IPsec tunnel established but no traffic - SOLVED!
-
Hi,
i've searched through this forum for hours now and still cannot find a resolution.
basically, our ipsec's are established. we can't however, get any traffic down them.
firewall rules are in place:
1. allow all on ipsec interface
2. allow all from lan to any on lan interface.
still, no traffic passes. we have 2 x drayteks connected to this box (1.2.3-rc2) and when we ping, we see the traffic go out from the draytek with no reply from the pfsense box. a ping from pfsense to the drayteks registers nothing. nothing is being registered in the logs either.
any ideas?
cheers
louis -
I ran into this before. I had the rules set up but had only TCP selected and that prevented my traffic from going.
Let's start with a few questions:
1. what protocols are you running?
2. Is it TCP or IP, ICMP or other?
3. I would try creating an ICMP rule to see if that will allow you to ping the other side of the tunnel
4. check your rules and make sure that you really have all traffic specified to flow point to point.
This is an example of two rules that allow all traffic:
- 192.168.xx.0/24 * 192.168.xx.0/24 * * xxxx
ICMP 192.168.xx.0/24 * 192.168.xx.0/24 * * xxxx
I always add an ICMP rule as a first step in building the rules for my tunnels. It seems to be helpful when adding rules. I also build custom rule sets that are more restrictive.
RC
-
hi,
i have rules in place that do any protocol, any port, any source & any destination. this is set in ipsec. i've also specified it on the lan in question so traffic can flow from that lan via the ipsec to the other lan.
still no traffic and no reply from a ping.
if i do a traceroute from the router to the remotes internal subnet, the trace goes out via the wan and not over the ipsec tunnel. it's as if the routing is wrong. -
I had the exact same problem with drayteks but I got it to work. It was not a routing or firewall issue but the phase 2 proposal:
This is my working setup between Draytek 2900, 2800, 2910 and 2820
On the pfsense side under IPSec: fill in local and remote subnets and remote gateway ip
Phase 1:
Negotiation mode: aggressive
My identifier : User FQDN -> site1@something.com
Encryption algorithm: DES
Hash: MD5
DH: 2
Lifetime: 28800
Auth method: preshared key
Preshared key: SeCretKey1234
Phase 2:
Protocol:ESP
Enc. algorithm: I selected everything but DES
Hash: SHA1 and MD5
PFS key group: off
Lifetime: 3600
That's it on the pfsense side.
You should make a firewall rule to allow traffic from the remote vpn's.
I have just made a rule to allow all protocols from any to any.
On the draytek side (this is from a 2910):
LAN to LAN - Enable, Dial out, always on
Type: IPSec
Server IP/Host name: remote IP of pfsense router
Preshared key: SeCretKey1234
IPSec Security Method: High(ESP) - 3DES with authentication
Advanced ->
Aggressive mode
Phase 1 prop: DES_MD5_G2/DES_SHA1_G2…...
Phase 2 prop: 3DES_SHA1/3DES_MD5
phase 1 time: 28800
phase 2 time: 3600
secret : Disable
Local ID: site1@something.com
TCP/IP Network settings:
My WAN IP: 0.0.0.0
Rem.G IP : 0.0.0.0
Rem. N IP: local network on pfsense (end with 0 eg. 10.10.10.0 and NOT 10.10.10.1)
Rem. M.mask: 255.255.255.0
Works every time.
I hope you can then come up with a solution to my problem posted a couple of days ago, why I can't get
traffic from one remote site to another - surely a routing issue. -
thank you… thank you..... thank you....!!
it was the SHA1 hash. changed that to MD5 and everything is going. i've tried it with 3DES, G2, PFS, main, aggressive and it works as long as the hash is set to MD5. So for some reason the SHA1 doesn't work with the drayteks even though the tunnel comes up.
you've saved my sanity there. cheers. louis -
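A small model of why narrowing pfSense's phase 2 hash selection fixed this, added here as an illustration and not taken from the thread, pfSense or Draytek: it parses Draytek's proposal strings, expands pfSense's checkbox selections into the list it offers, and picks the first offered proposal the other side accepts. The pfSense 1.2.3 cipher list, the offer ordering and the first-match selection rule are assumptions of this model, not documented behaviour of either product.

```python
from itertools import product

# Draytek writes a proposal list as ENC_HASH[_Gn] items joined by "/",
# e.g. "DES_MD5_G2/DES_SHA1_G2" (phase 1) or "3DES_SHA1/3DES_MD5" (phase 2).
def parse_draytek(prop_string):
    """Return a list of (enc, hash, dh_group) tuples; dh_group is None for phase 2."""
    proposals = []
    for item in prop_string.split("/"):
        parts = item.split("_")
        dh_group = parts[2] if len(parts) > 2 else None
        proposals.append((parts[0], parts[1], dh_group))
    return proposals

def pfsense_proposals(encs, hashes, dh_group=None):
    """Expand pfSense's checkbox selections into the full list it will offer.
    Enc-major ordering is an assumption of this model, not documented pfSense
    behaviour."""
    return [(e, h, dh_group) for e, h in product(encs, hashes)]

def negotiate(offered, accepted):
    """Model of proposal selection: the first offered proposal that the
    responder also accepts wins (an assumption; real IKE daemons differ)."""
    accepted_set = set(accepted)
    return next((p for p in offered if p in accepted_set), None)

def diagnose(offered, accepted, known_broken=()):
    """Return (chosen, alternatives): the proposal this model picks, and the
    other common proposals whose hash is not on the known-broken list."""
    chosen = negotiate(offered, accepted)
    accepted_set = set(accepted)
    alternatives = [p for p in offered
                    if p in accepted_set and p != chosen and p[1] not in known_broken]
    return chosen, alternatives

# Constructed from the thread: pfSense phase 2 with "everything but DES" and
# both hashes ticked, against the Draytek 2910 phase 2 list. The exact
# pfSense 1.2.3 cipher list is assumed.
CIPHERS = ["3DES", "Blowfish", "CAST128", "AES"]
PFSENSE_P2 = pfsense_proposals(CIPHERS, ["SHA1", "MD5"])
DRAYTEK_P2 = parse_draytek("3DES_SHA1/3DES_MD5")

# With MD5 the only hash offered, a SHA1 proposal can no longer be selected.
PFSENSE_P2_FIXED = pfsense_proposals(CIPHERS, ["MD5"])

if __name__ == "__main__":
    print("before:", diagnose(PFSENSE_P2, DRAYTEK_P2, known_broken={"SHA1"}))
    print("after: ", diagnose(PFSENSE_P2_FIXED, DRAYTEK_P2))
```

Both sides accept 3DES_SHA1, so the tunnel establishes on it even though, on this hardware, no traffic then passes; offering MD5 only leaves 3DES_MD5 as the sole common proposal.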
Hi, just had to register to say thanks.
I have been using pfsense 1.2.3 on watchguard x1000 hardware and have been trying to tunnel with both m0n0wall and sonicwall.
the tunnel has always come up no problem but the damn traffic didn't go through!
but changing to md5 instead of sha1 made the difference! crazy really, and i have been thinking about changing from pfsense just because of this.
so thank you.