Mobile IPSec configuration not passing traffic



  • Hi.

    I've followed the IPsec mobile configuration tutorial, and have established an IPsec tunnel between a mobile VPN site and a fixed IP site. The tunnel comes up, and I can access the pfsense end points from a host in the LAN subnet on each network, but no other hosts. There are firewall rules on the IPsec tab on both machines, allowing all traffic to flow.

    So, to summarise:

    fixed host:  196.35.148.67 (WAN)
                 172.16.1.1 (LAN)

    dynamic:     PPPoE-sourced (WAN)
                 192.168.10.201 (LAN)

    Firewall rules (in the IPsec tab) are allow all, from all.

    172.16.1.245 can connect to 192.168.10.201

    192.168.10.25 can connect to 172.16.1.1

    But 172.16.1.245 cannot connect to 192.168.10.25 and vice versa. The tunnels are up, and the SPDs are correct.

    Any ideas / suggestions on how to debug?


  • Rebel Alliance Developer Netgate

    That should work, assuming the clients have the proper gateway, subnet masks, etc., set. You may need to try to tcpdump/packet capture on the enc0 interface on both ends to see if the traffic even makes it into the tunnel, and if it does, in which direction.

    You may want to drop the mobile tunnel method and instead use a traditional IPsec site-to-site tunnel but use a dyndns hostname for the PPPoE side. Just register with dyndns.org, set up that account on the PPPoE router, and then on the fixed host side add a normal IPsec tunnel and put that dyndns hostname into the box where it asks for the peer address. This has worked very well for me.



  • @jimp:

    You may want to drop the mobile tunnel method and instead use a traditional IPsec site-to-site tunnel but use a dyndns hostname for the PPPoE side. Just register with dyndns.org, set up that account on the PPPoE router, and then on the fixed host side add a normal IPsec tunnel and put that dyndns hostname into the box where it asks for the peer address. This has worked very well for me.

    Thanks for your response! Great suggestion, and the tunnel comes up. I can communicate across all protocols, and all ports, from one gateway pfsense host to the other. Problem is that I can't seem to get any communication going either from a gateway to a host behind the other gateway, or from one host to another across gateways.

    I'm truly stumped :-( It also fails across a PPTP VPN, even though the same rule is set (i.e. allow everything, across all protocols). Both pfsense boxes are handing out DHCP / DNS and NAT, so not sure what the issue is.


  • Rebel Alliance Developer Netgate

    In that case you might check other common routing issues:

    • Ensure the pfSense host is the default gateway for internal machines
    • Ensure that both sides are using unique, non-overlapping subnets
    • Ensure that client PCs have proper subnet masks set
    • Ensure there are no client-level firewalls preventing traffic from outside their subnet.

    You may need to try packet captures on several different legs of the tunnel (LAN on each end, the enc0 interface on each end) to see if the traffic is hitting pfSense, if it's making it into the tunnel, coming out the other end, and getting passed on to the clients.
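The routing checklist in the reply above (default gateway, non-overlapping subnets, client subnet masks) and the phase 2 selector question from the first post can be checked mechanically before reaching for tcpdump. The script below is an added example, not code from the thread or from pfSense; it uses the thread's addresses and assumes /24 LAN masks, which the posts do not state, and the `spd_covers` helper is a hypothetical model of a phase 2 local/remote selector, not pfSense's own SPD logic.

```python
import ipaddress
from typing import Dict, List

def check_sites(site_a: Dict, site_b: Dict) -> List[str]:
    """Apply the routing checklist to two LANs joined by an IPsec tunnel.

    A site is {"lan": "172.16.1.0/24", "gateway": "172.16.1.1",
               "clients": [{"addr": "172.16.1.245/24", "gw": "172.16.1.1"}]}.
    Returns human-readable findings; an empty list means every check passed.
    """
    findings: List[str] = []
    nets = {}
    for name, site in (("A", site_a), ("B", site_b)):
        net = ipaddress.ip_network(site["lan"], strict=True)
        nets[name] = net
        gw = ipaddress.ip_address(site["gateway"])
        if gw not in net:
            findings.append(f"site {name}: pfSense LAN address {gw} is not inside {net}")
        for c in site["clients"]:
            iface = ipaddress.ip_interface(c["addr"])
            # Proper subnet mask: the client's view of its LAN must match the real LAN,
            # otherwise it may ARP for remote hosts instead of sending them to the gateway.
            if iface.network != net:
                findings.append(f"site {name}: {iface} has the wrong mask (LAN is {net})")
            # pfSense must be the client's default gateway or replies never enter the tunnel.
            if ipaddress.ip_address(c["gw"]) != gw:
                findings.append(f"site {name}: {iface.ip} uses gateway {c['gw']}, expected {gw}")
    # Unique, non-overlapping subnets: overlapping LANs cannot be routed across a tunnel.
    if nets["A"].overlaps(nets["B"]):
        findings.append(f"LAN subnets overlap: {nets['A']} and {nets['B']}")
    return findings

def spd_covers(local_net: str, remote_net: str, src: str, dst: str) -> bool:
    """Hypothetical phase 2 selector: does local_net<->remote_net match src->dst either way?"""
    loc, rem = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in loc and d in rem) or (s in rem and d in loc)

# Constructed from the thread's addresses; /24 masks are an assumption.
SITE_A = {"lan": "172.16.1.0/24", "gateway": "172.16.1.1",
          "clients": [{"addr": "172.16.1.245/24", "gw": "172.16.1.1"}]}
SITE_B = {"lan": "192.168.10.0/24", "gateway": "192.168.10.201",
          "clients": [{"addr": "192.168.10.25/24", "gw": "192.168.10.201"}]}

if __name__ == "__main__":
    for line in check_sites(SITE_A, SITE_B) or ["all routing checks passed"]:
        print(line)
    print("SPD covers host-to-host:", spd_covers(SITE_A["lan"], SITE_B["lan"],
                                                 "172.16.1.245", "192.168.10.25"))
```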

