IPSec VPN not routing outgoing traffic over IPsec tunnel



  • I am running v1.2.3 and have created a VPN link between a client site and their hosting provider.  The VPN link is up and traffic initiated on the remote (hosting provider) side of the link works perfectly.  However, no traffic initiated from the client side reaches the remote site.  There is no entry in the firewall log to indicate the firewall is blocking the traffic and there are ALLOW ALL rules created in the IPSec firewall config.

    Here is a summary of the settings at our end:

    Interface: WAN
    DPD interval:      60 seconds
    Local subnet: 192.168.10.0/24
    Remote subnet: 10.0.26.0/27
    Remote gateway: (removed)
    Description:
    
    Phase 1 proposal (Authentication)
    Negotiation mode: Aggressive
    My identifier: My IP address
    Encryption algorithm: 3DES
    Hash algorithm: MD5
    DH key group: 2
    Lifetime: 28800 seconds
    Authentication method: PSK
    Pre-Shared Key: (As supplied by provider)
    
    Phase 2 proposal (SA/Key Exchange)
    Protocol: ESP
    Encryption algorithms: 3DES (Only option enabled)
    Hash algorithms: MD5 (Only option enabled)
    PFS key group: 2
    Lifetime: (none)
    

    I have rebuilt the VPN config from scratch, rebooted the router countless times and nothing has changed the situation.  What steps can I take to troubleshoot this further?



  • Hello,

    You can make packet captures with tcpdump command in CLI:

    • on LAN interface: to be sure packets are coming on the LAN interface.

    • on IPSec interface: to see if packets are encapsulated in the IPSec tunnel.

    • on the WAN (or OPTx) interface: to check if the packet is not sent to another interface.

    Hope this helps.
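    As an added illustration of the three-point capture described above (this is not code from the thread or from pfSense), here is a small Python triage that reads tcpdump output lines taken at each point and reports the first point where the LAN-originated traffic is no longer seen. The subnets are the ones from the original post; the interface names em1 and pppoe0, the tcpdump filters and the sample capture lines are assumptions.

```python
import ipaddress
import re
# Subnets from the thread; interface names em1/pppoe0 are assumptions for the
# poster's box, and every capture line below is constructed, not a real trace.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
REMOTE_NET = ipaddress.ip_network("10.0.26.0/27")
# Order a LAN-originated packet should appear in, with the (assumed) tcpdump
# filter to run at each point; "wan" only ever shows the ESP wrapper.
CAPTURE_POINTS = [
    ("lan", "tcpdump -ni em1 net 10.0.26.0/27"),
    ("enc0", "tcpdump -ni enc0 net 10.0.26.0/27"),
    ("wan", "tcpdump -ni pppoe0 esp"),
]
HINTS = {
    "lan": "packets never reach the firewall: check client routing",
    "enc0": "seen on LAN but not encapsulated: no Phase 2 SA matches src/dst",
    "wan": "encapsulated but no ESP on WAN: check egress interface and routes",
    None: "ESP leaves the WAN: look at the path (MTU) or the remote side",
}
ADDR_RE = re.compile(r"IP (\d+(?:\.\d+){3,4}) > (\d+(?:\.\d+){3,4}):")
ESP_RE = re.compile(r"ESP\(spi=0x[0-9a-fA-F]+,seq=0x[0-9a-fA-F]+\)")

def _addr(token):
    # tcpdump appends ".port" for TCP/UDP; keep only the four address octets
    return ipaddress.ip_address(".".join(token.split(".")[:4]))

def _plaintext_hit(line):
    # A plaintext packet heading from the local LAN to the remote subnet
    m = ADDR_RE.search(line)
    if not m:
        return False
    src, dst = (_addr(t) for t in m.groups())
    return src in LOCAL_NET and dst in REMOTE_NET

def locate_drop(captures):
    # First capture point where outbound traffic is absent; None if ESP is
    # visible on the WAN too, i.e. the loss is beyond this firewall
    checks = {"lan": _plaintext_hit, "enc0": _plaintext_hit,
              "wan": lambda line: ESP_RE.search(line) is not None}
    for name, _cmd in CAPTURE_POINTS:
        if not any(checks[name](line) for line in captures.get(name, [])):
            return name
    return None

def diagnose(captures):
    return HINTS[locate_drop(captures)]

# Constructed sample: the ping is seen on the LAN but never reaches enc0.
SAMPLE = {
    "lan": ["12:00:01.000001 IP 192.168.10.15 > 10.0.26.5: ICMP echo request, id 1, seq 1, length 64"],
    "enc0": [], "wan": [],
}
```

    Run the three captures while pinging a host in 10.0.26.0/27 from the LAN, paste each capture's lines into the matching list, and `diagnose()` names the stage to look at.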



  • @psylo:

    Hello,

    You can make packet captures with tcpdump command in CLI:

    • on LAN interface: to be sure packets are coming on the LAN interface.

    • on IPSec interface: to see if packets are encapsulated in the IPSec tunnel.

    • on the WAN (or OPTx) interface: to check if the packet is not sent to another interface.

    Hope this helps.

    Thanks.

    I rebuilt the router with 2.0 RC1 on the off chance that I messed something up.  The problem remained.

    Armed with the traffic logs, I spoke to our service provider.  I was able to confirm that the data was definitely leaving our end.  We eventually found that one remote IP returned a PING, but another didn't.  During the testing, after a week of the problem existing, the fault suddenly disappeared.  They swear that they did not make any change to the config at their end.



  • I thought the VPN was working, but it turns out not to be.

    I can't seem to find the right MTU setting to resolve the issue.  No matter what I set the PPPoE WAN interface's MTU to, we still end up with fragmentation problems.  In 2.0 RC1, the webgui setting for MTU seems to be ignored and it was not until I edited line 1414 of /etc/inc/interfaces.inc was I able to force the pppoe0 interface to have an MTU lower than 1492.

    I have set it to 1350, but the enc0 interface still has an MTU of 1536.  How do I change that?

    Am I overlooking some tick box or value that I should be seeing?

    BTW, when I am connected from home to our PPTP VPN (hosted on a Windows server behind the pfSense firewall), and route through the PPTP tunnel to reach the servers at the other end of the IPSec tunnel, everything works fine.  The MTU for the MPD5 PPPoE ADSL connection on my custom-built FreeBSD/PF setup is 1480.



  • I have now tested it by configuring the internal PCs to VPN into the internal network and routing all traffic through it.  Without ripping the pfSense firewall out and rebuilding it as a manual FreeBSD setup, I don't know how else to fix the problem.

