Comcast DOCSIS 3.0 service Upgrade 50X10 Service IPSEC Fails



  • Last Thursday I upgraded my Comcast service to Comcast DOCSIS 3.0 service 50 down 10 Upload.
    Since doing so my IPSec VPN is no longer working between me and my client.  Both my client and I are using pfSense 1.2.3 system.
    While the Comcast tech was here I changed the WAN interface of the pfSense on my end to DHCP temporary so that I could access to LAN interface of the of the DOCSIS Cable Modem and change the IP address of the modem to the address of my old cable modem.  During this process I received a message from pfSense stating it was updating filters.  I didn’t think much of it.  I logged into the DOCSIS and updated the LAN interface IP address, to the IP address of my old modem before the upgrade.

    Next I changed the WAN interface of my pfSense back to Static Address it use to be and everything appeared to be working fine.  My business class service and my  5 static IP address appeared to be working fine.

    However my VPN IPSec will not route.  Even thought the connection appears to show connected in IP Sec status.

    System logs show:
    Feb 13 20:31:23 racoon: [SideA]: INFO: ISAKMP-SA deleted 12.62.23.52[500]-74.232.4.23[500] spi:8163f2c57410a44c:c8430c016c8395f0
    Feb 13 20:31:22 racoon: [SideA]: INFO: ISAKMP-SA expired 12.62.23.52[500]-74.232.4.23[500] spi:8163f2c57410a44c:c8430c016c8395f0
    Feb 13 18:55:24 racoon: [SideA]: INFO: IPsec-SA established: ESP 12.62.23.52[0]->74.232.4.23[0] spi=213529795(0xcba34c3)
    Feb 13 18:55:24 racoon: [SideA]: INFO: IPsec-SA established: ESP 74.232.4.23[0]->12.62.23.52[0] spi=94617965(0x5a3c16d)
    Feb 13 18:55:24 racoon: [SideA]: INFO: initiate new phase 2 negotiation: 12.62.23.52[0]<=>74.232.4.23[0]
    Feb 13 18:55:24 racoon: [SideA]: INFO: IPsec-SA expired: ESP 12.62.23.52[0]->74.232.4.23[0] spi=92457386(0x582c9aa)
    Feb 13 12:31:23 racoon: [SideA]: INFO: IPsec-SA established: ESP 12.62.23.52[0]->74.232.4.23[0] spi=92457386(0x582c9aa)
    Feb 13 12:31:23 racoon: [SideA]: INFO: IPsec-SA established: ESP 74.232.4.23[0]->12.62.23.52[0] spi=146805243(0x8c011fb)
    Feb 13 12:31:23 racoon: [SideA]: INFO: initiate new phase 2 negotiation: 12.62.23.52[500]<=>74.232.4.23[500]
    Feb 13 12:31:22 racoon: [SideA]: INFO: ISAKMP-SA established 12.62.23.52[500]-74.232.4.23[500] spi:8163f2c57410a44c:c8430c016c8395f0

    I’ve went through the diagnoses and cannot ping anything from one side to the other side cannot send any traffic from one side to the other.
    I have even restored a previous backup configuration from back in last September when I known it to be working and that didn’t help.
    I have checked and rechecked all rules and allow statements.
    I don’t believe it is the configuration as it was working fine prior to the upgrade and the status shows established.
    I don’t believe it is Comcast blocking port 500 traffic or it wouldn’t even establish.
    I’m at a lost at what to check next.
    Any suggestions would greatly appreciated.
    This upgrade has been a greatly downgrade so far.
    Going from the 12X2 service to the 50X10 service has been a real pain in the but.
    Thank you.
    Randy



  • I'm a big fan of IPsec site-site but as a work around to your problem have you thought about trying OpenVPN site-site?

    Roy…



  • I don't seem to have any problems on comcast with docsis 3, recently upgraded and my ipsec tunnels work.  If the sessions are established then it should be a rule issue.  Can you ping from the firewall on the vpn interface to the vpn interface on the other side?



  • No I can not do any pinging or telneting.  However I don't see a IPSec Interface only a LAN  / WAN interface.

    I've setup logging of the connections in rules and see that it is a "pass" in the firewall rules.

    I've tried other ports like telnet and others as well and they "pass" as well but no conectivity.

    Still waiting for a call back from level 2 support from Comcast Business class support.

    I think there doing somethign blocking the traffic.    But if they are why would the connnectiong show established.

    I've looked at the open VPN suggestion as an alterntive.   Looks a little over my head to setup.   Not familair with this time of Site to Site connectivity.



  • the OpenVPN Site-Site using Shared Key is easy to setup and very reliable and robust!  if you decide to give it a try and need help, just post in the OpenVPN forum and I'm sure you will not have any trouble getting help.

    Roy…

    How-to: http://doc.pfsense.org/index.php/OpenVPN_Site_To_Site



  • This isssue has been solved.  In the old router with Comcast I was doing double nating.  Having  a DMZ zone in the middle between their router and my pfSense.

    Finally after level 2 Support called me back from Comcast DOCSIS 3.0 router does not support the double Natting.

    Removed the DMZ zone in the middle and got true public IP address on teh WAN interface of pfSense and set bridge mode on the DOCSIS 3.0 Modem with Comcast and everything is happy happy now.

    Moral of the story don't turn on NAT with comcast put thieir router in Bridge mode by during off NAT, DHCP and DMZ Zone.


Log in to reply