Ipsec and 1.2.3RC3
-
Hello all
I am using PFSense as my firewall, and use version 1.2 and now 1.2.3 RC3.
On all locations except my main office I have PFSense 1.2.3RC3 running.
On my main office I have 1.2. I have an IPsec tunnel to all (4) sites from my 1.2 to the 1.2.3RC3 sites.
Now I updated the firewall with version 1.2 to 1.2.3 RC3.
The tunnel gets connected, and I can ping, but I cannot use cvsup.
It makes a connection, but stops at the data part.
Also mysql traffic is not running.
On my firewall in one of the locations I see the following in the log:
Nov 5 16:46:33 pf: 000600 rule 170/0(match): block in on enc0: (tos 0x0, ttl 63, id 1768, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.5999 > 192.168.5.10.27617: F, cksum 0xb78c (correct), 0:0(0) ack 1 win 8326 <nop,nop,timestamp 1547352036 3034913895>
Nov 5 16:46:49 pf: 15. 411500 rule 170/0(match): block in on enc0: (tos 0x0, ttl 63, id 5672, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.5999 > 192.168.5.10.46198: F, cksum 0xaa84 (correct), 0:0(0) ack 1 win 8326 <nop,nop,timestamp 7024512 3035306115>
Nov 5 16:46:49 pf: 000396 rule 170/0(match): block in on enc0: (tos 0x0, ttl 63, id 1294, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.5999 > 192.168.5.10.63936: F, cksum 0x763f (correct), 0:0(0) ack 1 win 8326 <nop,nop,timestamp 1530954024 3035134735>
Nov 5 16:46:49 pf: 000564 rule 170/0(match): block in on enc0: (tos 0x0, ttl 63, id 57455, offset 0, flags [DF], proto TCP (6), length 52) 192.168.1.22.5999 > 192.168.5.10.27617: F, cksum 0x7ac4 (correct), 0:0(0) ack 1 win 8326 <nop,nop,timestamp 1547367596 3034913895>
I have looked on the forum in several topics, but can not find a solution.
I use DPD on both sides with a value of 30.
The strange thing is I can browse a samba server across the tunnel and look at the intranet site (apache) behind the tunnel.
Samba and apache are on the same machine as the csup server.
If I go back to 1.2 all is working fine again.
What can it be?
regards,
Johan
-
I am having a similar issue. I had 1.2.3 RC1 and an IPSec tunnel between 2 devices running just fine through the firewall. After upgrading to RC3 the tunnel connects but I cannot pass traffic. I am not seeing anything in the pfSense logs and unfortunately I had to move the devices outside the fw and cannot do any additional testing. :o
-
I'd like to add that I am not running NAT.
-
I've seen this but not after upgrade. I exported ipsec settings from one router, changed them a bit and imported them into another. Same versions of pfSense. It says tunnel is established, ping goes OK but can't ssh or ftp to the host.
Fixed by re-entering all tunnels.
Correction: ping doesn't go through but it says tunnel is established.
-
Thanks Covex.
I used to back up my configuration file, and restore it.
Now I installed pfsense nanobsd and configured it by hand, just like the 1.2 version.
Now it all works.
Thanks again