IPSec dropped traffic, can't find explanation
-
Hey everyone,
Hoping to get some assistance on a Site-to-Site VPN issue I am facing. Definitely not an expert so please bear with me.
I have a VPN connection up, (P1 + P2 both look fine), but traffic comes across and just disappears. If I do a packet capture on the interface for the VPN, I see bidirectional communication. If I do a packet capture on the interface for IPSEC I see traffic come in but no response going back out. The intended destination is in AWS and when I do a VPC flow log I do not see the traffic making it up to the box.
My colleague on the other end of the connection mentioned the complexity of the tunnel and that it was a hairpin VPN. Reviewing what that meant made me realize I may need to force a static route as the IP they are using is public but routed over a private connection. Adding that didn't seem to change packet traffic results however.
I am looking around to find a firm reject of the traffic but am coming up short.
-
So this is an IPSec tunnel between pfSense and AWS directly? Is it using policy mode or route mode?
AWS generally prefers route mode. That would require adding static routes.
So a pcap on the IPSec interface shows traffic arriving from AWS? But no replies?
What pfSense version are you running?
Steve
-
There are two tunnels, one that runs to AWS, (working fine), and the other that is with our client. As a note we have other clients with VPNs configured which are running fine. Our clients connect to us over the individual VPNs we have with them and then we fire the requests up to AWS through our tunnel with them.
I just added additional rules to our Route tables as I could see that being an issue once the request is received in AWS. Didn't seem to help.
A packet capture in pfSense shows requests coming over the IPSEC interface attempting to speak with our box in AWS. When I run a flow log in AWS it doesn't seem like the request makes it up there. Is there another place to look in pfSense to see if it is getting rejected / dropped?
We are using 2.4.4-RELEASE (amd64). We have been in touch with sales regarding purchasing a dedicated product with the Plus version and doing a migration but that will take some time on our side.
Thanks for your help!
-
And configuration is currently done through policy mode.
-
While reviewing Diagnostics > States I looked up entries for the peer IP for this new tunnel and it seems to jive with what other clients have.
The P2 rule does not however. The entry for it identifies the interface as being lo0 which doesn't sound right. I assume I am missing some configuration which is making it choose this?
-
@ssweeney said in IPSec dropped traffic, can't find explanation:
We are using 2.4.4-RELEASE (amd64)
Umm... yeah you should upgrade! But this should still work.
If it's all policy mode IPSec you need to be sure you have the correct P2s on both tunnels.
If you are seeing traffic come in from the client but not leave to reach AWS then the P2(s) to AWS probably are not matching it.
-
Ah, interesting, that makes sense. Would there be anything that shows that issue? Just so I can try putting it in and confirming a difference is seen. I added it but so far don't see a difference.
Also, after changing the rules and resetting the connections, I noticed one of the AWS tunnels doesn't list most of the P2 rules that were there before, but it certainly seems to be up. A quick review suggests there could be a bug related to this - do you know if there is any way to correct this if it is in fact the case? (Beyond an upgrade haha)
Thanks for your help, I really appreciate the insight.
-
In Status > IPSec you should see traffic on the packet counters for both P2s. If you don't, they either don't match the traffic or your firewall rules don't.
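An added example (my own, not from the thread or from pfSense) that models what the last two replies describe: in policy mode a hairpinned packet from the client tunnel is only re-encrypted towards AWS if an AWS-tunnel P2 has the client subnet in its local selector; all subnets below are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed example selectors (documentation/RFC1918 ranges, not from the thread).
CLIENT_SUBNET = "192.0.2.0/24"   # hypothetical client network behind their tunnel
AWS_SUBNET = "172.31.0.0/16"     # hypothetical VPC CIDR behind the AWS tunnel
OUR_LAN = "10.20.0.0/16"         # hypothetical local LAN behind pfSense

# Each P2 is (local selector, remote selector), as listed under VPN > IPsec P2 entries.
CLIENT_TUNNEL_P2 = [(AWS_SUBNET, CLIENT_SUBNET)]            # client may reach AWS via us
AWS_TUNNEL_P2_BEFORE = [(OUR_LAN, AWS_SUBNET)]              # only our own LAN to AWS
AWS_TUNNEL_P2_AFTER = AWS_TUNNEL_P2_BEFORE + [(CLIENT_SUBNET, AWS_SUBNET)]  # hairpin P2


def matching_p2(p2s, src, dst):
    """Return the first (local, remote) pair whose selectors cover src -> dst, else None."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in p2s:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def hairpin_path(client_p2s, aws_p2s, src, dst):
    """Trace a decrypted packet from the client tunnel towards the AWS tunnel.

    Inbound: the packet must fit a client-tunnel P2 seen from the far side,
    i.e. src inside the remote selector and dst inside the local selector.
    Outbound: to be re-encrypted it must fit an AWS-tunnel P2 with src inside
    the *local* selector. A P2 that only lists our LAN never matches packets
    sourced from the client subnet, so its counters stay at zero and the
    packet is handed to normal routing instead of the tunnel.
    """
    s, d = ip_address(src), ip_address(dst)
    inbound = next(((l, r) for l, r in client_p2s
                    if s in ip_network(r) and d in ip_network(l)), None)
    outbound = matching_p2(aws_p2s, src, dst) if inbound else None
    return {"inbound": inbound, "outbound": outbound,
            "forwarded": inbound is not None and outbound is not None}


if __name__ == "__main__":
    for label, p2s in (("before", AWS_TUNNEL_P2_BEFORE), ("after", AWS_TUNNEL_P2_AFTER)):
        print(label, hairpin_path(CLIENT_TUNNEL_P2, p2s, "192.0.2.10", "172.31.5.20"))
```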