    Tunnel up, can ping FW, and can configure through https, but no traffic routed

    IPsec
steqve:

      Hello guys,

I've been using pfSense for some years now but only used PPTP as VPN. Now I'm trying to use pfSense and Shrew VPN together.

I have searched the forum for a similar problem but haven't found one.

The problem is that no data is routed from the mobile client to internal IPs. Well, this is a common problem here…

But I can ping the FW, I can browse to the FW and configure it. I can ping the client from the FW so the link is really up and running.

      I have double and triple checked the settings in pfSense and Shrew and they are the same.

      There is a "pass all" rule for IPsec just as for PPTP (which works).

What could be the reason for the traffic not being routed? It seems like the IPsec->LAN rule is not working, but I cannot see why.

      IP-setup of client in Shrew: 172.16.111.22/16

      When tunnel is up, the route in windows looks like this:

      172.16.0.0      255.255.0.0    172.16.111.22  172.16.111.22      1
      172.16.111.22  255.255.255.255        127.0.0.1      127.0.0.1      30
      172.16.255.255  255.255.255.255    172.16.111.22  172.16.111.22      30

      IPsec log:

      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.0.0/16[0] 172.16.111.22/32[0] proto=any dir=out"
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: ERROR: such policy does not already exist: "172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in"
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=2760772392(0xa48e0b28)
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: IPsec-SA established: ESP XX[0]->YY[0] spi=47611494(0x2d67e66)
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: no policy found, try to generate the policy : 172.16.111.22/32[0] 172.16.0.0/16[0] proto=any dir=in
      Apr 8 12:49:20 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 2 negotiation: XX[0]<=>YY[0]
      Apr 8 12:49:01 racoon: INFO: generated policy, deleting it.
      Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: ISAKMP-SA established XX[500]-YY[4849] spi:2eddb914b17bf772:34953d56716b0602
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: DPD
      Apr 8 12:49:01 racoon: INFO: received broken Microsoft ID: FRAGMENTATION
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: RFC 3947
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
      Apr 8 12:49:01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
      Apr 8 12:49:01 racoon: INFO: begin Aggressive mode.
      Apr 8 12:49:01 racoon: [Unknown Gateway/Dynamic]: INFO: respond new phase 1 negotiation

      As I have heard, the two errors are not the issue. Correct?

      And status:

      Source  Destination  Protocol  SPI  Enc. alg.  Auth. alg. 
      aa bb ESP a48e0b28 3des-cbc hmac-sha1
      bb bb ESP 02d67e66 3des-cbc hmac-sha1

      ip-rule for IPsec:

      Proto  Source  Port  Destination  Port  Gateway  Schedule  Description

                • IPSEC passthruu

      Ping FW: 172.16.0.1 works ok!
      Ping 172.16.111.22 from FW works ok!
      Ping any other IP from client = no response

      Best regards,

      Stefan Johansson


steqve:

        No ideas?

        Should I have any other rule than the one for IPSec?


jimp (Rebel Alliance Developer, Netgate):

          The subnets which you are using overlap. That may be part of the problem.


steqve:

I have now changed the LAN network to 172.16.0.0/19, which has the subnet mask 255.255.224.0, and the mobile client is set to use IP 172.16.200.22, which means that the client is not within the /19 subnet. Still the same error.


steqve:

Changed mobile warrior to use a 192.168 network and now it works fine.

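Added example (not code from the thread or from pfSense): an overlap check for a mobile client's address/mask against the LAN subnet, run over the three configurations tried above. It assumes the client kept its /16 mask when it was moved to 172.16.200.22 (the post only gives the new IP), and the 192.168 client address is constructed; under that assumption it shows why the second attempt still overlapped the /19 LAN even though the address itself was outside it.

```python
# Added example: does the Shrew client's network overlap the pfSense LAN?
# The /16 mask on the second attempt is an assumption (the post only gives
# the new client IP); the 192.168 client address is constructed.
import ipaddress


def overlap_report(client_ip, client_prefix, lan_cidr):
    """Describe how a client address with the given mask relates to the LAN.

    client_in_lan:    the client IP itself falls inside the LAN subnet
    networks_overlap: the client's on-link network (IP/mask) and the LAN share
                      any addresses, which is what the overlap warning is about
    """
    client_net = ipaddress.ip_network(f"{client_ip}/{client_prefix}", strict=False)
    lan = ipaddress.ip_network(lan_cidr)
    overlap = client_net.overlaps(lan)
    return {
        "client_network": str(client_net),
        "client_in_lan": ipaddress.ip_address(client_ip) in lan,
        "networks_overlap": overlap,
        "ok": not overlap,
    }


# (client IP, client prefix length, LAN subnet) for each attempt in the thread
THREAD_CONFIGS = [
    ("172.16.111.22", 16, "172.16.0.0/16"),   # original post: client inside LAN
    ("172.16.200.22", 16, "172.16.0.0/19"),   # LAN changed to /19, mask assumed /16
    ("192.168.111.22", 24, "172.16.0.0/19"),  # constructed 192.168 client network
]


def check_thread_configs():
    """Return one overlap report per configuration, in thread order."""
    return [overlap_report(ip, prefix, lan) for ip, prefix, lan in THREAD_CONFIGS]


if __name__ == "__main__":
    for (ip, prefix, lan), report in zip(THREAD_CONFIGS, check_thread_configs()):
        print(f"client {ip}/{prefix} vs LAN {lan}: {report}")
```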