No traffic going through ipsec tunnel



  • After quite a bit of mucking around with the Cisco ASA 5500 and searching a bit in here, I have finally gotten pfSense to connect to the Cisco box, saying the tunnel has been established. But no traffic ever goes through the tunnel.

    From my experiences with FreeBSD, I was expecting to see a tun or gif interface when I typed ifconfig on a command line. But all I could see was fxp0 (WAN), bge0 (LAN), lo0 (loopback) and enc0 (no idea what this one is).

    LAN subnet is 10.120.1.0/24 and the remote net is 10.21.0.0/16.

    When I try to ping 10.21.1.2 from a pc on the local lan, I get no replies. When I try the same from the command line on the pfsense machine, I get Destination host unreachable from the default gateway of my WAN interface. So something tells me that the routing is off.

    Any ideas? Am I supposed to add the routes manually? Let me know if you need to see any logs etc.

    System logs -> IPSEC:

    
    Aug 20 11:36:02	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 20 11:36:02	racoon: INFO: received Vendor ID: CISCO-UNITY
    Aug 20 11:36:02	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Aug 20 11:36:02	racoon: INFO: received Vendor ID: DPD
    Aug 20 11:36:02	racoon: INFO: ISAKMP-SA established <wan-ip>[500]-<remote-ip>[500] spi:a0a1e99d3cd8100c:14cdd0e88b250a44
    Aug 20 11:36:03	racoon: INFO: initiate new phase 2 negotiation: <wan-ip>[0]<=><remote-ip>[0]
    Aug 20 11:36:03	racoon: ERROR: unknown notify message, no phase2 handle found.
    Aug 20 11:36:03	racoon: INFO: purging ISAKMP-SA spi=a0a1e99d3cd8100c:14cdd0e88b250a44.
    Aug 20 11:36:03	racoon: INFO: purged IPsec-SA spi=135854306.
    Aug 20 11:36:03	racoon: INFO: purged ISAKMP-SA spi=a0a1e99d3cd8100c:14cdd0e88b250a44.
    Aug 20 11:36:04	racoon: INFO: ISAKMP-SA deleted <wan-ip>[500]-<remote-ip>[500] spi:a0a1e99d3cd8100c:14cdd0e88b250a44
    Aug 20 11:36:15	racoon: INFO: IPsec-SA request for <remote-ip>queued due to no phase1 found.
    Aug 20 11:36:15	racoon: INFO: initiate new phase 1 negotiation: <wan-ip>[500]<=><remote-ip>[500]
    Aug 20 11:36:15	racoon: INFO: begin Identity Protection mode.
    Aug 20 11:36:15	racoon: INFO: received broken Microsoft ID: FRAGMENTATION
    Aug 20 11:36:15	racoon: INFO: received Vendor ID: CISCO-UNITY
    Aug 20 11:36:15	racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Aug 20 11:36:15	racoon: INFO: received Vendor ID: DPD
    Aug 20 11:36:15	racoon: INFO: ISAKMP-SA established <wan-ip>[500]-<remote-ip>[500] spi:d90c6706c1312f6f:e38bfbcb2c2dc781
    Aug 20 11:36:16	racoon: INFO: initiate new phase 2 negotiation: <wan-ip>[0]<=><remote-ip>[0]
    Aug 20 11:36:16	racoon: INFO: IPsec-SA established: ESP/Tunnel <remote-ip>[0]-><wan-ip>[0] spi=219726770(0xd18c3b2)
    Aug 20 11:36:16	racoon: INFO: IPsec-SA established: ESP/Tunnel <wan-ip>[0]-><remote-ip>[0] spi=2472181272(0x935a7e18)
    Aug 20 11:53:49	racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=16)
    Aug 20 11:53:49	racoon: INFO: ::1[500] used as isakmp port (fd=17)
    Aug 20 11:53:49	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=18)
    Aug 20 11:53:49	racoon: INFO: <wan-ip>[500] used as isakmp port (fd=19)
    Aug 20 11:53:49	racoon: INFO: fe80::290:27ff:fe58:1b14%fxp0[500] used as isakmp port (fd=20)
    Aug 20 11:53:49	racoon: INFO: fe80::211:25ff:fefd:7d1e%bge0[500] used as isakmp port (fd=21)
    Aug 20 11:53:49	racoon: INFO: 10.120.1.1[500] used as isakmp port (fd=22)
    Aug 20 11:53:49	racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=16)
    Aug 20 11:53:49	racoon: INFO: ::1[500] used as isakmp port (fd=17)
    Aug 20 11:53:49	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=18)
    Aug 20 11:53:49	racoon: INFO: <wan-ip>[500] used as isakmp port (fd=19)
    Aug 20 11:53:49	racoon: INFO: fe80::290:27ff:fe58:1b14%fxp0[500] used as isakmp port (fd=20)
    Aug 20 11:53:49	racoon: INFO: fe80::211:25ff:fefd:7d1e%bge0[500] used as isakmp port (fd=21)
    Aug 20 11:53:49	racoon: INFO: 10.120.1.1[500] used as isakmp port (fd=22)
    Aug 20 12:23:49	racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=16)
    Aug 20 12:23:49	racoon: INFO: ::1[500] used as isakmp port (fd=17)
    Aug 20 12:23:49	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=18)
    Aug 20 12:23:49	racoon: INFO: <wan-ip>[500] used as isakmp port (fd=19)
    Aug 20 12:23:49	racoon: INFO: fe80::290:27ff:fe58:1b14%fxp0[500] used as isakmp port (fd=20)
    Aug 20 12:23:49	racoon: INFO: fe80::211:25ff:fefd:7d1e%bge0[500] used as isakmp port (fd=21)
    Aug 20 12:23:49	racoon: INFO: 10.120.1.1[500] used as isakmp port (fd=22)
    Aug 20 12:23:49	racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=16)
    Aug 20 12:23:49	racoon: INFO: ::1[500] used as isakmp port (fd=17)
    Aug 20 12:23:49	racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=18)
    Aug 20 12:23:49	racoon: INFO: <wan-ip>[500] used as isakmp port (fd=19)
    Aug 20 12:23:49	racoon: INFO: fe80::290:27ff:fe58:1b14%fxp0[500] used as isakmp port (fd=20)
    Aug 20 12:23:49	racoon: INFO: fe80::211:25ff:fefd:7d1e%bge0[500] used as isakmp port (fd=21)
    Aug 20 12:23:49	racoon: INFO: 10.120.1.1[500] used as isakmp port (fd=22)
    


  • Did you add a firewall rule that allows traffic through the tunnel?



  • I tried adding rules allowing any protocol from 10.21.0.0/16 to 10.120.1.0/24 and from 10.120.1.0/24 to 10.21.0.0/16 (both rules on the IPSEC tab).

    Is that correct?



  • What worries me the most is the fact that pfsense does not seem to know that 10.21.0.0/16 is at the other end of the tunnel. It's clearly routing the wrong way when I try to ping 10.21.1.2 from the pfsense console. I get Destination Host Unreachable messages from the gateway of my WAN-IP.



  • @Dawk:

    I tried adding rules allowing any protocol from 10.21.0.0/16 to 10.120.1.0/24 and from 10.120.1.0/24 to 10.21.0.0/16 (both rules on the IPSEC tab).

    Is that correct?

    You create rules on the interface on which the traffic comes into pfSense.

    So if your remote network is 10.21.0.0/16, you create on the IPSEC tab a rule that allows this subnet as source to whatever destination you want it allowed to reach (I suppose you want it to access your LAN subnet).

    You also need to create a rule on your LAN tab that allows traffic from your LAN subnet to your remote subnet.

    On your IPsec config page, did you set the field "remote subnet" with the correct subnet?



  • Yes, the subnet is specified correctly. I also added the rules you specified to the LAN and IPSEC tabs. No difference - there is still absolutely no traffic going through the tunnel. Isn't the tunnel supposed to be shown, if I run ifconfig from the command prompt on the pfsense console? Is it the enc0 interface? Should it have an IP address?



  • I personally don't use IPsec, but I just successfully set up a tunnel between two of my boxes.
    I don't know what enc0 is, but I suppose it is the tunnel, since it did not show up in the list before.

    The steps I took:
    1: Enable IPsec on both sides.
    2: Enter the same config on both sides:
    - pre-shared key
    - same lifetimes
    - correct interface on which the tunnel will be established
    - the other side's public IP
    - the correct remote subnet with correct netmask
    - as keep-alive ping address, the other side's internal gateway IP
    3: On both sides, add an allow any-to-any rule under Firewall on the IPSEC tab. (Modify the LAN rule if necessary; mine is allow any to any, so I did not need to change it.)

    And it just works. I can ping hosts in the remote subnet.
    Maybe you could post here which steps you took.



  • What worries me the most is the fact that pfsense does not seem to know that 10.21.0.0/16 is at the other end of the tunnel.

    This is the way it is.
    The machine itself indeed does not know anything about the other network; this is something with IPsec.
    If you go to another network from the box itself, it will always go through its own default gateway, even if you go to the other network of the IPsec tunnel.



  • Hello!
    A good thread, which led to an important realization: often the intuitive way is the better one!
    This guide http://pfsense.bol2riz.com/tutorials/mobile_ipsec/ is definitely not recommended for connecting two "1.2-RC3" boxes. Unfortunately it is at present the only IPsec guide that can be found quickly. Entering two tunnels and pre-shared keys as described above does lead to success; I can confirm that.

    Regards, FBI01



  • BUMP.

    I seem to be having a similar issue with this.  It seems that routing will just STOP completely.  It'll be working just fine, I'll step away for a minute and then nothing will be working all of a sudden.

    I'll post whatever logs you want. I have a tunnel from my home pfSense firewall to 2 remote pfSense firewalls.
    Home Network: 192.168.112.1/24
    Remote Network:  192.168.113.1/24
    Remote Network:  216.222.x.x/24

    For the record this DOES work and eventually seems to start working again after a little while; sometimes after a reboot, sometimes just on its own.  I DO have the firewall rules setup.  I wish these problems were a little more easily solvable.  For a product that bills itself as "more stable than most commercial firewalls" it can be hard to recommend when the documentation is so outdated or non existent and problems like this just seem to "happen."



  • First of all,

    • IPsec routing is automatic and works out of the box.
    • As gruensFroeschli said: rules from LAN to IPSEC (LAN tab), rules from IPSEC to LAN (IPSEC tab).
    • If you use the pfSense ping in the web GUI, choose the LAN interface, not the WAN.
    • Which pfSense release do you use? You should try a recent snapshot.
    • IPsec is absolutely stable at the moment with 1.2rc5 (unofficial).
    • enc0 is the IPsec interface.

    Greetings
    heiko

    Look also here: http://forum.pfsense.org/index.php/topic,7822.0.html
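The explanations in this thread (gruensFroeschli: the box itself has no route for the remote network and uses its default gateway; heiko: ping from the LAN interface, enc0 is the IPsec interface) together with the racoon log in the first post can be turned into a repeatable check. The shell script below is an added example, not code from the thread or from the pfSense project. It assumes a FreeBSD-based pfSense 1.2 box where `setkey`, `ping -S` and `tcpdump` are available, uses the thread's addresses (LAN 10.120.1.0/24 with 10.120.1.1 on the box, remote 10.21.0.0/16, test host 10.21.1.2), and the function names are my own. The log triage runs anywhere; `ipsec_live_check` is meant for the pfSense console.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): offline triage of
# racoon log lines like the ones in the first post, plus the on-box checks for
# the "tunnel is up but nothing flows" case. The sample log is copied from the
# first post with its <wan-ip>/<remote-ip> placeholders kept.

# racoon_triage [LOGFILE]: read a racoon log (file or stdin) and report how far
# the negotiation got. Two "IPsec-SA established" lines, one per direction, are
# what "tunnel up" looks like; "no phase2 handle found" followed by
# "ISAKMP-SA deleted" is the phase 1 SA being thrown away after phase 2 failed.
racoon_triage() {
    awk '
        BEGIN { p1 = 0; p2 = 0; nohandle = 0; deleted = 0; last = "none" }
        /ISAKMP-SA established/     { p1++; last = "isakmp-sa" }
        /IPsec-SA established: ESP/ { p2++; last = "ipsec-sa" }
        /no phase2 handle found/    { nohandle++; last = "no-phase2-handle" }
        /ISAKMP-SA deleted/         { deleted++; last = "isakmp-deleted" }
        END {
            printf "phase1_established=%d phase2_sa=%d no_phase2_handle=%d isakmp_deleted=%d\n", p1, p2, nohandle, deleted
            # SAs exist in both directions: suspects are now the SPD, the firewall rules and the test itself
            if (last == "ipsec-sa" && p2 >= 2) { verdict = "up" }
            # phase 1 worked, phase 2 did not: check the phase 2 proposal and the remote subnet
            else if (last == "no-phase2-handle" || last == "isakmp-deleted") { verdict = "phase2-failed" }
            else if (p1 == 0) { verdict = "phase1-failed" }
            else { verdict = "incomplete" }
            print "verdict=" verdict
        }' ${1:+"$1"}
}

# Constructed input: lines copied from the first post, tabs replaced by spaces.
sample_log() {
    cat <<'EOF'
Aug 20 11:36:02 racoon: INFO: ISAKMP-SA established <wan-ip>[500]-<remote-ip>[500] spi:a0a1e99d3cd8100c:14cdd0e88b250a44
Aug 20 11:36:03 racoon: INFO: initiate new phase 2 negotiation: <wan-ip>[0]<=><remote-ip>[0]
Aug 20 11:36:03 racoon: ERROR: unknown notify message, no phase2 handle found.
Aug 20 11:36:03 racoon: INFO: purging ISAKMP-SA spi=a0a1e99d3cd8100c:14cdd0e88b250a44.
Aug 20 11:36:04 racoon: INFO: ISAKMP-SA deleted <wan-ip>[500]-<remote-ip>[500] spi:a0a1e99d3cd8100c:14cdd0e88b250a44
Aug 20 11:36:15 racoon: INFO: initiate new phase 1 negotiation: <wan-ip>[500]<=><remote-ip>[500]
Aug 20 11:36:15 racoon: INFO: ISAKMP-SA established <wan-ip>[500]-<remote-ip>[500] spi:d90c6706c1312f6f:e38bfbcb2c2dc781
Aug 20 11:36:16 racoon: INFO: initiate new phase 2 negotiation: <wan-ip>[0]<=><remote-ip>[0]
Aug 20 11:36:16 racoon: INFO: IPsec-SA established: ESP/Tunnel <remote-ip>[0]-><wan-ip>[0] spi=219726770(0xd18c3b2)
Aug 20 11:36:16 racoon: INFO: IPsec-SA established: ESP/Tunnel <wan-ip>[0]-><remote-ip>[0] spi=2472181272(0x935a7e18)
EOF
}

# ipsec_live_check LAN_IP REMOTE_HOST: run on the pfSense console once the
# triage says "up". Policy-based IPsec installs no route for 10.21.0.0/16; the
# kernel's security policy database (SPD) decides per packet by source and
# destination, so a ping sourced from the WAN address never matches the policy
# and leaves in the clear towards the WAN gateway.
ipsec_live_check() {
    setkey -DP               # SPD: expect "out ipsec" 10.120.1.0/24 -> 10.21.0.0/16 and the "in" reverse
    setkey -D                # SAD: the two ESP SAs the log reported, one per direction
    ping -S "$1" -c 3 "$2"   # source the probe from the LAN address so it matches the policy
    tcpdump -ni enc0 -c 5    # enc0 carries tunnel traffic after decryption / before encryption
}
# e.g. ipsec_live_check 10.120.1.1 10.21.1.2
```

On the log from the first post the triage reports `verdict=up`: the first attempt died on `no phase2 handle found`, but the retry established both ESP SAs. That is the case where the remaining suspects are the SPD (`setkey -DP` must list policies for 10.120.1.0/24 to 10.21.0.0/16 in both directions), the IPSEC and LAN tab rules, and the test itself: a ping from the console without `-S 10.120.1.1` is sourced from the WAN address, so it never matches the policy and goes to the WAN gateway unencrypted, which is exactly the "Destination host unreachable" from the first post.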



  • I am having this same problem. It works for some time and then just out of the blue stops working… and there is nothing you can do to bring the tunnel back.... the tunnel will come back when it is ready hehe... any ideas?

    Another thing I discovered, which is not in the pfSense guide, is that you have to add a rule on the WAN interface for port 500 TCP.



  • Actually I don't know if pfSense 1.2 opens the UDP 500 and ESP ports/protocols behind the scenes. For my configs I have made two rules on the WAN tab: pass UDP 500, and a second rule that opens the ESP protocol. In the past, half a year or so ago, the IPsec tunnels worked only in a cluster scenario with these two rules….

    But I have several pfSense 1.2 IPsec boxes around the world and all of them work as they should with IPsec.... ;)



  • We do create rules for IPSEC behind the scenes. In the past you only had to add those rules manually if you were running IPsec on VIPs like CARP, but I think we nowadays even create rules for those, since you can now specify the CARP IPs as endpoints in the tunnel configuration.
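The last three posts are about which firewall rules a pfSense 1.2 IPsec tunnel needs and whether the WAN ones are generated automatically. ISAKMP runs over UDP port 500 (UDP 4500 when NAT traversal is in play) and the tunnel payload is ESP, IP protocol 50, not a TCP port. The shell script below is an added example, not the thread's or pfSense's own code: it writes the four rules in pf syntax and checks a saved `pfctl -sr` listing for them, so you can see whether your version of pfSense added the WAN pair for you. It uses the thread's interface names and subnets; the two public addresses are RFC 5737 documentation addresses standing in for the thread's <wan-ip> and <remote-ip>, and all function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense project): the pf rules a
# pfSense 1.2 site-to-site IPsec tunnel needs, and a check of a saved
# `pfctl -sr` listing for them. Interface names and subnets are the thread's;
# the public addresses are placeholders for its <wan-ip> and <remote-ip>.
LAN_IF=bge0
WAN_IF=fxp0
LAN_NET=10.120.1.0/24
REMOTE_NET=10.21.0.0/16
WAN_IP=203.0.113.1      # placeholder for <wan-ip>
PEER_IP=198.51.100.1    # placeholder for <remote-ip>

# One rule per tab in the web GUI: LAN (LAN -> remote), IPSEC (remote -> LAN,
# which arrives on enc0), and two on WAN so the peer can reach ISAKMP
# (UDP 500) and deliver ESP (IP protocol 50).
required_ipsec_rules() {
    cat <<EOF
pass in quick on $LAN_IF from $LAN_NET to $REMOTE_NET keep state
pass in quick on enc0 from $REMOTE_NET to $LAN_NET keep state
pass in quick on $WAN_IF proto udp from $PEER_IP to $WAN_IP port 500 keep state
pass in quick on $WAN_IF proto esp from $PEER_IP to $WAN_IP keep state
EOF
}

# rule_present RULESET_FILE REQUIRED_RULE
# pfctl -sr normalises rules when printing them (adds "inet", "flags S/SA",
# "port = 500"), so match only on the parts that survive: the interface,
# the "from A to B" pair and, where the rule has one, the protocol.
rule_present() {
    rp_iface=$(printf '%s\n' "$2" | sed -n 's/.* on \([^ ]*\).*/\1/p')
    rp_pair=$(printf '%s\n' "$2"  | sed -n 's/.*\(from [^ ]* to [^ ]*\).*/\1/p')
    rp_proto=$(printf '%s\n' "$2" | sed -n 's/.*\(proto [^ ]*\).*/\1/p')
    rp_hits=$(grep '^pass ' "$1" | grep -F -- " on $rp_iface " | grep -F -- " $rp_pair" || true)
    if [ -n "$rp_proto" ]; then
        rp_hits=$(printf '%s\n' "$rp_hits" | grep -F -- " $rp_proto " || true)
    fi
    [ -n "$rp_hits" ]
}

# missing_ipsec_rules RULESET_FILE: print every required rule the listing lacks.
# On the box: pfctl -sr > /tmp/rules.txt; missing_ipsec_rules /tmp/rules.txt
missing_ipsec_rules() {
    required_ipsec_rules | while IFS= read -r mr_rule; do
        rule_present "$1" "$mr_rule" || printf 'MISSING: %s\n' "$mr_rule"
    done
}
```

Run `pfctl -sr > /tmp/rules.txt` on the box and then `missing_ipsec_rules /tmp/rules.txt`. A `MISSING:` line for `enc0` means traffic from the remote network arrives through the tunnel and is dropped before it reaches the LAN, which looks exactly like a tunnel that is up but carries nothing; a missing WAN rule for UDP 500 or ESP means the peer cannot even negotiate with you unless pfSense added those rules itself, which the `pfctl -sr` listing will show.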


Locked