Connected successfully to a Sonicwall TZ170 but…

billm

@cmb:

@sullrich:

I'm still curious why I never need to do this.  I connect to any machine across the pfSense tunnel and connect to RDP, etc.

Why is it different in this case?

That's one I've never figured out.  :D  I've also successfully run RDP and about everything else over VPN tunnels using m0n0wall and pfsense.  Client side group policy processing is the only issue I can easily replicate, because it sends a 2000 byte ping to determine link speed for GPO processing purposes.  Because this never gets a reply, the machine aborts group policy processing.  You can disable this pretty stupid means of link speed testing via group policy (though it's kinda hard to apply a fix through group policy to machines that can't apply group policies ;) ) or a registry change.

But it's easy to see and replicate the problem.  Do a "ping -l 1400 10.x.x.x" to something across the tunnel, and it'll work.  Increase it to 1470 or something like that, and it won't.  You should be able to ping our servers at BGN with any size packet you want (it'll frag, so only if you allow frags out your LAN).  The same won't work over VPN once you get over 1460 or so (though I've also seen oddities where it worked up into the 1460's before the packets started disappearing, which is another oddity).

Works for me?

ping -s 1600 192.168.177.254

PING 192.168.177.254 (192.168.177.254): 1600 data bytes
1608 bytes from 192.168.177.254: icmp_seq=0 ttl=63 time=61.553 ms
1608 bytes from 192.168.177.254: icmp_seq=1 ttl=63 time=31.591 ms
1608 bytes from 192.168.177.254: icmp_seq=2 ttl=63 time=33.823 ms

–Bill

lsf

CMB you are correct about assuming that you should be able to send 1499 (1500 actually) while the DF bit is set. Most likely you have run some internet tuning software or somthing that has been playing with some TCP settings. Because you should indeed be able to ping -f -s 1492 host.to.ping (should become 1500 bytes when you add the 8 byte overhead) so you should receive a 1500byte ping reply.
Sidenote: IIRC there was some PMTU discovery fix on FBSD not long ago. (last week or this week).

HaloGray

I went over to my linux box and pinged a host on the lan and then vpn.

$ ping -s 1492 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 1492(1520) bytes of data.
1500 bytes from 192.168.0.3: icmp_seq=1 ttl=128 time=6.54 ms
1500 bytes from 192.168.0.3: icmp_seq=2 ttl=128 time=6.10 ms

LAN connection works.

$ ping -s 1492 10.50.1.1
PING 10.50.1.1 (10.50.1.1) 1492(1520) bytes of data.

–- 10.50.1.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 1998ms

VPN does not.  The MTU on my pfSense WAN connection is actually set at 1472, and pinging over the VPN from here succeeds at that level... so I'm confused.  Any thoughts?

docjay

HaloGray,  – You said that you successfully connected PfSense to a tZ170.. I would like to know how you did it.  I 've been trying all day and I can only get the 1st proposal to negotiate & when it comes to the 2nd proposal, pfsense says that it failed to get the sa info.. I'm using 3DES, MD5 - Main mode with a liftime of 3600 for both proposals on each end of the tunnel & a shared secret.  Also, I have PFS turned off on both ends.  It sorta looks like the sonicwall might be sending the SA incorrectly.. in the logs below its stating that its loading the IPSec SA and doesn't do anything else with it.  How is your sonicwall configured or do you have control of that end of the tunnel too like me?  I am running PfSense 1.0.1 as of right now.  I tried the latest snapshot and it wouldn't allow me to open any ports even though I could create the rules...firewall would just not let anything through, so I went back to 1.0.1

This wasn't an issue with monowall as the tunnel opened up the 1st time I configured it...I sorta thought it would be the same with pfsense... WRONG

Any light that you or anyone else can shine on this problem would be very helpful!!  Thanks!

here is the log

PFSENSE Log:

