IPsec tunnel established but no traffic - SOLVED!



  • Hi,
    I've searched through this forum for hours now and still cannot find a resolution.
    Basically, our IPsecs are established. We can't, however, get any traffic down them.
    Firewall rules are in place:
    1. allow all on IPsec interface
    2. allow all from LAN to any on LAN interface.

    Still, no traffic passes. We have 2 x Drayteks connected to this box (1.2.3-rc2) and when we ping, we see the traffic go out from the Draytek with no reply from the pfSense box. A ping from pfSense to the Drayteks registers nothing. Nothing is being registered in the logs either.
    Any ideas?
    Cheers
    louis



  • I ran into this before.  I had the rules set up but had only TCP selected and that prevented my traffic from going.

    Let's start with a few questions:
    1.  What protocols are you running?
    2.  Is it TCP or IP, ICMP or other?
    3.  I would try creating an ICMP rule to see if that will allow you to ping the other side of the tunnel.
    4.  Check your rules and make sure that you really have all traffic specified to flow point to point.

    This is an example of two rules that allow all traffic:

    • 192.168.xx.0/24 * 192.168.xx.0/24 * *   xxxx
    • ICMP 192.168.xx.0/24 * 192.168.xx.0/24 * *   xxxx

    I always add an ICMP rule as a first step in building the rules of my tunnels.  It seems to be helpful when adding rules.  I also build custom rule sets that are more restrictive.

    RC



  • Hi,
    I have rules in place that do any protocol, any port, any source & any destination. This is set in IPsec. I've also specified it on the LAN in question so traffic can flow from that LAN via the IPsec to the other LAN.
    Still no traffic and no reply from a ping.
    If I do a traceroute from the router to the remote's internal subnet, the trace goes out via the WAN and not over the IPsec tunnel. It's as if the routing is wrong.



  • I had the exact same problem with Drayteks but I got it to work. It was not a routing or firewall issue but the phase 2 proposal:

    This is my working setup between Draytek 2900, 2800, 2910 and 2820
    On the pfsense side under IPSec:

    fill in local and remote subnets and remote gateway ip

    Phase 1:
    Negotiation mode: aggressive
    My identifier : User FQDN -> site1@something.com
    Encryption algorithm: DES
    Hash: MD5
    DH: 2
    Lifetime: 28800
    Auth method: preshared key
    Preshared key: SeCretKey1234

    Phase 2:
    Protocol:ESP
    Enc. algorithm: I selected everything but DES
    Hash: SHA1 and MD5
    PFS key group: off
    Lifetime: 3600

    That's it on the pfSense side.
    You should make a firewall rule to allow traffic from the remote VPNs.
    I have just made a rule to allow all protocols from any to any.

    On the draytek side (this is from a 2910):
    LAN to LAN - Enable, Dial out, always on

    Type: IPSec
    Server IP/Host name: remote IP of pfsense router
    Preshared key: SeCretKey1234

    IPSec Security Method: High(ESP)- 3DES with authentication
    Advanced ->
    Aggressive mode
    Phase 1 prop: DES_MD5_G2/DES_SHA1_G2…...
    Phase 2 prop: 3DES_SHA1/3DES_MD5
    phase 1 time: 28800
    phase 2 time: 3600
    secret : Disable
    Local ID: site1@something.com

    TCP/IP Network settings:
    My WAN IP: 0.0.0.0
    Rem.G IP : 0.0.0.0
    Rem. N IP: local network on pfsense (end with 0 eg. 10.10.10.0 and NOT 10.10.10.1)
    Rem. M.mask: 255.255.255.0

    Works every time.

    I hope you can then come up with a solution to my problem posted a couple of days ago, why I can't get
    traffic from one remote site to another - surely a routing issue.
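The symptom running through this thread (phase 1 succeeds so the tunnel shows as up, yet nothing crosses it) is what you get when the two peers share a phase 1 proposal but no phase 2 proposal. Below is an added example, not code from the forum posts, pfSense or DrayTek, that models both ends' proposal lists and reports which symptom to expect. The parser for the Draytek-style proposal strings ("DES_MD5_G2/DES_SHA1_G2") and the expansion of pfSense's tick-box options into every cipher/hash combination are assumptions modelled on the settings posted above; the sample configurations are constructed. It also flags DES and MD5, which the posted configuration relies on and which are obsolete by today's standards.

```python
"""Check whether two IPsec peers share IKE phase 1 / phase 2 proposals.

Added example for this thread; not code from the forum posts, pfSense or
DrayTek. The Draytek-style proposal string format ("DES_MD5_G2/DES_SHA1_G2")
and the pfSense-style option lists are assumptions modelled on the settings
posted above, and the sample configurations below are constructed.
"""
from itertools import product

# Algorithms that are obsolete today; flagged so an operator notices them.
WEAK = {"DES", "MD5"}


def parse_draytek(proposal):
    """Parse 'ENC_HASH[_Gn]/ENC_HASH[_Gn]/...' into a set of (enc, hash, dh).

    Phase 2 entries without a DH group (PFS off) get dh=None.
    """
    found = set()
    for item in proposal.upper().split("/"):
        parts = [p for p in item.strip().split("_") if p]
        if len(parts) < 2:
            continue  # ignore trailing junk such as '...'
        enc, hsh = parts[0], parts[1]
        dh = parts[2] if len(parts) > 2 else None
        found.add((enc, hsh, dh))
    return found


def expand_pfsense(encryptions, hashes, dh_group=None):
    """pfSense lets you tick several ciphers and hashes; the IKE daemon then
    offers every combination, so expand them into the same (enc, hash, dh) tuples."""
    dh = f"G{dh_group}" if dh_group else None
    return {(e.upper(), h.upper(), dh) for e, h in product(encryptions, hashes)}


def diagnose(p1_local, p1_remote, p2_local, p2_remote):
    """Intersect both phases and say which symptom to expect.

    Returns (phase1_common, phase2_common, verdict).
    """
    p1 = p1_local & p1_remote
    p2 = p2_local & p2_remote
    if not p1:
        verdict = "phase 1 mismatch: the tunnel will not come up at all"
    elif not p2:
        verdict = "phase 2 mismatch: tunnel shows as up but no traffic passes"
    else:
        verdict = "proposals overlap: check firewall rules, routing and subnets"
    return p1, p2, verdict


def weak_algorithms(proposals):
    """List obsolete ciphers/hashes present in a proposal set."""
    return sorted({x for enc, hsh, _ in proposals for x in (enc, hsh) if x in WEAK})


# Constructed sample: the settings described in the post above.
PFSENSE_P1 = expand_pfsense(["DES"], ["MD5"], dh_group=2)
DRAYTEK_P1 = parse_draytek("DES_MD5_G2/DES_SHA1_G2/...")
PFSENSE_P2 = expand_pfsense(["3DES", "AES", "Blowfish", "CAST128"], ["SHA1", "MD5"])
DRAYTEK_P2 = parse_draytek("3DES_SHA1/3DES_MD5")

# Constructed counter-example: each side insists on a different phase 2 hash.
STRICT_PFSENSE_P2 = expand_pfsense(["3DES"], ["MD5"])
STRICT_DRAYTEK_P2 = parse_draytek("3DES_SHA1")

if __name__ == "__main__":
    for label, local_p2, remote_p2 in (
        ("posted config", PFSENSE_P2, DRAYTEK_P2),
        ("hash mismatch", STRICT_PFSENSE_P2, STRICT_DRAYTEK_P2),
    ):
        p1, p2, verdict = diagnose(PFSENSE_P1, DRAYTEK_P1, local_p2, remote_p2)
        print(f"{label}: {verdict}")
        print(f"  phase 1 in common: {sorted(p1)}")
        print(f"  phase 2 in common: {sorted(p2)}")
        print(f"  weak algorithms offered: {weak_algorithms(PFSENSE_P1 | local_p2)}")
```

On paper the posted configuration overlaps in both phases, which is why the reporter's later finding (traffic only flows once the hash is pinned to MD5) points at an interoperability quirk rather than a plain proposal mismatch; the "hash mismatch" case shows what a true phase 2 mismatch looks like, where phase 1 still succeeds and the tunnel appears up. When the check reports an overlap, the remaining suspects are the firewall rules on the IPsec interface and the local/remote subnet selectors.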



  • Thank you… thank you..... thank you....!!
    It was the SHA1 hash. Changed that to MD5 and everything is going. I've tried it with 3DES, G2, PFS, main, aggressive and it works as long as the hash is set to MD5. So for some reason SHA1 doesn't work with the Drayteks even though the tunnel comes up.
    You've saved my sanity there. Cheers. louis



  • Hi, just had to register to say thanks.

    I have been using pfSense 1.2.3 on Watchguard x1000 hardware and have been trying to tunnel with both m0n0wall and SonicWall.
    The tunnel has always come up no problem but the damn traffic didn't go through!

    But changing to MD5 instead of SHA1 made the difference! Crazy really, and I have been thinking about changing from pfSense just because of this.

    So thank you.

