Strange IPSec site 2 site problem. SOLVED



  • Here is my problem, which I have tried to solve for a long time now.

    Site A - has pfSense 2 RC3
    Site B - Draytek 2820N

    My IPsec tunnel does come up and I can ping hosts in site B from site A.
    I can NOT ping from site B to site A.
    I have set the allow-all rule under the IPsec tab for rules and I have enabled logging on it.

    When I check the firewall log I do see the incoming ICMP request to the host on site A from site B through the IPsec tunnel.
    I have also added a rule to log all outgoing traffic from the host in site A that I am trying to ping from site B, but I can not see that the host in site A is sending any ICMP traffic back.   ???

    So does anyone have a good hint for where I can start to look to fix this?



  • Capture traffic while pinging from site B to site A.



  • Thanks, will do it first thing tomorrow and take out the microscope and fine-comb the packets.

    I have been thinking about this on my way home and wonder if it could be routing????

    Guess the capture tomorrow will show…

    Thanks for the tip Metu69salemi



  • Hmmm, this did not make me smarter.. When I did a packet capture on IPsec on site A I got this:

    08:58:56.508572 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 1542, length 40
    08:59:02.036283 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 1798, length 40
    08:59:07.563574 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 2054, length 40
    08:59:13.091118 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 2310, length 40
    08:59:18.618934 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 2566, length 40



  • Have now set up a copy of this site-to-site IPsec VPN on the pfSense box at site A to site C (running pfSense 2.0 RC3) and I have the same problem.
    So I think that the problem has to be in the box at site A.

    Anyone agree on this??

    Here is the IPsec packet capture from the box at site A when trying to ping from site C:

    09:23:11.613510 (authentic,confidential): SPI 0x0d33a7eb: IP 10.100.10.1 > 10.0.10.253: ICMP echo request, id 2315, seq 186, length 64
    09:23:12.628688 (authentic,confidential): SPI 0x0d33a7eb: IP 10.100.10.1 > 10.0.10.253: ICMP echo request, id 2315, seq 187, length 64
    09:23:13.643724 (authentic,confidential): SPI 0x0d33a7eb: IP 10.100.10.1 > 10.0.10.253: ICMP echo request, id 2315, seq 188, length 64
    09:23:14.659120 (authentic,confidential): SPI 0x0d33a7eb: IP 10.100.10.1 > 10.0.10.253: ICMP echo request, id 2315, seq 189, length 64
    09:23:15.675180 (authentic,confidential): SPI 0x0d33a7eb: IP 10.100.10.1 > 10.0.10.253: ICMP echo request, id 2315, seq 190, length 64



  • And when I do a packet capture on the LAN interface on site A I get this:

    09:36:33.738847 IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 49926, length 40
    09:36:39.266650 IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 50182, length 40
    09:36:44.811789 IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 50438, length 40
    09:36:50.322029 IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 50694, length 40
    09:36:55.850848 IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 50950, length 40

    So it looks like it should work but it just does NOT!  ???

    When I opened the capture file in Wireshark I did see that the ICMP packets have an incorrect checksum in the header; it is set to 0x0000 and should in one case be 0xc4c9.

    Not sure if this has anything to do with my problem.

    Any help would be appreciated.  ;D
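The two captures in this post show echo requests arriving through the tunnel and leaving the LAN interface, with no echo replies anywhere. As an added example that is not part of the original thread, the Python below parses tcpdump lines in the format pfSense's packet capture produced here (with or without the IPsec "(authentic,confidential): SPI ..." prefix) and pairs every echo request with its reply by (client, server, id, seq), so a one-way flow stands out at once instead of having to be eyeballed. The sample capture embeds the thread's own IPsec lines plus a constructed healthy flow (10.0.0.7, id 700) for contrast; the regex and the function names are assumptions of mine, not anything pfSense ships.

```python
import re
from collections import defaultdict

# Matches the tcpdump lines pfSense's packet capture printed in this thread. The
# "(authentic,confidential): SPI 0x...:" prefix only appears on the IPsec capture,
# so it is optional; the LAN capture lines match the same pattern without it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\(authentic,confidential\):\s+SPI\s+(?P<spi>0x[0-9a-fA-F]+):\s+)?"
    r"IP\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+"
    r"ICMP echo (?P<kind>request|reply),\s+id\s+(?P<id>\d+),\s+"
    r"seq\s+(?P<seq>\d+),\s+length\s+(?P<len>\d+)"
)

# Constructed sample: the five IPsec lines from the thread (one-way, id 512)
# followed by a made-up healthy flow from 10.0.0.7 that does get answered.
SAMPLE_CAPTURE = """
08:58:56.508572 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 1542, length 40
08:59:02.036283 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 1798, length 40
08:59:07.563574 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 2054, length 40
08:59:13.091118 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 2310, length 40
08:59:18.618934 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.6 > 10.0.10.253: ICMP echo request, id 512, seq 2566, length 40
09:00:01.000000 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.7 > 10.0.10.253: ICMP echo request, id 700, seq 1, length 64
09:00:01.000900 (authentic,confidential): SPI 0x08638ad7: IP 10.0.10.253 > 10.0.0.7: ICMP echo reply, id 700, seq 1, length 64
09:00:02.000000 (authentic,confidential): SPI 0x08638ad6: IP 10.0.0.7 > 10.0.10.253: ICMP echo request, id 700, seq 2, length 64
09:00:02.000800 (authentic,confidential): SPI 0x08638ad7: IP 10.0.10.253 > 10.0.0.7: ICMP echo reply, id 700, seq 2, length 64
""".strip().splitlines()


def parse_line(line):
    """Return a dict of fields for one ICMP echo line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("id", "seq", "len"):
        d[k] = int(d[k])
    return d


def pair_echoes(lines):
    """Pair echo requests with replies.

    Returns {(client, server, id): {"requests": n, "replies": n, "unanswered": [seq, ...]}}.
    A reply is credited to the flow of the request it answers, i.e. the key is
    always (pinging host, pinged host, id) regardless of direction.
    """
    flows = defaultdict(lambda: {"requests": 0, "replies": 0, "unanswered": []})
    pending = {}  # (client, server, id, seq) -> timestamp of the unanswered request
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue  # not an ICMP echo line (e.g. a capture header); ignore it
        if p["kind"] == "request":
            key = (p["src"], p["dst"], p["id"])
            flows[key]["requests"] += 1
            pending[key + (p["seq"],)] = p["ts"]
        else:
            key = (p["dst"], p["src"], p["id"])  # reply travels server -> client
            flows[key]["replies"] += 1
            pending.pop(key + (p["seq"],), None)
    for (client, server, icmp_id, seq) in pending:
        flows[(client, server, icmp_id)]["unanswered"].append(seq)
    return dict(flows)


def one_way_flows(flows):
    """Keys of flows that carried requests but never a single reply."""
    return sorted(k for k, v in flows.items() if v["requests"] and v["replies"] == 0)


if __name__ == "__main__":
    flows = pair_echoes(SAMPLE_CAPTURE)
    for key, stats in flows.items():
        print(key, stats)
    print("one-way:", one_way_flows(flows))
```

Running it on the sample reports the 10.0.0.6 flow as one-way with all five sequence numbers unanswered and the 10.0.0.7 flow as fully answered. A flow that appears as requests on the LAN interface but never produces replies points at the target host rather than the tunnel: the host either never saw the packet or could not route a reply back to a non-local source, which is exactly what the final post in this thread turned out to be.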



  • New strange turn of events.

    I found that I can from site B ping site A's LAN IP and from site C ping site A's LAN IP ???  ???

    This makes less and less sense to me.  :-[



  • Okay, I have solved it and it was NOT an IPsec problem.

    It was all down to the fact that I had NOT set a GW on the access point that I was using for the ping test.

    I am now going to go and kick myself a bit, but anyway I have hardened my IPsec skills  :P  ;D