Jan 27 19:15:44 racoon: INFO: respond new phase 2 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:15:35 racoon: ERROR: failed to pre-process packet.
Jan 27 19:15:35 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:35 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:35 racoon: INFO: respond new phase 2 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:15:31 racoon: ERROR: failed to pre-process packet.
Jan 27 19:15:31 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:31 racoon: ERROR: failed to get sainfo.
Jan 27 19:15:31 racoon: INFO: respond new phase 2 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:15:30 racoon: INFO: ISAKMP-SA established my public IP[500]-remote endpoint IP[500] spi:298954413c2a7e57:bc05551c9144678a
Jan 27 19:15:30 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Jan 27 19:15:30 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jan 27 19:15:30 racoon: INFO: begin Identity Protection mode.
Jan 27 19:15:30 racoon: INFO: respond new phase 1 negotiation: my public IP[500]<=>Sonicwall public IP[500]
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 172.25.47.0/24[0] 192.168.168.0/32[0] proto=any dir=out
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 172.25.47.1/32[0] 172.25.47.0/24[0] proto=any dir=out
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 192.168.168.0/32[0] 172.25.47.0/24[0] proto=any dir=in
Jan 27 19:14:20 racoon: ERROR: such policy already exists. anyway replace it: 172.25.47.0/24[0] 172.25.47.1/32[0] proto=any dir=in
Jan 27 19:14:20 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 27 19:14:20 racoon: INFO: 172.25.47.1[500] used as isakmp port (fd=20)
Jan 27 19:14:20 racoon: INFO: fe80::208:c7ff:fe45:b765%fxp0[500] used as isakmp port (fd=19)
Jan 27 19:14:20 racoon: INFO: fe80::208:c7ff:fe49:3a42%fxp1[500] used as isakmp port (fd=18)
Jan 27 19:14:20 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 27 19:14:20 racoon: INFO: 70.189.100.15[500] used as isakmp port (fd=17)
Jan 27 19:14:20 racoon: INFO: fe80::208:c7ff:feda:7856%fxp2[500] used as isakmp port (fd=16)
Jan 27 19:14:20 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
Jan 27 19:14:20 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=15)

SONICWALL LOG:

26 01/27/2007 19:15:44.368 Loading IPSec SA (Message ID = 0xf675449b, Local SPI = 0x79e8fb1f, Remote SPI = 0)
27 01/27/2007 19:15:35.352 Loading IPSec SA (Message ID = 0xf675449b, Local SPI = 0x79e8fb1f, Remote SPI = 0)
28 01/27/2007 19:15:30.912 RECEIVED<<< ISAKMP OAK INFO (InitCookie 0x298954413c2a7e57, MsgID: 0x99082F31) *(HASH, NOTIFY:INITIAL_CONTACT) my public IP, 500 (admin) 216.23.14.18, 500
29 01/27/2007 19:15:30.912 SENDING>>>> ISAKMP OAK QM (InitCookie 0x298954413c2a7e57, MsgID: 0xF675449B) *(HASH, SA, NON, ID, ID) Sonicwall public IP, 500 my public IP, 500
30 01/27/2007 19:15:30.912 IKE Initiator: Start Quick Mode (Phase 2). Sonicwall public IP, 500 my public IP, 500
31 01/27/2007 19:15:30.912 IKE Initiator: Main Mode complete (Phase 1) Sonicwall public IP, 500 my public IP, 500 3DES MD5 Group 2 lifeSeconds=3600
32 01/27/2007 19:15:30.912 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) *(ID, HASH) my public IP, 500 (admin) Sonicwall public IP, 500
33 01/27/2007 19:15:30.832 SENDING>>>> ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) *(ID, HASH) Sonicwall public IP, 500 my public IP, 500
34 01/27/2007 19:15:30.736 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (KE, NON) my public IP, 500 (admin) Sonicwall public IP, 500
35 01/27/2007 19:15:30.640 SENDING>>>> ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (KE, NON, VID, VID, VID) Sonicwall public IP, 500 my public IP, 500
36 01/27/2007 19:15:30.544 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal Sonicwall public IP, 500 my public IP, 500
37 01/27/2007 19:15:30.544 RECEIVED<<< ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (SA, VID) my public IP, 500 (admin) Sonicwall public IP, 500
38 01/27/2007 19:15:30.464 SENDING>>>> ISAKMP OAK MM (InitCookie 0x298954413c2a7e57, MsgID: 0x0) (SA, VID) Sonicwall public IP, 500 my public IP, 500
39 01/27/2007 19:15:30.464 IKE Initiator: Start Main Mode negotiation (Phase 1) Sonicwall public IP, 500 my public IP, 500

docjay

fixed my problem with my sonicwall tz170 & pfsense.. on the pfsense side of the tunnel, when I was entering in the remote subnet, I left the subnet class with the default of 32, when it should have been 24.  When I changed that everything worked like it should!    Imagine that..