Tunnel stopped working and I can't figure out why
-
I have IPsec tunnels between multiple pfSense firewalls, and all worked fine until a few days ago, when one tunnel stopped working. It is really curious: I cannot access Site A from Site B and vice versa, but it is no problem to reach A from C and B from C, and I can also reach C from both Sites A and B.
The tunnels are all set up in the same manner. Here are a few details; maybe someone sees something I overlooked:
Here is the status of Site A; there are no packets out:
Here is the status of Site B; **there are no packets in and out**:
Here is the IPsec log for Site A; there seems to be traffic in both directions, isn't there?
Here is the IPsec log for Site B; there is also traffic:
So my first question: when there are packets sent in both directions, why are the counters 0?
Packet trace at Site A:
Packet trace at Site B - only UDP, no ESP .... why?
If someone can give any hint, this would be greatly appreciated; if someone needs more information, please write. Thank you so much!
-
@24fun how are your routing tables and tracerts?
I'm experiencing a lot lot lot of crazy problems with IPsec + routing after upgrading to 2.7
-
In the meantime I figured out that setting "NAT Traversal" in Site B from "Auto" to "Forced" in the phase 1 settings solved my problem. Curious, all other tunnels are running with this "Auto" setting. ????
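The first post asked why the Site B trace showed "only UDP, no ESP", and this one found that forcing NAT Traversal fixed it. As an added example that is not from this thread, here is a small Python classifier that sorts tcpdump-style capture lines into IKE on UDP/500, NAT-T traffic on UDP/4500 (IKE, keepalives and ESP-in-UDP per RFC 3948) and raw ESP (IP protocol 50), so you can see at a glance whether the data plane is absent or merely UDP-encapsulated. The sample lines, addresses and SPIs are constructed, and the payload labels (`isakmp`, `UDP-encap: ESP(...)`, `NONESP-encap`, `isakmp-nat-keep-alive`) are assumed to match tcpdump's usual output.

```python
import re
from collections import Counter

# Matches "IP src[.port] > dst[.port]: payload" as printed by tcpdump -n.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+(?:\.\d+){3})(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)

def classify(line):
    """Return ike, natt-ike, natt-esp, natt-keepalive, esp or other."""
    m = LINE_RE.search(line)
    if not m:
        return "other"
    rest = m.group("rest")
    ports = {m.group("sport"), m.group("dport")}
    if "4500" in ports:  # NAT-T: IKE, ESP and keepalives all share UDP/4500
        if "ESP(" in rest:
            return "natt-esp"
        if "keep-alive" in rest:
            return "natt-keepalive"
        return "natt-ike"
    if "500" in ports:
        return "ike"
    if rest.startswith("ESP("):  # raw ESP, IP protocol 50, carries no ports
        return "esp"
    return "other"

def summarize(lines):
    """Count each class and say whether any data-plane (ESP) traffic was seen."""
    counts = Counter(classify(line) for line in lines)
    if counts["esp"] + counts["natt-esp"] == 0:
        verdict = "no ESP at all: only IKE/keepalives, the child SA is not carrying traffic"
    elif counts["esp"] == 0:
        verdict = "ESP only inside UDP/4500: NAT-T is in use (what NAT Traversal = Forced gives)"
    else:
        verdict = "raw ESP (IP protocol 50) is present"
    return counts, verdict

# Constructed sample lines (documentation addresses): only IKE on UDP/500 before,
# and ESP riding inside UDP/4500 once NAT-T is forced.
BEFORE = [
    "IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: parent_sa ikev2_init[I]",
    "IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: parent_sa ikev2_init[R]",
]
AFTER = [
    "IP 203.0.113.10.4500 > 198.51.100.20.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]",
    "IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0c1d2e3f,seq=0x1), length 116",
    "IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x4a5b6c7d,seq=0x1), length 116",
    "IP 198.51.100.20.4500 > 203.0.113.10.4500: isakmp-nat-keep-alive",
]
```

Run `summarize()` over the lines of a pfSense packet capture saved with `tcpdump -n`; a verdict of "no ESP at all" on both ends matches the zero byte counters seen in the first post, while a NAT-T-only verdict is expected after forcing NAT Traversal.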
-
I've had no issues with IPsec on pf Plus at least; I don't have a 2.7 system to test right now though, but that NAT setting normally shouldn't have to be adjusted.
Just out of curiosity, are you seeing any MAC auth errors?
I had an issue a while back, still not sure if it's solved or not (made a post with no responses) and haven't been able to test, but for some reason I was getting a ton of auth issues with IPsec after updating pfSense to a newer version; it turned out that for some reason the option of using "My IP Address" wasn't properly authenticating and I had to manually specify the IP.
Anyway, it seems like that's not related to your issue, but I just wanted to double check since it was something I ran across and never managed to solve.
Edit: here is that post I made: https://forum.netgate.com/topic/176502/had-to-manually-specify-identifier-ip-address-no-nat-involved-bug
Another edit: this does appear to have been resolved, just got it working when before it wouldn't.