Tunnel up, can ping FW, and can configure through https, but no traffic routed
-
Hello guys,
I've been using pfSense for some years now but only used PPTP as VPN. Now I'm trying to use pfSense and Shew VPN together.
I have searched the forum for a similar problem but havn't found one.
The problem is that no data is routed from the mobile client to internal IP:s. Well, this is a common problem here…
But I can ping the FW, i can browse to the FW and configure it. I can ping the client from the FW so the link is really up and running.
I have double and triple checked the settings in pfSense and Shrew and they are the same.
There is a "pass all" rule for IPsec just as for PPTP (which works).
What could be the reason for the traffic not beeing routed? It seems like the IPsec->LAN rule is not working, but I cannot see why.
IP-setup of client in Shrew: 172.16.111.22/16
When tunnel is up, the route in windows looks like this:
172.16.0.0 255.255.0.0 172.16.111.22 172.16.111.22 1
172.16.111.22 255.255.255.255 127.0.0.1 127.0.0.1 30
172.16.255.255 255.255.255.255 172.16.111.22 172.16.111.22 30IPsec log:
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.0.0/16[0] 172.16.111.22/32[0] proto=any dir=out"
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in"
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=2760772392(0xa48e0b28)
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=47611494(0x2d67e66)
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in
Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: XX[0]<=>YY[0]
Apr 8 12:49:01 racoon: INFO: generated policy, deleting it.
Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established XX[500]-YY[4849] spi:2eddb914b17bf772:34953d56716b0602
Apr 8 12:49:01 racoon: INFO: received Vendor ID: DPD
Apr 8 12:49:01 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
Apr 8 12:49:01 racoon: INFO: received Vendor ID: RFC 3947
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 8 12:49:01 racoon: INFO: begin Aggressive mode.
Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiationAs I have heard, the two errors are not the issue. Correct?
And status:
Source Destination Protocol SPI Enc. alg. Auth. alg.
aa bb ESP a48e0b28 3des-cbc hmac-sha1
bb bb ESP 02d67e66 3des-cbc hmac-sha1ip-rule for IPsec:
Proto Source Port Destination Port Gateway Schedule Description
-
-
-
-
-
- IPSEC passthruu
-
-
-
-
Ping FW: 172.16.0.1 works ok!
Ping 172.16.111.22 from FW works ok!
Ping any other IP from client = no responseBest regards,
Stefan Johansson
-
-
No ideas?
Should I have any other rule than the one for IPSec?
-
The subnets which you are using overlap. That may be part of the problem.
-
I have now changed the LAN network to 172.16.0.0/19 which has the subnet 255.255.224.0 and the mobile client is set to use IP 172.16.200.22 wchich means that the client is not within the /19 subnet. Still the same error.
-
changed mobile warrior to use 192.168 network and now it works fine.
