Netgate Discussion Forum

IPsec tunnel established but no traffic - SOLVED!

IPsec
louis-m, posted Jul 19, 2009, 5:27 PM (last edited Jul 20, 2009, 8:29 PM)

Hi,
I've searched through this forum for hours now and still cannot find a resolution.
Basically, our IPsecs are established. We can't, however, get any traffic down them.
Firewall rules are in place:
1. allow all on IPsec interface
2. allow all from LAN to any on LAN interface.

Still, no traffic passes. We have 2 x Drayteks connected to this box (1.2.3-rc2) and when we ping, we see the traffic go out from the Draytek with no reply from the pfSense box. A ping from pfSense to the Drayteks registers nothing. Nothing is being registered in the logs either.
Any ideas?
Cheers
louis
fastcon68, Jul 20, 2009, 12:41 AM

I ran into this before. I had the rules set up but had only TCP selected, and that prevented my traffic from going.

Let's start with a few questions:
1. What protocols are you running?
2. Is it TCP or IP, ICMP or other?
3. I would try creating an ICMP rule and see if that will allow you to ping the other side of the tunnel.
4. Check your rules and make sure that you really have all traffic specified to flow point to point.

This is an example of two rules that allow all traffic:

Proto  Source           Port  Destination      Port  Gateway  Description
*      192.168.xx.0/24  *     192.168.xx.0/24  *     *        xxxx
ICMP   192.168.xx.0/24  *     192.168.xx.0/24  *     *        xxxx

I always add an ICMP rule as a first step in building the rules of my tunnels. It seems to be helpful when adding rules. I also build custom rule sets that are more restrictive.

RC
louis-m, Jul 20, 2009, 5:06 PM

Hi,
I have rules in place that do any protocol, any port, any source & any destination. This is set in IPsec. I've also specified it on the LAN in question so traffic can flow from that LAN via the IPsec to the other LAN.
Still no traffic and no reply from a ping.
If I do a traceroute from the router to the remote's internal subnet, the trace goes out via the WAN and not over the IPsec tunnel. It's as if the routing is wrong.
tdkaps, Jul 20, 2009, 6:55 PM

I had the exact same problem with Drayteks but I got it to work. It was not a routing or firewall issue but the phase 2 proposal:

This is my working setup between Draytek 2900, 2800, 2910 and 2820.
On the pfSense side under IPsec:

Fill in local and remote subnets and remote gateway IP.

Phase 1:
Negotiation mode: aggressive
My identifier: User FQDN -> site1@something.com
Encryption algorithm: DES
Hash: MD5
DH: 2
Lifetime: 28800
Auth method: preshared key
Preshared key: SeCretKey1234

Phase 2:
Protocol: ESP
Enc. algorithm: I selected everything but DES
Hash: SHA1 and MD5
PFS key group: off
Lifetime: 3600

That's it on the pfSense side.
You should make a firewall rule to allow traffic from the remote VPNs.
I have just made a rule to allow all protocols from any to any.

On the Draytek side (this is from a 2910):
LAN to LAN - Enable, Dial out, always on

Type: IPSec
Server IP/Host name: remote IP of pfSense router
Preshared key: SeCretKey1234

IPSec Security Method: High(ESP) - 3DES with authentication
Advanced ->
Aggressive mode
Phase 1 prop: DES_MD5_G2/DES_SHA1_G2…
Phase 2 prop: 3DES_SHA1/3DES_MD5
Phase 1 time: 28800
Phase 2 time: 3600
Secret: Disable
Local ID: site1@something.com

TCP/IP Network settings:
My WAN IP: 0.0.0.0
Rem.G IP: 0.0.0.0
Rem. N IP: local network on pfSense (end with 0, e.g. 10.10.10.0 and NOT 10.10.10.1)
Rem. M.mask: 255.255.255.0

Works every time.

I hope you can then come up with a solution to my problem posted a couple of days ago, why I can't get traffic from one remote site to another - surely a routing issue.
louis-m, posted Jul 20, 2009, 8:28 PM (last edited Jul 20, 2009, 9:20 PM)

Thank you… thank you… thank you!!
It was the SHA1 hash. Changed that to MD5 and everything is going. I've tried it with 3DES, G2, PFS, main, aggressive and it works as long as the hash is set to MD5. So for some reason SHA1 doesn't work with the Drayteks even though the tunnel comes up.
You've saved my sanity there. Cheers. louis
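The two posts above describe the classic "tunnel shows established but nothing flows" situation: phase 1 (the IKE SA) agrees, so the status page reports the tunnel up, while phase 2 (the IPsec SA that actually carries packets) never gets a proposal both peers accept. The pre-flight checker below is an added example written for this thread; it is not pfSense, racoon or DrayTek code. It models proposal selection as set intersection per phase and also validates the DrayTek "Rem. N IP" field, which must be a network address (10.10.10.0) rather than a host address (10.10.10.1) as noted in the working setup. The names (`Proposal`, `expand`, `negotiate`, `check_tunnel`, `remote_network_ok`) and the sample peer configurations are constructed assumptions; real IKEv1 negotiation also compares lifetimes, identifiers, authentication method and exchange mode, which this model leaves out.

```python
"""Pre-flight checker for a site-to-site IPsec configuration (added example).

Models two things discussed in the thread:
  1. phase 1 can succeed while phase 2 has no common proposal, which is
     seen by the admin as "tunnel established, no traffic";
  2. the remote network field must be a network address, not a host address.
The negotiation logic is a simplification of IKEv1, not a reimplementation.
"""
import ipaddress
from itertools import product
from typing import List, Optional, NamedTuple


class Proposal(NamedTuple):
    """One algorithm combination a peer is willing to use for a phase."""
    encryption: str          # e.g. "DES", "3DES", "AES"
    integrity: str           # e.g. "MD5", "SHA1"
    dh_group: Optional[int]  # phase 1: DH group; phase 2: PFS group, None = PFS off


def expand(encryptions: List[str], integrities: List[str],
           dh_group: Optional[int] = None) -> List[Proposal]:
    """pfSense lets you tick several algorithms; each combination is one proposal."""
    return [Proposal(e.upper(), h.upper(), dh_group)
            for e, h in product(encryptions, integrities)]


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Return the first initiator proposal the responder also accepts, else None.

    Order matters on the initiator side, as it does in a real proposal list.
    """
    acceptable = set(responder)
    for p in initiator:
        if p in acceptable:
            return p
    return None


def check_tunnel(p1_init: List[Proposal], p1_resp: List[Proposal],
                 p2_init: List[Proposal], p2_resp: List[Proposal]) -> dict:
    """Classify the outcome the way the admin sees it in the GUI and logs."""
    p1 = negotiate(p1_init, p1_resp)
    if p1 is None:
        # No IKE SA at all: the GUI never shows the tunnel up.
        return {"status": "phase1_failed", "phase1": None, "phase2": None}
    p2 = negotiate(p2_init, p2_resp)
    if p2 is None:
        # IKE SA exists, so the tunnel looks established, but no IPsec SA is
        # installed and no packets are ever encrypted: the thread's symptom.
        return {"status": "established_no_traffic", "phase1": p1, "phase2": None}
    return {"status": "ok", "phase1": p1, "phase2": p2}


def remote_network_ok(addr: str, mask: str) -> bool:
    """True only if addr/mask is a network address (all host bits zero)."""
    try:
        ipaddress.ip_network(f"{addr}/{mask}", strict=True)
        return True
    except ValueError:       # strict mode rejects host bits set, e.g. 10.10.10.1/24
        return False


if __name__ == "__main__":
    # Constructed scenario: phase 1 agrees (DES/MD5/G2 on both sides) but the
    # pfSense side offers only SHA1 for phase 2 while the remote offers only MD5.
    pf_p1 = expand(["DES"], ["MD5"], dh_group=2)
    rt_p1 = [Proposal("DES", "MD5", 2), Proposal("DES", "SHA1", 2)]
    pf_p2_sha1_only = expand(["3DES"], ["SHA1"])
    rt_p2 = [Proposal("3DES", "MD5", None)]
    print(check_tunnel(rt_p1, pf_p1, rt_p2, pf_p2_sha1_only)["status"])
    # Ticking both hashes, as in the working setup, gives phase 2 a match.
    pf_p2_both = expand(["3DES", "AES"], ["SHA1", "MD5"])
    print(check_tunnel(rt_p1, pf_p1, rt_p2, pf_p2_both)["status"])
    print(remote_network_ok("10.10.10.0", "255.255.255.0"),
          remote_network_ok("10.10.10.1", "255.255.255.0"))
```

Run it as a script to see the three outcomes; in practice the useful move when a tunnel is up but idle is to compare the phase 2 proposal lists on both peers field by field before touching firewall rules or routing, since the status indicator only reflects phase 1.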
eek, Mar 12, 2010, 3:06 PM

Hi, just had to register to say thanks.

I have been using pfSense 1.2.3 on WatchGuard X1000 hardware and have been trying to tunnel with both m0n0wall and SonicWall.
The tunnel has always come up no problem but the damn traffic didn't go through!

But changing to MD5 instead of SHA1 made the difference! Crazy really, and I have been thinking about changing from pfSense just because of this.

So thank you.
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.