100% Loss on ESP Packet



  • Dear PfSense Community,

    I am new to PfSense and trying to solve this problem since yesterday morning. I hope, experienced users can give me a hand on this…

    Briefly, the problem is that the re-routed ESP packets from a site-to-site VPN tunnel in front of pfSense are dropped silently.

    Let me give you some detailed information;

    I have a pfSense box for the internal network, and a Zyxel ADSL router with VPN capabilities for the internet connection.

    I have a VPN tunnel between these two networks:

    NETWORK A: 172.19.19.0/24 (EXTERNAL NETWORK)

    NETWORK B: 10.53.1.0/24 (INTERNAL NETWORK)

    The IP address of the pfSense LAN interface is 10.53.1.2
    The IP address of the Zyxel router is 10.53.1.10
    They are connected to the same switch and are also in the same subnet (10.53.1.0/24)

    I'll use the other NICs for a guest network and for an additional WAN connection.

    First of all, when I use the ADSL modem directly, I can connect to Network A from Network B and have been using this tunnel like that for the last 6 months. However, when I activate pfSense and ping Network B (for example 172.19.19.20) I can't get any replies back.

    The Zyxel router is set as the default gateway on pfSense (I also tried adding a static route).

    By looking at the logs of the Zyxel ADSL router,
    I saw that the remote gateway (the secure gateway for Network A, 172.19.19.0/24) replies back with an ESP packet;
    the ADSL router forwards it to the pfSense machine 10.53.1.2, however the packet is not forwarded to the originating machine. (I also tried to traceroute/ping from the pfSense machine but never got a reply back.)

    Because I see that the packet is forwarded to pfSense by the ADSL router, I started a packet capture and looked for those packets.

    The result of a traceroute command is below:
    14:00:30.208368 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0xd), length 156
    14:00:34.060737 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0xe), length 156
    14:00:38.063290 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0xf), length 156
    14:00:42.059966 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0x10), length 124
    14:00:46.063423 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0x11), length 124
    14:00:50.069793 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0x12), length 124
    14:00:54.064815 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0x13), length 124
    14:00:58.066699 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0x14), length 124
    and so on...

    Btw., there are no logs in System Logs > Firewall.
    I also set an "any" rule on the LAN interface for testing, but it still doesn't work.

    Any help will be appreciated.

    Thanks in advance,

    UPDATE

    Today, while checking the states table, I saw the lines below:

    After a remote desktop connection attempt to 172.19.19.51:
    tcp 172.19.19.51:3389 <- 10.53.1.20:49556 CLOSED:SYN_SENT
    tcp 10.53.1.20:49556 -> 172.19.19.51:3389 SYN_SENT:CLOSED
    esp 10.53.1.2 <- 212.x.x.178 NO_TRAFFIC:SINGLE
    (212.x.x.178 is the remote gateway's IP)

    Traceroute attempt to 172.19.19.51:
    icmp 172.19.19.51:1 <- 10.53.1.20 0:0
    icmp 10.53.1.20:1 -> 172.19.19.51 0:0
    esp 10.53.1.2 <- 212.183.15.178 NO_TRAFFIC:SINGLE
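    The capture and state-table excerpts above contain enough structure to check mechanically for the symptom being described: ESP arriving at the pfSense LAN address for an SPI on which the box never sends anything back, and a pf state for that pair stuck at NO_TRAFFIC:SINGLE. The script below is an added example, not code from the original post or from the pfSense project; it parses the poster's own tcpdump and state lines (embedded here as constructed sample input, with the redacted 212.x.x.178 address kept as written) and flags one-directional ESP flows and single-direction ESP states. The function names and the `local_ip` parameter are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the tcpdump lines quoted in the post (address redaction kept).
CAPTURE = """\
14:00:30.208368 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0xd), length 156
14:00:34.060737 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0xe), length 156
14:00:38.063290 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0xf), length 156
14:00:42.059966 IP 212.x.x.178 > 10.53.1.2: ESP(spi=0xd00d0f67,seq=0x10), length 124
"""

# Constructed sample input: the pf state-table lines quoted in the post.
STATES = """\
tcp 172.19.19.51:3389 <- 10.53.1.20:49556 CLOSED:SYN_SENT
tcp 10.53.1.20:49556 -> 172.19.19.51:3389 SYN_SENT:CLOSED
esp 10.53.1.2 <- 212.x.x.178 NO_TRAFFIC:SINGLE
"""

# tcpdump ESP summary line: "<ts> IP <src> > <dst>: ESP(spi=0x..,seq=0x..), length N"
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)$"
)

# pf state line as shown in the GUI/pfctl summary: "<proto> <a> <- or -> <b> <state>"
STATE_RE = re.compile(
    r"^(?P<proto>\w+) (?P<left>\S+) (?P<dir><-|->) (?P<right>\S+) (?P<state>\S+)$"
)


def parse_esp(capture):
    """Group ESP packets by (src, dst, spi); value is the list of sequence numbers seen."""
    flows = defaultdict(list)
    for line in capture.splitlines():
        m = ESP_RE.match(line.strip())
        if m:
            flows[(m["src"], m["dst"], m["spi"])].append(int(m["seq"], 16))
    return dict(flows)


def one_way_spis(flows, local_ip):
    """Return inbound ESP flows to local_ip whose peer never receives ESP from local_ip.

    ESP that only ever arrives is the signature of a host receiving packets for an SA it
    does not hold: pf may pass them, but the IPsec stack has nothing to decrypt them with.
    """
    outbound_peers = {dst for (src, dst, _spi) in flows if src == local_ip}
    findings = []
    for (src, dst, spi), seqs in flows.items():
        if dst == local_ip and src not in outbound_peers:
            findings.append({
                "peer": src,
                "spi": spi,
                "packets": len(seqs),
                "first_seq": min(seqs),
                "last_seq": max(seqs),
                # Contiguous sequence numbers mean the peer keeps sending fresh
                # packets, not retransmits, so nothing is being answered at all.
                "contiguous": sorted(seqs) == list(range(min(seqs), max(seqs) + 1)),
            })
    return findings


def single_direction_esp_states(states):
    """Return esp states that never saw traffic in the reply direction (NO_TRAFFIC:SINGLE)."""
    found = []
    for line in states.splitlines():
        m = STATE_RE.match(line.strip())
        if m and m["proto"] == "esp" and "NO_TRAFFIC" in m["state"]:
            found.append({"local": m["left"] if m["dir"] == "<-" else m["right"],
                          "peer": m["right"] if m["dir"] == "<-" else m["left"],
                          "state": m["state"]})
    return found


def diagnose(capture, states, local_ip):
    """Combine both checks; True means ESP reaches local_ip but is never answered."""
    flows = one_way_spis(parse_esp(capture), local_ip)
    stuck = single_direction_esp_states(states)
    return {"one_way_flows": flows, "stuck_states": stuck,
            "esp_unanswered": bool(flows) and bool(stuck)}


if __name__ == "__main__":
    result = diagnose(CAPTURE, STATES, "10.53.1.2")
    for f in result["one_way_flows"]:
        print(f"inbound-only ESP from {f['peer']} spi={f['spi']} "
              f"({f['packets']} packets, seq {f['first_seq']}..{f['last_seq']})")
    for s in result["stuck_states"]:
        print(f"esp state {s['local']} <- {s['peer']} is {s['state']}")
    print("ESP reaches the box but is never answered:", result["esp_unanswered"])
```

A positive result here separates the two possible drop points: a pf block would show up under System Logs > Firewall, whereas an ESP packet that pf passes but that matches no security association on the box is discarded by the kernel's IPsec input path without any firewall log entry; on FreeBSD-based systems such as pfSense those drops are counted in `netstat -s -p esp` rather than in pf's logs, which is the next place to look when the firewall log stays empty.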



  • Some additions:

    I am using pfSense 2.0RC1



  • I know you said there's nothing in the firewall logs, but you have to explicitly allow the ping packets through on the WAN interface with a firewall rule.


Locked