Netgate Discussion Forum

    Odd IPsec Situation - Can't Figure It Out

    IPsec
    1 Posts 1 Posters 167 Views

      jlw52761
      last edited by

      So, I have two boxes at two different locations, and for quite some time I've had an IPsec tunnel running between the two using VTI for Phase 2 and OSPF, with no issues.
      Not sure when, but something changed.
      So what's going on is the P1 tunnel forms, and the P2 tunnel appears to form, but trying to ping the VTI address of the remote server (Server2) from Server1 fails, while pinging the VTI address of Server1 from Server2 works like a treat.
      Here's the setup that I have. Please keep in mind, this has been running for about 2 years reliably, so I'm not sure what changed unless something on one of the ISPs has changed, but I can't figure it out. Neither ISP is CGNAT, and other IPsec tunnels from Server1 to other servers work, even in the same site as Server2. Tunnels from Server2 to others work too; it's just something specific between Server1 and Server2.

      Server1
      P1
      Proposal: CHACHA20-POLY1305 - SHA256 - DH16

      P2
      Mode: Routed (VTI)
      Local Network Type: Network
      Local Network Address: 10.8.222.9/30
      Remote Network Type: Address
      Remote Network Address: 10.8.222.10
      Protocol: ESP
      Algorithms (All Auto): AES128-GCM, AES192-GCM, AES256-GCM, CHACHA20-POLY1305
      PFS Key Group: 16

      VTI Interface (ipsec3): Enabled
      MTU: 1400
      MSS: 1360

      Server2
      P1
      Proposal: CHACHA20-POLY1305 - SHA256 - DH16

      P2
      Mode: Routed (VTI)
      Local Network Type: Network
      Local Network Address: 10.8.222.10/30
      Remote Network Type: Address
      Remote Network Address: 10.8.222.9
      Protocol: ESP
      Algorithms (All Auto): AES128-GCM, AES192-GCM, AES256-GCM, CHACHA20-POLY1305
      PFS Key Group: 16

      VTI Interface (ipsec1): Enabled
      MTU: 1400
      MSS: 1360

      So, the Server2 gateway monitor for Server1's VTI (10.8.222.9) pings just fine, about 17ms on average with 0% loss. The Server1 gateway monitor for Server2's VTI (10.8.222.10) shows 100% loss.
      On Server1, looking at the routing table, I see 10.8.222.10 via ipsec3 with the UH flag, so all good there.

      So, the routing is there. On both firewalls, the firewall rules for the respective VTI interfaces have an IPv4+6* Allow All rule right at the top to rule out the rules being stupid.

      When I look at the IPsec logs, I see a lot of "sending packet:" and "receiving packet:" to and from the remote firewall's WAN IP, so to me that says it's popping packets back and forth.

      I am really at a loss on this one. Anyone have thoughts on what I missed?

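The "sending packet:" / "receiving packet:" lines quoted in the post are charon's IKE messages, so they only prove the control plane is talking; they say nothing about whether the pings themselves are being encrypted into the child SA or whether anything is decrypted on the way back. The check a practitioner would run on Server1 is: dump `swanctl --list-sas`, send a known burst of pings to 10.8.222.10 across the VTI, dump again, and compare the per-direction packet counters of the child SA. The script below does that comparison. It is an added example, not code from the post or from pfSense; the two dumps are constructed in the layout swanctl prints, and the connection name, SPIs, addresses and counts in them are invented.

```python
"""Compare IPsec child SA counters before and after a ping burst.

Added example: reads two `swanctl --list-sas` dumps taken before and after
sending a known number of pings across a VTI, and reports per child SA how
many packets were encrypted outbound and decrypted inbound in between.
"""
import re
from dataclasses import dataclass

# Constructed samples in the layout swanctl prints. Name, SPIs, addresses
# and counters are invented for the example and are not from the poster's boxes.
BEFORE = """\
con2000: #7, ESTABLISHED, IKEv2, 4d1c0a9f8e7b6c5a_i* 9b8a7c6d5e4f3a2b_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  CHACHA20_POLY1305/PRF_HMAC_SHA2_256/MODP_4096
  established 900s ago, rekeying in 26500s
  con2000: #12, reqid 2, INSTALLED, TUNNEL, ESP:CHACHA20_POLY1305
    installed 900s ago, rekeying in 2600s, expires in 3100s
    in  c0ffee01,  41200 bytes,   480 packets,     2s ago
    out 0badf00d,  40100 bytes,   470 packets,     2s ago
    0.0.0.0/0 === 0.0.0.0/0
"""

# Same SA a few seconds later: 10 more packets went out, nothing more came in.
AFTER = """\
con2000: #7, ESTABLISHED, IKEv2, 4d1c0a9f8e7b6c5a_i* 9b8a7c6d5e4f3a2b_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  CHACHA20_POLY1305/PRF_HMAC_SHA2_256/MODP_4096
  established 912s ago, rekeying in 26488s
  con2000: #12, reqid 2, INSTALLED, TUNNEL, ESP:CHACHA20_POLY1305
    installed 912s ago, rekeying in 2588s, expires in 3088s
    in  c0ffee01,  41200 bytes,   480 packets,    14s ago
    out 0badf00d,  40940 bytes,   480 packets,     1s ago
    0.0.0.0/0 === 0.0.0.0/0
"""

# Child SA header: "  con2000: #12, reqid 2, INSTALLED, TUNNEL, ESP:..."
CHILD_RE = re.compile(r"^\s+(?P<name>\S+): #(?P<id>\d+), reqid (?P<reqid>\d+), (?P<state>\w+),")
# Per-direction counters; the optional "(mark)" group covers dumps that show marks.
DIR_RE = re.compile(
    r"^\s+(?P<dir>in|out)\s+(?P<spi>[0-9a-fA-F]+)(?: \([^)]*\))?,"
    r"\s+(?P<bytes>\d+) bytes,\s+(?P<pkts>\d+) packets"
)


@dataclass
class ChildSA:
    name: str
    reqid: int
    state: str
    in_pkts: int = 0   # packets this host decrypted on the SA
    out_pkts: int = 0  # packets this host encrypted into the SA


def parse_child_sas(text: str) -> dict[int, ChildSA]:
    """Return the child SAs found in a swanctl --list-sas dump, keyed by reqid."""
    sas: dict[int, ChildSA] = {}
    current = None
    for line in text.splitlines():
        if m := CHILD_RE.match(line):
            current = ChildSA(m["name"], int(m["reqid"]), m["state"])
            sas[current.reqid] = current
        elif (m := DIR_RE.match(line)) and current is not None:
            if m["dir"] == "in":
                current.in_pkts = int(m["pkts"])
            else:
                current.out_pkts = int(m["pkts"])
    return sas


def probe_deltas(before: str, after: str) -> dict[int, tuple[int, int]]:
    """Per reqid: (outbound packets added, inbound packets added) between the dumps."""
    b, a = parse_child_sas(before), parse_child_sas(after)
    return {
        reqid: (a[reqid].out_pkts - b[reqid].out_pkts, a[reqid].in_pkts - b[reqid].in_pkts)
        for reqid in a if reqid in b
    }


def verdict(out_delta: int, in_delta: int, probes: int) -> str:
    """Read a counter delta against the number of pings that were sent."""
    if out_delta < probes:
        return (f"probes never reached the SA: only {out_delta} of {probes} were encrypted, "
                "so the problem is routing or the VTI interface on this side")
    if in_delta == 0:
        return ("probes were encrypted and sent but nothing was decrypted in return: "
                "capture ESP on the far side to see whether they arrive")
    return "SA carried traffic both ways; the loss is above the SA (interface, rules, state)"


if __name__ == "__main__":
    PROBES = 10  # pings sent between the two dumps
    for reqid, (out_d, in_d) in probe_deltas(BEFORE, AFTER).items():
        print(f"reqid {reqid}: +{out_d} out, +{in_d} in -> {verdict(out_d, in_d, PROBES)}")
```

Take both dumps within one child SA lifetime; a rekey keeps the reqid but resets the counters, so a negative delta means the SA was replaced and the run should be repeated. Because Server2's gateway monitor keeps pinging Server1 during the window, expect some inbound and outbound growth unrelated to the probe; what matters is whether the outbound delta grows by at least the burst size and whether the inbound delta grows at all beyond that background. If the probes do enter the SA on Server1, `tcpdump -ni enc0` on Server2 shows whether the echo requests are decrypted there, which splits the problem cleanly between the two ends.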
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.