IPsec mobile and transport vs tunnel mode



  • Hi,
    I have a working mobile IPsec VPN on 2.0.1 using transport mode and a number of iPad/iPhones as endpoints. I can access LAN from it and LAN can get back.

    On 2.1 beta (latest for now), from the client I can't reach anything behind the pfSense box itself. Configs are identical apart from using RADIUS as user auth and tunnel mode instead of transport, which, it seems, can't be selected any more for mobile IPsec. In the state table all TCP connection attempts are SYN_SENT:CLOSED. The firewall is fully open on both the LAN and IPsec interfaces.

    Anyone else having similar issues?

    thanks


  • Rebel Alliance Developer Netgate

    If you see the state table entries, your firewall rules are passing the traffic in as it enters.

    Do some packet captures, see if the traffic leaves LAN. If it does, then something locally isn't returning the traffic (not the pfSense firewall's fault). Also make sure your VPN client subnet is not overlapping any other existing subnet.



  • Sniffing the tunnel (enc0), the traffic seems to be one way only (the IPsec network is 192.168.79.0/24; 10.13.10.0/24 is an internal unfiltered subnet routed via the LAN interface):

    [code]
    10:02:46.705864 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54824 > 10.13.10.12.80: Flags [S], seq 451508624, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 105133164 ecr 0,sackOK,eol], length 0
    10:02:47.777839 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54824 > 10.13.10.12.80: Flags [S], seq 451508624, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 105134164 ecr 0,sackOK,eol], length 0
    10:02:48.890064 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54824 > 10.13.10.12.80: Flags [S], seq 451508624, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 105135264 ecr 0,sackOK,eol], length 0
    10:02:49.985846 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54824 > 10.13.10.12.80: Flags [S], seq 451508624, win 65535, options [mss 1240,nop,wscale 4,nop,nop,TS val 105136345 ecr 0,sackOK,eol], length 0
    [/code]
    
    This is a trace to an external network (google.com), still captured on enc0, and that one actually does work:
    
    [code]10:04:11.980610 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54829 > 173.194.35.24.80: Flags [F.], seq 762, ack 174239, win 8192, options [nop,nop,TS val 105218435 ecr 887816610], length 0
    10:04:11.984472 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54828 > 173.194.35.24.80: Flags [F.], seq 555, ack 110578, win 8192, options [nop,nop,TS val 105218501 ecr 887816582], length 0
    10:04:12.137217 (authentic,confidential): SPI 0x0e8b475d: IP 173.194.35.24.80 > 192.168.79.1.54829: Flags [F.], seq 174239, ack 763, win 999, options [nop,nop,TS val 887823607 ecr 105218435], length 0
    10:04:12.137705 (authentic,confidential): SPI 0x0e8b475d: IP 173.194.35.24.80 > 192.168.79.1.54828: Flags [F.], seq 110578, ack 556, win 993, options [nop,nop,TS val 887823608 ecr 105218501], length 0
    10:04:12.432361 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54829 > 173.194.35.24.80: Flags [.], ack 174240, win 8192, options [nop,nop,TS val 105218947 ecr 887823607], length 0
    10:04:12.433974 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54828 > 173.194.35.24.80: Flags [.], ack 110579, win 8192, options [nop,nop,TS val 105218947 ecr 887823608], length 0
    [/code]
    
    Now sniffing the LAN interface (igb0): LAN to IPsec traffic passes, but again one way only.
    
    [code]
    10:17:02.289600 IP 10.13.10.18 > 192.168.79.1: ICMP echo request, id 1, seq 6889, length 40
    10:17:07.167121 IP 10.13.10.18 > 192.168.79.1: ICMP echo request, id 1, seq 6890, length 40
    [/code]
    
    The pf rules are IPv4* any/any on both the IPsec and LAN tabs, and the IPsec VPN network does not overlap any other existing subnet.
    
    thanks
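
The developer's two checks above (capture on enc0 and LAN and see whether anything comes back, and confirm the client pool does not overlap a local subnet) can be mechanised over the tcpdump output posted in this thread. The script below is an added example and is not code from the thread or from pfSense; it parses the two tcpdump line shapes seen in the post (enc0 lines carrying the "(authentic,confidential): SPI 0x...:" prefix and plain igb0 lines), pairs packets into direction-independent flows, and reports flows that only ever carried traffic one way, which is the SYN_SENT:CLOSED picture from the first post. The sample lines are copied from the captures above (trailing TCP options trimmed); the ESP line in the usage check is constructed. Function names are the author's own.

```python
"""Spot one-way flows in tcpdump output from enc0/igb0 and check the VPN pool for overlap.

Added example, not part of the original thread. Handles TCP and ICMP echo
lines as tcpdump prints them, with or without the enc0 SPI prefix.
"""
import ipaddress
import re
from collections import defaultdict

# Optional enc0 prefix "(authentic,confidential): SPI 0x...: " between timestamp and "IP".
ENC_PREFIX = r"^(?P<ts>\S+) (?:\([\w,]+\): SPI (?P<spi>0x[0-9a-fA-F]+): )?IP "
TCP_RE = re.compile(
    ENC_PREFIX
    + r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    + r"Flags \[(?P<flags>[^\]]*)\]"
)
ICMP_RE = re.compile(
    ENC_PREFIX
    + r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    + r"id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_line(line):
    """Return (flow_key, sender, info) or None for lines we do not understand.

    flow_key is the same for both directions of a conversation, so request
    and reply land in one bucket; sender says which endpoint emitted it.
    """
    m = TCP_RE.match(line)
    if m:
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        return ("tcp",) + tuple(sorted([a, b])), a, m["flags"]
    m = ICMP_RE.match(line)
    if m:
        a, b = m["src"], m["dst"]
        return ("icmp", int(m["id"])) + tuple(sorted([a, b])), a, m["kind"]
    return None  # ESP, ARP, anything else: not relevant to this check


def one_way_flows(lines):
    """Group packets into flows and return those where only one side ever sent.

    Each entry is (flow_key, talker, packet_count, note). Repeated SYNs with no
    SYN-ACK, or echo requests with no reply, mean the request left the firewall
    and nothing came back from the far side.
    """
    flows = defaultdict(lambda: defaultdict(list))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, sender, info = parsed
        flows[key][sender].append(info)

    report = []
    for key, by_sender in flows.items():
        if len(by_sender) != 1:
            continue  # packets seen in both directions: this flow is fine
        talker, infos = next(iter(by_sender.items()))
        if key[0] == "tcp" and all(f == "S" for f in infos):
            note = "SYN only, no SYN-ACK came back"
        elif key[0] == "icmp" and all(k == "request" for k in infos):
            note = "echo request only, no echo reply"
        else:
            note = "one-way traffic"
        report.append((key, talker, len(infos), note))
    return report


def overlapping_subnets(vpn_net, local_nets):
    """Return the local subnets that overlap the mobile-client pool.

    An overlap is the other classic cause of one-way VPN traffic: the reply
    gets routed to the local subnet instead of back into the tunnel.
    """
    vpn = ipaddress.ip_network(vpn_net, strict=False)
    return [n for n in local_nets if ipaddress.ip_network(n, strict=False).overlaps(vpn)]


# Lines copied from the captures in the thread (TCP options trimmed).
SAMPLE = [
    "10:02:46.705864 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54824 > 10.13.10.12.80: Flags [S], seq 451508624, win 65535, length 0",
    "10:02:47.777839 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54824 > 10.13.10.12.80: Flags [S], seq 451508624, win 65535, length 0",
    "10:04:11.980610 (authentic,confidential): SPI 0x0d737aff: IP 192.168.79.1.54829 > 173.194.35.24.80: Flags [F.], seq 762, ack 174239, win 8192, length 0",
    "10:04:12.137217 (authentic,confidential): SPI 0x0e8b475d: IP 173.194.35.24.80 > 192.168.79.1.54829: Flags [F.], seq 174239, ack 763, win 999, length 0",
    "10:17:02.289600 IP 10.13.10.18 > 192.168.79.1: ICMP echo request, id 1, seq 6889, length 40",
    "10:17:07.167121 IP 10.13.10.18 > 192.168.79.1: ICMP echo request, id 1, seq 6890, length 40",
]

if __name__ == "__main__":
    for key, talker, count, note in one_way_flows(SAMPLE):
        print(f"{key[0]} {key[1:]} from {talker} x{count}: {note}")
    # Constructed local subnets; the second one deliberately overlaps the pool.
    print("overlap:", overlapping_subnets("192.168.79.0/24", ["10.13.10.0/24", "192.168.79.128/25"]))
```

Feed it `tcpdump -ni enc0` and `tcpdump -ni igb0` output piped through a file; the Google flow drops out because both SPIs (inbound and outbound SA) show packets, while the 10.13.10.12:80 and ICMP flows are reported with only the initiating side present, which tells you to look at the return path on the LAN host or its default route rather than at the pf rules.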
    
    
