009 hard: 0(s) soft: 0(s)
current: 6393009(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 36276 hard: 0 soft: 0
sadb_seq=0 pid=27536 refcnt=1
setkey -DP
10.25.18.0/24[any] 10.25.18.254[any] any
in none
spid=1 seq=9 pid=27643
refcnt=1
10.25.20.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/75.9.221.112-74.192.197.63/unique#16388
spid=6 seq=8 pid=27643
refcnt=1
10.25.21.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.192.216.72-74.192.197.63/unique#16390
spid=8 seq=7 pid=27643
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16392
spid=10 seq=6 pid=27643
refcnt=1
10.25.19.0/24[any] 10.25.18.0/24[any] any
in ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16394
spid=12 seq=5 pid=27643
refcnt=1
10.25.18.254[any] 10.25.18.0/24[any] any
out none
spid=2 seq=4 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.20.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-75.9.221.112/unique#16387
spid=5 seq=3 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.21.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.192.216.72/unique#16389
spid=7 seq=2 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16391
spid=9 seq=1 pid=27643
refcnt=1
10.25.18.0/24[any] 10.25.19.0/24[any] any
out ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16393
spid=11 seq=0 pid=27643
refcnt=1
– -- -- -- --
pfsense2 - 10.25.19.0 & 10.25.22.0
setkey -D
74.197.181.236 74.192.197.63
esp mode=any spi=41187146(0x0274774a) reqid=16401(0x00004011)
E: 3des-cbc 493c8031 7c7027cf 34100863 715a81ef 709dcd21 d9591056
A: hmac-sha1 ef30bdca affca9de 10f0e2b1 441e3427 a4d83664
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:50:38 2009
diff: 120(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=9 pid=26490 refcnt=1
74.192.197.63 74.197.181.236
esp mode=tunnel spi=60471947(0x039aba8b) reqid=16402(0x00004012)
E: 3des-cbc 6e0b248a c6e085cc 60d2c785 89fa6591 6e7f1285 e4fbb0d8
A: hmac-sha1 9923d945 c4b2010d 69f84b9e 4b749689 757d22db
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:38 2009 current: May 23 13:50:38 2009
diff: 120(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=8 pid=26490 refcnt=1
74.197.181.236 74.192.197.63
esp mode=any spi=30718151(0x01d4b8c7) reqid=16399(0x0000400f)
E: 3des-cbc 127ffe1a 2b3b6f72 fc1ecebc cb3d9d30 acc1402d 91828761
A: hmac-sha1 d45da5dd 66447eeb 0ac952f5 a59c0b7a eddd710b
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:50:38 2009
diff: 125(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=7 pid=26490 refcnt=1
74.192.197.63 74.197.181.236
esp mode=tunnel spi=233187485(0x0de6289d) reqid=16400(0x00004010)
E: 3des-cbc 2edfdf2c 64a2d7c3 bdb43c01 2216f7ed b190d2c6 67ca09b4
A: hmac-sha1 cfc0db0d b2f053d5 794d1f09 16cbd88b 405515e0
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:33 2009 current: May 23 13:50:38 2009
diff: 125(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:48:38 2009 hard: 0(s) soft: 0(s)
current: 80(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=6 pid=26490 refcnt=1
74.197.181.236 75.9.221.112
esp mode=any spi=3379262788(0xc96b7544) reqid=16397(0x0000400d)
E: 3des-cbc 04e34d8b 33d1dfaf 144ebfbe fe894aec 2a9176d8 dca69d10
A: hmac-sha1 c2cb6e07 c69f0e0d 38384cac 9bbc80a5 e45689ef
seq=0x00000e90 replay=4 flags=0x00000000 state=mature
created: May 23 09:48:48 2009 current: May 23 13:50:38 2009
diff: 14510(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:49:43 2009 hard: 0(s) soft: 0(s)
current: 848464(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3728 hard: 0 soft: 0
sadb_seq=5 pid=26490 refcnt=2
75.9.221.112 74.197.181.236
esp mode=tunnel spi=127481662(0x0799373e) reqid=16398(0x0000400e)
E: 3des-cbc 44ac5d5b 858c76b0 5d9ac25e b3b0256c 1a2b6551 7283f422
A: hmac-sha1 d14f3d7e f9616234 1ecd270e 067a89dd 514aa3a8
seq=0x0000113c replay=4 flags=0x00000000 state=mature
created: May 23 09:48:48 2009 current: May 23 13:50:38 2009
diff: 14510(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:49:43 2009 hard: 0(s) soft: 0(s)
current: 1065056(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4412 hard: 0 soft: 0
sadb_seq=4 pid=26490 refcnt=1
74.197.181.236 74.192.197.63
esp mode=any spi=201338668(0x0c002f2c) reqid=16391(0x00004007)
E: 3des-cbc f3890148 ec257e0d ceead7f4 57d4855a 2f86672d 82eb2ebd
A: hmac-sha1 5b7b5b75 25e7dc9e 340d5e19 c29c8500 658f5fa8
seq=0x000004e6 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:50:39 2009
diff: 152(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 276064(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1254 hard: 0 soft: 0
sadb_seq=3 pid=26490 refcnt=2
74.192.197.63 74.197.181.236
esp mode=tunnel spi=221953858(0x0d3abf42) reqid=16392(0x00004008)
E: 3des-cbc af3484af c3fb45be 1351f357 c6c45f15 f79e1505 01aa72e3
A: hmac-sha1 6a24a389 87a9de65 9b055c45 215aacfe 9a1dbc7c
seq=0x000005b4 replay=4 flags=0x00000000 state=mature
created: May 23 13:48:07 2009 current: May 23 13:50:39 2009
diff: 152(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 369919(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1460 hard: 0 soft: 0
sadb_seq=2 pid=26490 refcnt=1
74.197.181.236 74.192.216.72
esp mode=any spi=134029274(0x07fd1fda) reqid=16395(0x0000400b)
E: 3des-cbc c082eca1 8e191556 7bb56e70 7ef2672b 47ee316d 94086086
A: hmac-sha1 4346247e 220ffd8c d193751f 6315b637 7a8d5672
seq=0x00001025 replay=4 flags=0x00000000 state=mature
created: May 23 10:16:13 2009 current: May 23 13:50:39 2009
diff: 12866(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 1000728(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4133 hard: 0 soft: 0
sadb_seq=1 pid=26490 refcnt=2
74.192.216.72 74.197.181.236
esp mode=tunnel spi=118067582(0x0709917e) reqid=16396(0x0000400c)
E: 3des-cbc 6975ebe4 202a4a7b 6afe7045 273f20d3 ff0af353 7498bd43
A: hmac-sha1 34bcc40e 0727fe3d c567b6e1 67f3e3fa 4c7210c8
seq=0x000011e1 replay=4 flags=0x00000000 state=mature
created: May 23 10:16:13 2009 current: May 23 13:50:39 2009
diff: 12866(s) hard: 28800(s) soft: 23040(s)
last: May 23 13:50:38 2009 hard: 0(s) soft: 0(s)
current: 1118602(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4577 hard: 0 soft: 0
sadb_seq=0 pid=26490 refcnt=1
setkey -DP
10.25.19.0/24[any] 10.25.19.254[any] any
in none
spid=7 seq=11 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16392
spid=10 seq=10 pid=26869
refcnt=1
10.25.21.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/74.192.216.72-74.197.181.236/unique#16396
spid=14 seq=9 pid=26869
refcnt=1
10.25.20.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/75.9.221.112-74.197.181.236/unique#16398
spid=16 seq=8 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16400
spid=18 seq=7 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16402
spid=20 seq=6 pid=26869
refcnt=1
10.25.19.254[any] 10.25.19.0/24[any] any
out none
spid=8 seq=5 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16391
spid=9 seq=4 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.21.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.216.72/unique#16395
spid=13 seq=3 pid=26869
refcnt=1
10.25.19.0/24[any] 10.25.20.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-75.9.221.112/unique#16397
spid=15 seq=2 pid=26869
refcnt=1
10.25.22.0[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16399
spid=17 seq=1 pid=26869
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16401
spid=19 seq=0 pid=26869
refcnt=1
I think that is everything. It shows the tunnels are all connected, but I cannot ping 10.25.22.254 from the 10.25.18.0 subnet. I can ping every other subnet but that one.
-
That is weird, why would you have this tunnel?
@reynolwi:
pfsense1 - 10.25.18.0
setkey -DP
10.25.18.0/24[any] 10.25.18.254[any] any
in none
spid=1 seq=9 pid=27643
refcnt=1
10.25.18.254[any] 10.25.18.0/24[any] any
out none
spid=2 seq=4 pid=27643
refcnt=1
And this is weird, again - what is it?
@reynolwi:
– -- -- -- --
pfsense2 - 10.25.19.0 & 10.25.22.0
setkey -DP
10.25.19.0/24[any] 10.25.19.254[any] any
in none
spid=7 seq=11 pid=26869
refcnt=1
10.25.19.254[any] 10.25.19.0/24[any] any
out none
spid=8 seq=5 pid=26869
refcnt=1
But your problem with pings may be here:
@reynolwi:
10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16400
spid=18 seq=7 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16402
spid=20 seq=6 pid=26869
refcnt=1
10.25.22.0[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16399
spid=17 seq=1 pid=26869
refcnt=1
10.25.22.0/24[any] 10.25.18.0/24[any] any
out ipsec
esp/tunnel/74.197.181.236-74.192.197.63/unique#16401
spid=19 seq=0 pid=26869
refcnt=1
It seems at pfSense2 you have two tunnels interconnecting the same networks. The simplest thing you can do now - restart ipsec at pfSense2.
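The check made by eye in the reply above (two policies covering the same networks) can be scripted. This is an added example, not part of the original thread: a Python parser for `setkey -DP` text that reports IPsec policies in the same direction whose source and destination selectors overlap. The sample input is copied from the pfsense2 output posted above in the flattened form the forum shows; the function names are this example's own.

```python
import ipaddress
import re
from itertools import combinations

# Sample input: three pfsense2 "in" policies as the thread shows them (flattened).
SAMPLE_SPD = """\
10.25.18.0/24[any] 10.25.19.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16392
spid=10 seq=10 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16400
spid=18 seq=7 pid=26869
refcnt=1
10.25.18.0/24[any] 10.25.22.0/24[any] any
in ipsec
esp/tunnel/74.192.197.63-74.197.181.236/unique#16402
spid=20 seq=6 pid=26869
refcnt=1
"""

SELECTOR = re.compile(r"^(\S+?)\[\S+\]\s+(\S+?)\[\S+\]\s+\S+$")
TUNNEL = re.compile(r"^esp/tunnel/(\S+)-(\S+)/unique#(\d+)$")

def parse_spd(text):
    """Parse `setkey -DP` text into a list of policy dicts."""
    policies = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SELECTOR.match(line):
            # A selector printed without /len is a single host (/32 for IPv4).
            policies.append({"src": ipaddress.ip_network(m[1], strict=False),
                             "dst": ipaddress.ip_network(m[2], strict=False), "raw": line})
        elif policies and line.startswith(("in ", "out ")):
            policies[-1]["dir"], policies[-1]["type"] = line.split()[:2]
        elif policies and (m := TUNNEL.match(line)):
            policies[-1]["peers"], policies[-1]["reqid"] = (m[1], m[2]), int(m[3])
    return policies

def overlapping_policies(policies):
    """Return pairs of IPsec policies whose selectors overlap in one direction."""
    ipsec = [p for p in policies if p.get("type") == "ipsec"]
    return [(a, b) for a, b in combinations(ipsec, 2)
            if a["dir"] == b["dir"]
            and a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"])]

if __name__ == "__main__":
    for a, b in overlapping_policies(parse_spd(SAMPLE_SPD)):
        print(a["dir"], a["raw"], a["reqid"], "overlaps", b["raw"], b["reqid"])
```

On the sample it flags the pair with reqids 16400 and 16402; the first of the two has a destination selector with no prefix length, so it covers only the single address 10.25.22.0.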
-
I do not know why it seems to have a tunnel to itself. I do not see that in the setup. I did finally get traffic to the 10.25.22.0 subnet, and now the phone traffic is traveling through the IPsec tunnel to the 10.25.18.0 subnet to the PBX server.
I had to reboot both systems and something kicked in, and now I can access the phones' web GUI and the phones registered with the server.