Netgate Discussion Forum

    IPsec Site-to-Site VTI Only One Way Traffic

    Laxarus

      I wanted to ditch my OpenVPN site-to-site for an IPsec VTI. But the problem was that Site B is behind CGNAT.

      After a good amount of research I set up IPsec on both sites and established the connection. Both P1 and P2 are connected. I assigned the interface on both sites and gave a blanket allow-all rule on the firewall on both sites.
      Site A has a static IP, IPsec set to Responder Only
      Site B behind CGNAT

      After setting this up, Site B can ping Site A at its tunnel network address 172.28.15.1; however, Site A cannot ping Site B at its tunnel network address 172.28.15.2.

      Checking the routes and pinging on Site A:

      [two screenshots: routing table and ping output on Site A]

      Checking the routes and pinging on Site B:

      [two screenshots: routing table and ping output on Site B]

      I am stuck here. For the remote gateway setting on Site A P1, I am using the dynamic DNS FQDN for Site B. I suspect this might be the problem for the routes, but in that case how is the connection established?
      P2 settings are identical on both sites other than swapping the remote and local addresses.

      Site B IPsec Status
      [screenshot: Site B IPsec status page]
      Don't let the host IP address in the 10.x.x.x range confuse you. This is the CGNAT WAN IP my failing ISP uses.

      Site A IPsec Status

      [screenshot: Site A IPsec status page]

      Site A Remote and Site B Host addresses do not match, as expected with CGNAT.
      Anything that I can try to fix this?

      Laxarus (last edited by Laxarus)

        Further to this,
        Packet capture on VTI interface on Site A

        04:35:06.122597 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55150, length 9
        04:35:06.122614 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55150, length 9
        04:35:06.638856 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55151, length 9
        04:35:06.638872 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55151, length 9
        04:35:07.134333 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55152, length 9
        04:35:07.134343 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55152, length 9
        04:35:07.660849 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55153, length 9
        04:35:07.660863 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55153, length 9
        04:35:08.172622 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55154, length 9
        04:35:08.172631 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55154, length 9
        04:35:08.672632 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55155, length 9
        04:35:08.672640 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55155, length 9
        04:35:09.182381 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55156, length 9
        04:35:09.182395 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55156, length 9
        04:35:09.692395 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55157, length 9
        04:35:09.692423 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55157, length 9
        04:35:10.210432 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55158, length 9
        04:35:10.210453 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55158, length 9
        

        Packet capture on VTI interface on Site B

        01:22:51.118490 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53734, length 9
        01:22:51.478284 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53735, length 9
        01:22:51.629011 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53735, length 9
        01:22:51.986237 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53736, length 9
        01:22:52.139262 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53736, length 9
        01:22:52.518490 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53737, length 9
        01:22:52.670996 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53737, length 9
        01:22:53.050700 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53738, length 9
        01:22:53.268614 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53738, length 9
        01:22:53.555411 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53739, length 9
        01:22:53.716504 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53739, length 9
        01:22:54.087630 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53740, length 9
        01:22:54.238652 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53740, length 9
        01:22:54.619919 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53741, length 9
        01:22:54.773002 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53741, length 9
        01:22:55.148510 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53742, length 9
        01:22:55.298507 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53742, length 9
        01:22:55.680765 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53743, length 9
        01:22:55.836002 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53743, length 9
        01:22:56.213018 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53744, length 9
        01:22:56.359121 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53744, length 9
        01:22:56.715381 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53745, length 9
        01:22:56.876992 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53745, length 9
        01:22:57.244013 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53746, length 9
        01:22:57.388502 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53746, length 9
        01:22:57.746040 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53747, length 9
        01:22:57.886003 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53747, length 9
        01:22:58.257073 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53748, length 9
        01:22:58.417002 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53748, length 9
        01:22:58.787029 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53749, length 9
        01:22:58.941504 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53749, length 9
        01:22:59.288462 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53750, length 9
        01:22:59.446999 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53750, length 9
        01:22:59.819046 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53751, length 9
        01:22:59.968508 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53751, length 9
        01:23:00.350023 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53752, length 9
        01:23:00.506907 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53752, length 9
        01:23:00.862560 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53753, length 9
        01:23:01.008997 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53753, length 9
        01:23:01.371015 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53754, length 9
        01:23:01.518502 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53754, length 9
        01:23:01.891049 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53755, length 9
        01:23:02.075194 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53755, length 9
        01:23:02.422049 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53756, length 9
        01:23:02.577009 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53756, length 9
        01:23:02.953059 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53757, length 9
        01:23:03.106999 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53757, length 9
        01:23:03.484056 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53758, length 9
        01:23:03.666087 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53758, length 9
        01:23:04.015020 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53759, length 9
        01:23:04.159250 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53759, length 9
        01:23:04.546063 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53760, length 9
        01:23:04.706519 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53760, length 9
        01:23:05.075316 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53761, length 9
        01:23:05.228505 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53761, length 9
        01:23:05.606067 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53762, length 9
        01:23:05.767005 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53762, length 9
        01:23:06.138265 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53763, length 9
        01:23:06.282006 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53763, length 9
        01:23:06.665820 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53764, length 9
        01:23:06.826509 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53764, length 9
        

        States on Site A

        [screenshot: firewall state table on Site A]

        So apparently packets are being seen by the interfaces on both sites, but for some reason Site A is dropping them.

          Laxarus
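The captures above are compared by eye; the following is an added example (not code from the thread or from pfSense) that does the same comparison programmatically. It parses the tcpdump one-liner format posted in the thread, counts echo requests and replies per direction on each VTI, and reports the first hop at which a ping exchange disappears. The sample capture lines are constructed for the example, modelled on the format above, and the hint text in `diagnose()` is general troubleshooting guidance, not something the thread establishes.

```python
"""
Locate where a one-way ping over an IPsec VTI is lost, using tcpdump ICMP
echo captures taken on the VTI interface of both tunnel endpoints.
"""
import re
from collections import Counter

# Matches the tcpdump line format seen in the thread, e.g.
# "04:35:06.122597 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55150, length 9"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Constructed sample captures (not the thread's full output). Site A's VTI only
# ever carries B's requests and A's replies; A's own requests never appear.
SITE_A_CAP = """
04:35:06.122597 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55150, length 9
04:35:06.122614 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55150, length 9
04:35:06.500000 IP6 fe80::1 > ff02::1: ICMP6, router advertisement, length 56
04:35:06.638856 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55151, length 9
04:35:06.638872 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55151, length 9
04:35:07.134333 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 55152, length 9
04:35:07.134343 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 55152, length 9
"""
SITE_B_CAP = """
01:22:51.478284 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53735, length 9
01:22:51.629011 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53735, length 9
01:22:51.986237 IP 172.28.15.2 > 172.28.15.1: ICMP echo request, id 7858, seq 53736, length 9
01:22:52.139262 IP 172.28.15.1 > 172.28.15.2: ICMP echo reply, id 7858, seq 53736, length 9
"""


def parse_capture(text):
    """Return one dict per ICMP echo line; lines in any other format are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"], d["seq"] = int(d["id"]), int(d["seq"])
            pkts.append(d)
    return pkts


def flow_counts(pkts):
    """Packets per (src, dst, kind); a direction that is simply absent shows up as 0."""
    return Counter((p["src"], p["dst"], p["kind"]) for p in pkts)


def unanswered(pkts):
    """Echo requests in a capture with no matching reply (same id/seq, reversed addresses)."""
    answered = {(p["dst"], p["src"], p["id"], p["seq"]) for p in pkts if p["kind"] == "reply"}
    return [(p["src"], p["dst"], p["id"], p["seq"]) for p in pkts
            if p["kind"] == "request" and (p["src"], p["dst"], p["id"], p["seq"]) not in answered]


def diagnose(local_ip, remote_ip, local_pkts, remote_pkts):
    """
    Explain why pings from local_ip to remote_ip fail, given VTI captures from
    both ends. Follows the exchange hop by hop and names the first gap.
    The hints are generic starting points, not a verdict on any specific config.
    """
    lc, rc = flow_counts(local_pkts), flow_counts(remote_pkts)
    req_local = lc[(local_ip, remote_ip, "request")]   # our requests leaving our VTI
    req_remote = rc[(local_ip, remote_ip, "request")]  # same requests arriving on the remote VTI
    rep_remote = rc[(remote_ip, local_ip, "reply")]    # replies leaving the remote VTI
    rep_local = lc[(remote_ip, local_ip, "reply")]     # replies arriving on our VTI
    if req_local == 0:
        return ("local: echo requests never reach the local VTI "
                "(check the route to %s and the local firewall rules/states)" % remote_ip)
    if req_remote == 0:
        return "transit: requests leave the local VTI but never arrive on the remote VTI (check child SA / ESP path)"
    if rep_remote == 0:
        return "remote: requests arrive but no replies are sent (check inbound IPsec rules and states on the remote side)"
    if rep_local == 0:
        return "return: replies leave the remote VTI but never arrive locally"
    return "ok: bidirectional echo exchange seen on both VTIs"


if __name__ == "__main__":
    a, b = parse_capture(SITE_A_CAP), parse_capture(SITE_B_CAP)
    print("A -> B:", diagnose("172.28.15.1", "172.28.15.2", a, b))
    print("B -> A:", diagnose("172.28.15.2", "172.28.15.1", b, a))
```

Run `tcpdump -ni <vti> icmp` on each endpoint while pinging from both sides, paste the two outputs into the two sample strings, and call `diagnose()` once per direction. The useful property is that the absence of a flow is checked explicitly: in the constructed Site A capture the requests from 172.28.15.1 are simply not there, which is what a visual scan of the thread's captures also suggests.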

          Okay, after a long troubleshooting session, the problem is solved. For reference, I needed to recreate the firewall rules on both sites for IPsec, reload the filters and reset states. I suspect it was a weird gimmick messing up the filters.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.