VPN IPsec tunnel phase 2 shows 0 bytes of data
-
Hello Team,
We tried to create an IPsec tunnel between my home and workshop so that I can look at the video camera of my house from my workshop.
Earlier I had pfSense 2.3.5, where I didn't face such an issue; it's after upgrading to pfSense 2.4.5 that my tunnels are showing strange behavior.
The Phase 2 entry of the IPsec VPN tunnel stats shows packets-out of 0 kB from home, and from the workstation it shows 0 kB packets-in. It's an IPsec tunnel configured using encryption algorithm "AES" with hash algorithm SHA256 and PFS key group 2 (1024-bit).
Traffic does not flow in one direction. For example, packets_in on one side shows 0 bytes, whereas packets_out on the remote end shows 0 bytes received. Please note that every time I tried to connect I got the same response; when I restart the charon service, traffic starts to flow, but that only works sometimes.
Is there anything I can do, as I am facing this issue in 2.4.5? Earlier, in 2.3.5, it did not happen.
-
I assume you do see traffic the other way and at both ends?
Is it all traffic that fails or just the video stream? Can you ping across it for example? From either end?
Do you have firewall rules with policy routing?
Do you see states opened correctly at both ends?
Steve
-
@stephenw10
We see the traffic from one side only; on the other end, the traffic of the other firewall is 0 bytes. A single firewall is throwing the traffic, which is getting received. It looks like the other firewall doesn't want to throw its packets out.
Nothing is getting access or ping. It seems like the tunnels are connected, but when we look at the phase 2 entry, the traffic of one firewall is flowing, while the other firewall's traffic is neither sent out at its end nor received from the other side.
We do have the firewall rules and policy routing in place; as I mentioned, if we restart the charon service, it works.
Once we restart the IPsec and charon services, the traffic in the phase 2 tunnel starts showing, and we do see the traffic in the firewall states.
-
Ah OK you don't see any packets arriving either.
Do you have DPD enabled?
Do the SPIs match on both ends when it is not passing traffic?
Check in Status > IPSec > SADs
Steve
-
@stephenw10
DPD is enabled at both ends, but we checked that the SPIs do not match.
-
Hard to see how DPD would be succeeding if the SPIs do not match.
But check logs. One side is clearly re-keying without deleting the old SPIs for some reason.
Steve
-
@stephenw10
We looked into the SAD entries and there were some entries with 0 bytes of data. We tried to delete these manually, but the entries did not get deleted because of a PHP code error. After fixing that, we were able to delete these entries manually.
Please let us know what the exact behavior should be and how it relates to our issue so that we can look into this further.
Are these entries supposed to be deleted automatically? Thank you, looking forward to your valuable response.
-
You found a php code error in the IPSec status page? Or some backend script?
Did you open a bug report? Submit a pull request?
Steve
-
@stephenw10
In the future we will submit a pull request, but as of now we are mainly focusing on fixing this issue. Can you please let us know about the actual behavior of SAD entries? When we tried to delete the SAD entries from the SAD entries page, it did not work. We found a bug in the delete functionality.
-
When child SAs are re-keyed, a new SA is created and the old one removed. In some setups the old SA is not removed but will expire at the end of its lifetime. That can lead to several child SAs being shown for the same connection, but only the most recent should ever be carrying traffic. That is not normally an issue.
If you are seeing the most recent SAs with zero packets incoming that seems far more likely to be a problem in the route.
Steve
-
@stephenw10
Thank you for your feedback. I just want to confirm one thing: if there is an issue with the route, is it possible for VPN tunnels to stay connected but send or receive 0 bytes of data/packets?
In our case, the tunnels are displayed as connected, but there is no packet transfer.
-
If DPD is enabled then the P1 will not stay up if the route between the endpoints is interrupted.
However, if your tunnels are not using NAT-T then the P2 traffic will be ESP directly, and it is possible for that to be blocked, resulting in the tunnel establishing (over UDP port 500) but not passing traffic.
Steve
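The checks Steve asks for in this thread (do the SPIs match on both ends, is an old child SA lingering after a rekey, is ESP leaving one end but never arriving at the other) can be scripted once both ends' SAD listings are in hand. The following is an added example written for this thread, not code from pfSense or from anyone in the discussion. It assumes each end's SAD has been reduced to one line per child SA with a constructed `reqid= spi_in= spi_out= bytes_in= bytes_out= age=` format; the real Status > IPsec > SADs page (or `setkey -D`) prints something different, so the parser would need adapting. The sample listings are constructed to mirror the symptom described above: home sends but the workshop receives nothing and sends nothing.

```python
"""Cross-check IPsec child SAs from both ends of a tunnel.

Added diagnostic example, not pfSense code. The SAD line format below is
constructed for this example; adapt parse_sad() to the real SAD output.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# One child SA per line (constructed format, not the real pfSense/setkey output).
SAD_LINE = re.compile(
    r"reqid=(?P<reqid>\d+)\s+spi_in=(?P<spi_in>0x[0-9a-f]+)\s+spi_out=(?P<spi_out>0x[0-9a-f]+)"
    r"\s+bytes_in=(?P<bytes_in>\d+)\s+bytes_out=(?P<bytes_out>\d+)\s+age=(?P<age>\d+)"
)

# Constructed sample listings that reproduce the symptom in the thread.
HOME_SAD = """
# stale SA left over from a rekey, then the current one
reqid=1 spi_in=0x0a1b2c3d spi_out=0x4e5f6071 bytes_in=0 bytes_out=0 age=900
reqid=1 spi_in=0xc1a2b3c4 spi_out=0xd4e5f6a7 bytes_in=0 bytes_out=48120 age=120
"""
WORKSHOP_SAD = """
reqid=1 spi_in=0xd4e5f6a7 spi_out=0xc1a2b3c4 bytes_in=0 bytes_out=0 age=118
"""


@dataclass(frozen=True)
class ChildSA:
    reqid: int
    spi_in: str
    spi_out: str
    bytes_in: int
    bytes_out: int
    age: int  # seconds since the SA was installed; smaller means newer


def parse_sad(text):
    """Parse the constructed SAD format into ChildSA records."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAD_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised SAD line: {line!r}")
        sas.append(ChildSA(int(m["reqid"]), m["spi_in"], m["spi_out"],
                           int(m["bytes_in"]), int(m["bytes_out"]), int(m["age"])))
    return sas


def newest_per_reqid(sas):
    """Only the most recent child SA per reqid should carry traffic."""
    groups = defaultdict(list)
    for sa in sas:
        groups[sa.reqid].append(sa)
    return {reqid: min(group, key=lambda s: s.age) for reqid, group in groups.items()}


def check_tunnel(local_text, remote_text):
    """Return (severity, message) findings for one tunnel seen from both ends."""
    findings = []
    local, remote = parse_sad(local_text), parse_sad(remote_text)
    newest_local, newest_remote = newest_per_reqid(local), newest_per_reqid(remote)

    # Old SAs lingering after a rekey: normal, they expire at end of lifetime.
    for side, sas, newest in (("local", local, newest_local), ("remote", remote, newest_remote)):
        for sa in sas:
            if sa is not newest[sa.reqid]:
                findings.append(("info", f"{side} reqid {sa.reqid}: stale child SA "
                                         f"{sa.spi_in}/{sa.spi_out} left after rekey; expires with its lifetime"))

    for reqid, l in newest_local.items():
        r = newest_remote.get(reqid)
        if r is None:
            findings.append(("error", f"reqid {reqid}: no child SA on the remote end"))
            continue
        # The SPI one end sends with must be the SPI the other end expects to receive.
        if l.spi_out != r.spi_in or l.spi_in != r.spi_out:
            findings.append(("error", f"reqid {reqid}: SPI mismatch (local out {l.spi_out}, remote in "
                                      f"{r.spi_in}); one side re-keyed without the other dropping the old SA"))
            continue
        # SPIs agree, so missing counters point at the path or the routing, not the SA.
        if l.bytes_out > 0 and r.bytes_in == 0:
            findings.append(("warning", f"reqid {reqid}: local sends ESP ({l.bytes_out} B) but remote receives "
                                        f"none; ESP (IP proto 50) or NAT-T UDP/4500 blocked local->remote"))
        if r.bytes_out > 0 and l.bytes_in == 0:
            findings.append(("warning", f"reqid {reqid}: remote sends ESP ({r.bytes_out} B) but local receives "
                                        f"none; ESP (IP proto 50) or NAT-T UDP/4500 blocked remote->local"))
        if l.bytes_out == 0:
            findings.append(("warning", f"reqid {reqid}: local sends nothing; check routes/policy-routing rules"))
        if r.bytes_out == 0:
            findings.append(("warning", f"reqid {reqid}: remote sends nothing; check routes/policy-routing rules"))
    return findings


if __name__ == "__main__":
    for severity, message in check_tunnel(HOME_SAD, WORKSHOP_SAD):
        print(f"[{severity}] {message}")
```

Run against the constructed listings it reports the stale home SA as informational, then flags that home's ESP never reaches the workshop and that the workshop sends nothing at all; that separates the harmless leftover-SA case Steve describes from the blocked-ESP or routing problem he suspects.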