Tunnel up, can ping FW, and can configure through https, but no traffic routed



  • Hello guys,

    I've been using pfSense for some years now but only used PPTP as VPN. Now I'm trying to use pfSense and Shrew VPN together.

    I have searched the forum for a similar problem but haven't found one.

    The problem is that no data is routed from the mobile client to internal IPs. Well, this is a common problem here…

    But I can ping the FW, I can browse to the FW and configure it. I can ping the client from the FW, so the link is really up and running.

    I have double and triple checked the settings in pfSense and Shrew and they are the same.

    There is a "pass all" rule for IPsec just as for PPTP (which works).

    What could be the reason for the traffic not being routed? It seems like the IPsec->LAN rule is not working, but I cannot see why.

    IP-setup of client in Shrew: 172.16.111.22/16

    When tunnel is up, the route in windows looks like this:

    172.16.0.0      255.255.0.0    172.16.111.22  172.16.111.22      1
    172.16.111.22  255.255.255.255        127.0.0.1      127.0.0.1      30
    172.16.255.255  255.255.255.255    172.16.111.22  172.16.111.22      30

    IPsec log:

    Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.0.0/16[0] 172.16.111.22/32[0] proto=any dir=out"
    Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in"
    Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=2760772392(0xa48e0b28)
    Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=47611494(0x2d67e66)
    Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in
    Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: XX[0]<=>YY[0]
    Apr 8 12:49:01 racoon: INFO: generated policy, deleting it.
    Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established XX[500]-YY[4849] spi:2eddb914b17bf772:34953d56716b0602
    Apr 8 12:49:01 racoon: INFO: received Vendor ID: DPD
    Apr 8 12:49:01 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Apr 8 12:49:01 racoon: INFO: received Vendor ID: RFC 3947
    Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Apr 8 12:49:01 racoon: INFO: begin Aggressive mode.
    Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation

    As I have heard, the two errors are not the issue. Correct?

    And status:

    Source  Destination  Protocol  SPI       Enc. alg.  Auth. alg.
    aa      bb           ESP       a48e0b28  3des-cbc   hmac-sha1
    bb      bb           ESP       02d67e66  3des-cbc   hmac-sha1

    IP rule for IPsec:

    Proto  Source  Port  Destination  Port  Gateway  Schedule  Description

              • IPSEC passthruu

    Ping FW: 172.16.0.1 works ok!
    Ping 172.16.111.22 from FW works ok!
    Ping any other IP from client = no response

    Best regards,

    Stefan Johansson



  • No ideas?

    Should I have any other rule than the one for IPSec?


  • Rebel Alliance Developer Netgate

    The subnets which you are using overlap. That may be part of the problem.



  • I have now changed the LAN network to 172.16.0.0/19, which has the subnet mask 255.255.224.0, and the mobile client is set to use IP 172.16.200.22, which means that the client is not within the /19 subnet. Still the same error.



  • Changed the mobile warrior to use a 192.168 network and now it works fine.
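As an added illustration of the overlap the Netgate developer points out (example code, not from the thread or from pfSense), the following Python snippet checks whether a Shrew client's tunnel address shares address space with the pfSense LAN, using the values posted above. The 192.168 address and the assumption that the client kept its /16 mask after the LAN was renumbered to /19 are mine.

```python
import ipaddress

# Values from the thread: the original LAN, the renumbered LAN, and the
# virtual address Shrew hands the client (posted as 172.16.111.22/16).
LAN_ORIGINAL = ipaddress.ip_network("172.16.0.0/16")
LAN_RENUMBERED = ipaddress.ip_network("172.16.0.0/19")


def client_network(client_addr_with_mask: str) -> ipaddress.IPv4Network:
    """Network the client treats as reachable through its tunnel adapter.

    This is the 172.16.0.0/16 entry in the Windows route table of the first
    post: it is derived from the address/mask configured in Shrew.
    """
    return ipaddress.ip_interface(client_addr_with_mask).network


def overlaps(client_addr_with_mask: str, lan: ipaddress.IPv4Network) -> bool:
    """True when the client's tunnel-side network and the LAN share addresses.

    In that case LAN hosts see the client's address as on-link and ARP for it
    instead of sending replies to the firewall, so only the firewall itself
    (which holds the IPsec policy) can answer the client: exactly the symptom
    in the thread (FW pings, other hosts do not).
    """
    return client_network(client_addr_with_mask).overlaps(lan)


def suggest_client_pool(lan: ipaddress.IPv4Network,
                        candidate_ranges, prefixlen: int = 24):
    """First /prefixlen block inside the candidate ranges that does not
    overlap the LAN; suitable as a mobile-client virtual address pool."""
    for rng in candidate_ranges:
        for block in ipaddress.ip_network(rng).subnets(new_prefix=prefixlen):
            if not block.overlaps(lan):
                return block
    return None


def check_thread_configs() -> dict:
    """Evaluate the three configurations described in the thread."""
    return {
        # first post: client 172.16.111.22/16 against LAN 172.16.0.0/16
        "original": overlaps("172.16.111.22/16", LAN_ORIGINAL),
        # renumbered LAN, assuming the client still carried a /16 mask
        "renumbered_client_keeps_16": overlaps("172.16.200.22/16", LAN_RENUMBERED),
        # constructed 192.168 address standing in for the working setup
        "client_on_192_168": overlaps("192.168.200.22/24", LAN_RENUMBERED),
    }
```

Note that with a /24 mask the client address 172.16.200.22 would not overlap the /19 LAN, so the mask the client installs matters as much as the address itself.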

