IPSec Tunnel Static-Static no routing between sites



  • Hi All,

    I have been carefully reading all posts (and googling) and I hope I have not missed the ONE answer to my problem. I think this issue is recurrent but I have not seen any answer that would solve it.

    I am using 1.0.1.snapshot 2007-03.27 on both pfsenses. I have set a site-site IPsec tunnel (static IP on both) and it is up and running. The issue is I have no routing from pfsense A to pfsense B or vice-versa.

    In the routing table there is no Remote LAN address shown. Should I create a static routing? Is it a version bug? which gateway should I chose? and Interface?

    Regards,
    nbviegas



  • IPsec doesn't add static routes. Under Diagnostics -> IPsec, do you have anything in the SAD?



  • Hi cmb,

    Yes, currently I have the 2 entries:

    pfsense A
    Source                 Destination            Protocol  SPI  Enc. alg.  Auth. alg.
    10.0.0.1               <pfsense B pub IP>     ESP       x    12         hmac-md5
    <pfsense B pub IP>     10.0.0.1               ESP       x    12         hmac-md5

    pfsense B
    Source                 Destination            Protocol  SPI  Enc. alg.  Auth. alg.
    10.10.10.5             <pfsense A pub IP>     ESP       x    12         hmac-md5
    <pfsense A pub IP>     10.10.10.5             ESP       x    12         hmac-md5

    I don't know if it has any relevance to the issue: both pfsenses are connected to an ADSL router via Ethernet, and 10.0.0.1 and 10.10.10.5 are the pfsense IP addresses of the interface connected to the ADSL router.

    Thanks in advance,
    nbviegas



  • What are the subnets and subnet masks of the LAN and WAN IPs on both sides?



  • Hi cmb,

    Thanks for your help. I have the following network architecture:

    LAN                        <          Pfsense A           >          <        ADSL          >
    10.20.235.0/24 ---- <10.20.235.253/24 - 10.10.10.5/24> ---- <10.10.10.1/24 - Pub Static IP> ....

    <          ADSL          >          <        pfsense B         >                        LAN
    .... <Pub Static IP - 10.0.0.138/24> ---- <10.0.0.1/24 - 192.168.16.253/24> ---- 192.168.16.0/24

    It is quite simple.
    Cheers,
    nbviegas



  • Hi All,

    Another piece of information that can be helpful:

    1. Under System Logs -> IPSec I can see :

    May 28 19:28:06 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.10.10.5[0]->Public IP Address[0] spi=212041162(0xca37dca)
    May 28 19:28:06 racoon: INFO: IPsec-SA established: ESP/Tunnel Public Ip Address[0]->10.10.10.5[0] spi=76543909(0x48ff7a5)

    2. Under System Logs -> Firewall (as I set up the IPsec rule to log traffic) I can see the ping traffic:

    May 28 19:36:13 ENC0 10.20.235.253 192.168.16.199 ICMP
    May 28 19:36:11 ENC0 10.20.235.253 192.168.16.199 ICMP

    Thanks in advance,
    nbviegas



  • All looks fine, subnets aren't overlapping, traffic is passing through, so it looks like it's making it to the other side.

    At this point, I'm about 99% certain your pfsense config is fine. Time to start looking for network issues.

    Is the default gateway of every system involved pfsense?

    Make sure your subnet masks are /24 everywhere. If you're trying to use 10.x IP machines with a /8 subnet mask you're going to have problems.

    Last, it looks like your WAN IPs are private? Is there any way you can try with public IPs on your pfsense WAN interfaces? It could be that whatever device is doing the NAT is causing problems, though I wouldn't think you would get SAs if that were the case.



  • Hi cmb,

    I have double-checked all netmasks and all shows up as /24  :D

    My issue is basically routing then. Weirdly, when I go to "Diagnostics: Routing Tables" I have nothing saying that 192.168.16.0/24 (on pfsense A) should go through interface ENC0 (IPsec to pfsense B). As for the default gw of pfsense I have - default 10.0.0.138 UGS 0 682017 1500 fxp0 - which is the IP address of the ADSL router.

    Is there any issue with this setup?

    What do you mean by "Is the default gateway of every system involved pfsense?". From what I get, the existing DHCP server gives the default gw as the pfsense LAN IP address.

    Cheers,
    nbviegas



  • @nbviegas:

    My issue is basically routing then. Weirdly, when I go to "Diagnostics: Routing Tables" I have nothing saying that 192.168.16.0/24 (on pfsense A) should go through interface ENC0 (IPsec to pfsense B). As for the default gw of pfsense I have - default 10.0.0.138 UGS 0 682017 1500 fxp0 - which is the IP address of the ADSL router.

    Is there any issue with this setup?

    It's not routing. As I said before, there is no routing involved with IPsec, as far as the routing table is concerned. It's the SPD that encapsulates matching traffic and sends it to the destination.

    @nbviegas:

    What do you mean by "Is the default gateway of every system involved pfsense?". From what I get, the existing DHCP server gives the default gw as the pfsense LAN IP address.

    If you're using pfsense for DHCP for everything and don't have anything statically addressed then you don't have to worry about what the gateways are set to.

    Since the traffic is getting logged at the source end, what about at the destination end if you enable logging there?
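  • The two checks that run through this thread, that the local and remote subnets must not overlap and that the routing table will never show the remote LAN because the SPD, not a route, decides what gets encapsulated, can be made concrete in a small simulation. The following is an added example, not pfSense's or racoon's own code and not posted by anyone in the thread: it models pfsense A's forwarding table and one outbound SPD entry using the addresses from the diagram above, then classifies the ping seen in the firewall log. The interface name vr1, the default gateway 10.10.10.1 (taken from the diagram rather than the poster's route line) and the peer address 203.0.113.10 are assumptions; first-match SPD evaluation is a simplification.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Subnets constructed from the diagram in the thread.
SITE_A_LAN = ipaddress.ip_network("10.20.235.0/24")
SITE_A_WAN = ipaddress.ip_network("10.10.10.0/24")
SITE_B_LAN = ipaddress.ip_network("192.168.16.0/24")
SITE_B_WAN = ipaddress.ip_network("10.0.0.0/24")
ALL_SUBNETS = [SITE_A_LAN, SITE_A_WAN, SITE_B_LAN, SITE_B_WAN]


@dataclass(frozen=True)
class Route:
    prefix: IPNet
    gateway: Optional[IPAddr]  # None for a directly connected network
    iface: str


@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic selectors plus what happens on a match."""
    src: IPNet
    dst: IPNet
    action: str                 # "ipsec" = encapsulate to peer
    peer: Optional[IPAddr] = None


# pfsense A's kernel routing table as the poster described it: connected
# networks plus a default route, and nothing at all for the remote LAN.
SITE_A_ROUTES = [
    Route(SITE_A_LAN, None, "vr1"),                                   # assumed LAN interface name
    Route(SITE_A_WAN, None, "fxp0"),
    Route(ipaddress.ip_network("0.0.0.0/0"),
          ipaddress.ip_address("10.10.10.1"), "fxp0"),                # gateway assumed from the diagram
]

# Outbound SPD for the Phase 2 between the two LANs; peer is a placeholder.
SITE_A_SPD = [
    Policy(SITE_A_LAN, SITE_B_LAN, "ipsec", ipaddress.ip_address("203.0.113.10")),
]


def overlapping_subnets(nets: Iterable[IPNet]) -> List[Tuple[IPNet, IPNet]]:
    """Pairs of subnets that overlap; a site-to-site tunnel needs none."""
    nets = list(nets)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def all_masks_are(nets: Iterable[IPNet], prefixlen: int) -> bool:
    """cmb's check: every subnet carries the expected mask (here /24)."""
    return all(n.prefixlen == prefixlen for n in nets)


def route_lookup(routes: Iterable[Route], dst: IPAddr) -> Optional[Route]:
    """Longest-prefix match, the way the kernel forwarding table resolves a destination."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def spd_lookup(spd: Iterable[Policy], src: IPAddr, dst: IPAddr) -> Optional[Policy]:
    """First SPD entry whose selectors cover the packet; None means plain forwarding."""
    for p in spd:
        if src in p.src and dst in p.dst:
            return p
    return None


def classify_packet(routes, spd, src_ip: str, dst_ip: str) -> dict:
    """What pfsense A does with one packet: the route picks an exit, the SPD decides on encapsulation."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    route = route_lookup(routes, dst)
    policy = spd_lookup(spd, src, dst)
    return {
        "route": str(route.prefix) if route else None,
        "gateway": str(route.gateway) if route and route.gateway else None,
        "encapsulated": policy is not None and policy.action == "ipsec",
        "peer": str(policy.peer) if policy and policy.peer else None,
    }


if __name__ == "__main__":
    print("overlaps:", overlapping_subnets(ALL_SUBNETS))
    print("all /24:", all_masks_are(ALL_SUBNETS, 24))
    # The ping from the firewall log: 10.20.235.253 -> 192.168.16.199
    print(classify_packet(SITE_A_ROUTES, SITE_A_SPD, "10.20.235.253", "192.168.16.199"))
    # Internet-bound traffic hits the same default route but no policy matches it.
    print(classify_packet(SITE_A_ROUTES, SITE_A_SPD, "10.20.235.253", "198.51.100.7"))
```

    Both packets resolve to the same default route, which is why the routing table looks identical whether or not the tunnel is up; only the SPD match distinguishes the LAN-to-LAN ping, which is handed to the peer, from ordinary traffic. When the overlap list is empty and the masks agree, the pfsense side is consistent with what cmb concluded, and the remaining questions are the hosts' gateways and whether the far end logs the arriving packets.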

