Can't reach LAN network via ipsec



  • Hi.

    For simplicity I used the road warrior setup as reference (http://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To)

    I can get both the Shrew and Greenbow clients to connect to 2.0 beta 5 without any problem, but I can't get any traffic to my LAN.

    I got no error messages in ipsec log and nothing blocked in the firewall (don't know if 2.0 can filter ipsec yet).

    Has anyone else got this to work? I have 3 NICs active: WAN, LAN and DMZ, and I'm trying from the Internet via WAN to LAN with the IPsec configuration.

    Is there any way of debugging this? tcpdump? Any clue?

    Best regards, rancor



  • Every time I modify phase 1 I get this error message in the system log: "php: /vpn_ipsec.php: Could not determine VPN endpoint for 'Min tunnel'".

    I can still connect. The IPsec log says:
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: respond new phase 1 negotiation: 85.230.x.x[500]<=>78.79.x.x[500]
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: begin Aggressive mode.
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received Vendor ID: RFC 3947
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received broken Microsoft ID: FRAGMENTATION
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received Vendor ID: DPD
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: received Vendor ID: CISCO-UNITY
    Feb 12 23:05:57 racoon: [78.79.x.x] INFO: Selected NAT-T version: RFC 3947
    Feb 12 23:05:57 racoon: [Min tunnel]: INFO: Adding remote and local NAT-D payloads.
    Feb 12 23:05:57 racoon: [78.79.x.x] INFO: Hashing 78.79.x.x[500] with algo #2
    Feb 12 23:05:57 racoon: [85.230.x.x] INFO: Hashing 85.230.x.x[500] with algo #2
    Feb 12 23:05:58 racoon: [85.230.x.x] INFO: Hashing 85.230.x.x[500] with algo #2
    Feb 12 23:05:58 racoon: [Min tunnel]: INFO: NAT-D payload #0 verified
    Feb 12 23:05:58 racoon: [78.79.x.x] INFO: Hashing 78.79.x.x[500] with algo #2
    Feb 12 23:05:58 racoon: [Min tunnel]: INFO: NAT-D payload #1 verified
    Feb 12 23:05:58 racoon: [Min tunnel]: INFO: NAT not detected
    Feb 12 23:05:58 racoon: [Min tunnel]: INFO: ISAKMP-SA established 85.230.x.x[500]-78.79.x.x[500] spi:573fe7e563ab2367:90f383306e9cf96b
    Feb 12 23:05:58 racoon: [78.79.x.x] INFO: received INITIAL-CONTACT
    Feb 12 23:06:08 racoon: [Min tunnel]: INFO: respond new phase 2 negotiation: 85.230.x.x[500]<=>78.79.x.x[500]
    Feb 12 23:06:08 racoon: [Min tunnel]: INFO: no policy found, try to generate the policy : 192.168.19.6/32[0] 0.0.0.0/0[0] proto=any dir=in
    Feb 12 23:06:08 racoon: [Min tunnel]: INFO: purging ISAKMP-SA spi=573fe7e563ab2367:90f383306e9cf96b.
    Feb 12 23:06:08 racoon: [Min tunnel]: INFO: purged IPsec-SA spi=267667009.
    Feb 12 23:06:08 racoon: [Min tunnel]: INFO: purged ISAKMP-SA spi=573fe7e563ab2367:90f383306e9cf96b.
    Feb 12 23:06:08 racoon: [78.79.x.x] ERROR: unknown Informational exchange received.
    Feb 12 23:06:08 racoon: [78.79.x.x] ERROR: unknown Informational exchange received.
    Feb 12 23:06:09 racoon: [Min tunnel]: INFO: ISAKMP-SA deleted 85.230.x.x[500]-78.79.x.x[500] spi:573fe7e563ab2367:90f383306e9cf96b
    Feb 12 23:08:07 racoon: [Min tunnel]: INFO: unsupported PF_KEY message REGISTER
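    The racoon excerpt above contains the three facts a troubleshooter wants to pull out quickly: whether phase 1 (the ISAKMP-SA) completed, which selectors the phase 2 policy was generated with (here the client's virtual address 192.168.19.6/32 against 0.0.0.0/0, direction in), and how soon afterwards the SA was purged. The following Python script is an added example written for this thread, not code from pfSense or racoon: it parses lines in this format, records those events, and checks whether a given LAN host falls inside the negotiated local-side selector, which tells you whether a missing phase 2 network can explain a ping failure. The sample log is a constructed copy of the lines quoted in the post with the masked 85.230.x.x / 78.79.x.x addresses replaced by documentation addresses (203.0.113.5 and 198.51.100.7) so they parse; the LAN host 192.168.100.254 is taken from the tcpdump example later in the thread.

```python
"""Triage racoon (pfSense 2.0 IPsec daemon) log lines from a mobile-client
connection and report what the exchange negotiated.

Added example for this forum thread; not pfSense's or racoon's own code.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Constructed sample: a cut-down copy of the racoon lines quoted in the post.
# The masked addresses (85.230.x.x / 78.79.x.x) are replaced with documentation
# addresses so they parse; the selectors and SPIs are the ones from the post.
SAMPLE_LOG = """\
Feb 12 23:05:57 racoon: [Min tunnel]: INFO: respond new phase 1 negotiation: 203.0.113.5[500]<=>198.51.100.7[500]
Feb 12 23:05:58 racoon: [Min tunnel]: INFO: NAT not detected
Feb 12 23:05:58 racoon: [Min tunnel]: INFO: ISAKMP-SA established 203.0.113.5[500]-198.51.100.7[500] spi:573fe7e563ab2367:90f383306e9cf96b
Feb 12 23:06:08 racoon: [Min tunnel]: INFO: respond new phase 2 negotiation: 203.0.113.5[500]<=>198.51.100.7[500]
Feb 12 23:06:08 racoon: [Min tunnel]: INFO: no policy found, try to generate the policy : 192.168.19.6/32[0] 0.0.0.0/0[0] proto=any dir=in
Feb 12 23:06:08 racoon: [Min tunnel]: INFO: purged IPsec-SA spi=267667009.
Feb 12 23:06:08 racoon: [198.51.100.7] ERROR: unknown Informational exchange received.
Feb 12 23:06:09 racoon: [Min tunnel]: INFO: ISAKMP-SA deleted 203.0.113.5[500]-198.51.100.7[500] spi:573fe7e563ab2367:90f383306e9cf96b
"""

# "[Min tunnel]:" carries a colon after the bracket, "[198.51.100.7]" does not.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: "
    r"\[(?P<tag>[^\]]+)\]:? (?P<level>[A-Z]+): (?P<msg>.*)$"
)
POLICY_RE = re.compile(
    r"no policy found, try to generate the policy : "
    r"(?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>\w+)"
)


@dataclass
class Selector:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str

    def local_side(self) -> ipaddress.IPv4Network:
        # For an inbound (dir=in) policy the destination is the gateway's side.
        return self.dst if self.direction == "in" else self.src


@dataclass
class Exchange:
    phase1_established: Optional[datetime] = None
    phase2_started: Optional[datetime] = None
    isakmp_deleted: Optional[datetime] = None
    ipsec_sa_purged: bool = False
    selectors: List[Selector] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    def sa_lifetime_seconds(self) -> Optional[int]:
        """Seconds between ISAKMP-SA establishment and deletion, if both were seen."""
        if self.phase1_established and self.isakmp_deleted:
            return int((self.isakmp_deleted - self.phase1_established).total_seconds())
        return None


def parse_racoon_log(text: str) -> Exchange:
    """Walk the log once and record the events that matter for triage."""
    ex = Exchange()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon line in the expected shape; skip it
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        msg = m["msg"]
        if m["level"] == "ERROR":
            ex.errors.append(msg)
        elif msg.startswith("ISAKMP-SA established"):
            ex.phase1_established = ts
        elif msg.startswith("respond new phase 2 negotiation"):
            ex.phase2_started = ts
        elif msg.startswith("no policy found"):
            p = POLICY_RE.search(msg)
            if p:
                ex.selectors.append(Selector(ipaddress.ip_network(p["src"]),
                                             ipaddress.ip_network(p["dst"]),
                                             p["proto"], p["dir"]))
        elif msg.startswith("purged IPsec-SA"):
            ex.ipsec_sa_purged = True
        elif msg.startswith("ISAKMP-SA deleted"):
            ex.isakmp_deleted = ts
    return ex


def covered_by_tunnel(ex: Exchange, host: str) -> bool:
    """True if some negotiated policy's local-side selector contains host."""
    addr = ipaddress.ip_address(host)
    return any(addr in s.local_side() for s in ex.selectors)


def triage(text: str, lan_host: str) -> List[str]:
    """Produce human-readable findings for one client connection attempt."""
    ex = parse_racoon_log(text)
    findings = ["phase 1 established" if ex.phase1_established else "phase 1 never established"]
    if ex.phase2_started and not ex.selectors:
        findings.append("phase 2 started but no selector was recorded")
    for s in ex.selectors:
        findings.append(f"SPD entry generated on the fly: {s.src} -> {s.dst} proto={s.proto} dir={s.direction}")
    if covered_by_tunnel(ex, lan_host):
        findings.append(f"{lan_host} is inside the negotiated local selector; the phase 2 networks are not what blocks it")
    else:
        findings.append(f"{lan_host} is outside every negotiated selector; the phase 2 networks do not cover it")
    if ex.ipsec_sa_purged:
        findings.append("IPsec-SA purged")
    life = ex.sa_lifetime_seconds()
    if life is not None:
        findings.append(f"ISAKMP-SA lived {life}s before deletion")
    findings.extend(f"racoon ERROR: {e}" for e in ex.errors)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "192.168.100.254"):
        print(finding)
```

    Run it against a copy of your own IPsec log (replacing SAMPLE_LOG) and the address of the LAN host you are pinging; if the host is reported as inside the selector and the ISAKMP-SA still lives only a few seconds, the selectors are not the mismatch and the next place to look is the packet path on the LAN side.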



  • Hi Rancor,

    I got this setup working (and yes, traffic going through it) and wrote down how I did it here: http://huijgen.com/tunnel. Troubleshooting IPSec is not what I do best but perhaps you can compare your setup to mine.

    Also, check if the system on your LAN that you are trying to reach isn't blocking connections.



  • @Vorkbaard:

    Hi Rancor,

    I got this setup working (and yes, traffic going through it) and wrote down how I did it here: http://huijgen.com/tunnel. Troubleshooting IPSec is not what I do best but perhaps you can compare your setup to mine.

    Also, check if the system on your LAN that you are trying to reach isn't blocking connections.

    Thanks! I tried your guide but it did not make any difference. I also tried OpenVPN and that was no success :(  The client can connect and gets routing and everything. Trying from both Windows 7 and Ubuntu 10.10 with different clients, but no traffic to LAN. I can't even ping the LAN interface, and the firewall is allowing any to any from both IPsec and OpenVPN, and LAN has no egress filtering.

    The logs show no blocked traffic and the default block policy is logging, so there should not be any problem with the firewall.

    Well, I'm going to 1.2.3 to try if it's me (probably) or that my nightly build is failing (probably not). This is however not my first install and I have managed to get this working without any problem in the past.

    // rancor



  • Is your VPN server/firewall the default gateway for the network?



  • @Cry:

    Is your VPN server/firewall the default gateway for the network?

    Yes. I'm using it between my ADSL modem and my internal networks (LAN and DMZ) as a NAT router, and now I'm trying to enable it for VPN.

    Regards, rancor



  • OK, installed 1.2.3 and I managed to get OpenVPN working on the first try. I can't test IPsec since I'm behind a NAT firewall, with my 3G modem connected to the PC that I'm doing my tests from.

    I will try to run a new clean installation of 2.0 beta with the latest snapshot on another Soekris NET4801 to see if I can get at least OpenVPN to work. I will have to deal with IPsec later :(

    // rancor



  • Check for ESP traffic on your WAN interface using this command (replace pppoe0 with your interface):

    tcpdump -i pppoe0 -n esp

    You should see something like this:

    Then check for traffic on the LAN interface by specifying the host you are trying to reach:

    tcpdump -i vr0 -n host 192.168.100.254

