Netgate Discussion Forum

    Tunnel up, can ping FW, and can configure through https, but no traffic routed

    IPsec
    5 Posts 2 Posters 3.4k Views
    • steqve

      Hello guys,

      I've been using pfSense for some years now but only used PPTP as VPN. Now I'm trying to use pfSense and Shrew VPN together.

      I have searched the forum for a similar problem but haven't found one.

      The problem is that no data is routed from the mobile client to internal IPs. Well, this is a common problem here…

      But I can ping the FW, I can browse to the FW and configure it. I can ping the client from the FW so the link is really up and running.

      I have double and triple checked the settings in pfSense and Shrew and they are the same.

      There is a "pass all" rule for IPsec just as for PPTP (which works).

      What could be the reason for the traffic not being routed? It seems like the IPsec->LAN rule is not working, but I cannot see why.

      IP-setup of client in Shrew: 172.16.111.22/16

      When tunnel is up, the route in windows looks like this:

      172.16.0.0      255.255.0.0    172.16.111.22  172.16.111.22      1
      172.16.111.22  255.255.255.255        127.0.0.1      127.0.0.1      30
      172.16.255.255  255.255.255.255    172.16.111.22  172.16.111.22      30

      IPsec log:

      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.0.0/16[0] 172.16.111.22/32[0] proto=any dir=out"
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in"
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=2760772392(0xa48e0b28)
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=47611494(0x2d67e66)
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: XX[0]<=>YY[0]
      Apr 8 12:49:01 racoon: INFO: generated policy, deleting it.
      Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established XX[500]-YY[4849] spi:2eddb914b17bf772:34953d56716b0602
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: DPD
      Apr 8 12:49:01 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: RFC 3947
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Apr 8 12:49:01 racoon: INFO: begin Aggressive mode.
      Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation

      As I have heard, the two errors are not the issue. Correct?

      And status:

      Source  Destination  Protocol  SPI  Enc. alg.  Auth. alg. 
      aa bb ESP a48e0b28 3des-cbc hmac-sha1
      bb bb ESP 02d67e66 3des-cbc hmac-sha1

      IP rule for IPsec:

      Proto  Source  Port  Destination  Port  Gateway  Schedule  Description

                • IPSEC passthruu

      Ping FW: 172.16.0.1 works ok!
      Ping 172.16.111.22 from FW works ok!
      Ping any other IP from client = no response

      Best regards,

      Stefan Johansson

      • steqve

        No ideas?

        Should I have any other rule than the one for IPSec?

        • jimp (Rebel Alliance Developer, Netgate)

          The subnets which you are using overlap. That may be part of the problem.

          • steqve
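          The overlap jimp points to can be checked mechanically before the tunnel is ever brought up. The following is an added example (not code from the thread, pfSense or Shrew), using Python's standard `ipaddress` module: it takes the LAN network and the mobile client's virtual address with its mask and reports whether the client's own subnet overlaps the LAN, and separately whether the client address itself sits inside the LAN. The three scenarios it audits are taken from the thread; the /16 mask on the 172.16.200.22 client in the second scenario is an assumption (the post does not state the mask the client kept), included to show that shrinking the LAN alone does not remove the overlap if the client side still claims the wider range.

```python
import ipaddress


def check_mobile_client(lan_cidr: str, client_cidr: str) -> dict:
    """Compare a mobile client's virtual address/mask against the LAN.

    lan_cidr    e.g. "172.16.0.0/16"   (the pfSense LAN network)
    client_cidr e.g. "172.16.111.22/16" (address and mask set in the client)

    Returns a dict of findings; "ok" is True only when the client's subnet
    and the LAN do not overlap at all, which is what an IPsec road-warrior
    setup needs so the client routes LAN traffic into the tunnel rather
    than treating it as on-link.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    client_if = ipaddress.ip_interface(client_cidr)
    client_net = client_if.network

    overlaps = client_net.overlaps(lan)
    return {
        "lan": str(lan),
        "client_ip": str(client_if.ip),
        "client_net": str(client_net),
        "client_ip_in_lan": client_if.ip in lan,
        "client_net_overlaps_lan": overlaps,
        "ok": not overlaps,
    }


def audit(scenarios: list[tuple[str, str]]) -> list[dict]:
    """Run check_mobile_client over (lan, client) pairs and collect results."""
    return [check_mobile_client(lan, client) for lan, client in scenarios]


# Scenarios reconstructed from the thread (constructed sample input):
#  1. original post: LAN 172.16.0.0/16, client 172.16.111.22/16
#  2. second attempt: LAN 172.16.0.0/19, client 172.16.200.22 -- the /16
#     mask here is an ASSUMPTION, not stated in the post
#  3. final fix: client moved to a 192.168.x.x network (address chosen here)
SCENARIOS = [
    ("172.16.0.0/16", "172.16.111.22/16"),
    ("172.16.0.0/19", "172.16.200.22/16"),
    ("172.16.0.0/19", "192.168.100.22/24"),
]

if __name__ == "__main__":
    for r in audit(SCENARIOS):
        verdict = "OK" if r["ok"] else "OVERLAP"
        print(f"{verdict:8} LAN {r['lan']:18} client {r['client_ip']:15} "
              f"client-net {r['client_net']:18} ip-in-lan={r['client_ip_in_lan']}")
```

The second scenario is the instructive one: the client address 172.16.200.22 is outside 172.16.0.0/19, so a check that only asks "is the client IP inside the LAN?" passes, yet the client's /16 still covers the whole LAN and the overlap remains. Checking the client's network against the LAN network, not just the single address, is what catches it.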

            I have now changed the LAN network to 172.16.0.0/19 which has the subnet 255.255.224.0 and the mobile client is set to use IP 172.16.200.22, which means that the client is not within the /19 subnet. Still the same error.

            • steqve

              Changed mobile warrior to use 192.168 network and now it works fine.
