No traffic going through IPsec tunnel
-
I tried adding rules allowing any protocol from 10.21.0.0/16 to 10.120.1.0/24 and from 10.120.1.0/24 to 10.21.0.0/16 (both rules on the IPSEC tab).
Is that correct?
You create rules on the interface on which the traffic comes into pfSense.
So if your remote network is 10.21.0.0/16, you create on the IPSEC tab a rule that allows this subnet as source to whatever destination you want it allowed to reach (I suppose you want it to access your LAN subnet).
You also need to create a rule on your LAN tab that allows traffic from your LAN subnet to your remote subnet.
On your IPSEC config page, did you set the field "remote subnet" to the correct subnet?
-
Yes, the subnet is specified correctly. I also added the rules you specified to the LAN and IPSEC tabs. No difference: there is still absolutely no traffic going through the tunnel. Isn't the tunnel supposed to be shown if I run ifconfig from the command prompt on the pfSense console? Is it the enc0 interface? Should it have an IP address?
-
I personally don't use IPsec, but I just successfully set up a tunnel between two of my boxes.
I don't know what enc0 is, but I suppose it is the tunnel, since I didn't have it show up in the list before. The steps I took:
1: Enable IPsec on both sides.
2: Enter the same config on both sides:
- preshared key
- same lifetimes
- correct interface on which the tunnel will be established
- the opposite side's public IP
- the correct remote subnet with correct netmask
- as keep-alive ping address, the other side's internal gateway IP
3: Add on both sides under Firewall on the IPSEC tab an allow any-to-any rule (modify the LAN rule if necessary, but mine is allow any to any so I didn't need to change it). And it just works. I can ping hosts in the remote subnet.
Maybe you could post here which steps you took.
-
What worries me the most is the fact that pfSense does not seem to know that 10.21.0.0/16 is at the other end of the tunnel.
This is the way it is.
The machine itself indeed does not know anything about the other network; this is something with IPsec.
If you go to another network from the box itself, it will always go through its own default gateway, even if you go to the other network of the IPsec tunnel.
-
Hello!
A good post, which led to an important realization: often the intuitive way is the better one!
This guide http://pfsense.bol2riz.com/tutorials/mobile_ipsec/ is definitely not recommended for connecting two "1.2-RC3" boxes. Unfortunately, it is currently the only IPsec guide that is quick to find. Entering two tunnels and "pre-shared keys" as described above does lead to success; I can confirm that.
Regards, FBI01
-
BUMP.
I seem to be having a similar issue with this. It seems that routing will just STOP completely. It'll be working just fine, I'll step away for a minute, and then all of a sudden nothing will be working.
I'll post whatever logs you want, I have a tunnel from my home PFSense firewall to 2 remote PFSense firewalls.
Home Network: 192.168.112.1/24
Remote Network: 192.168.113.1/24
Remote Network: 216.222.x.x/24
For the record, this DOES work and eventually seems to start working again after a little while; sometimes after a reboot, sometimes just on its own. I DO have the firewall rules set up. I wish these problems were a little more easily solvable. For a product that bills itself as "more stable than most commercial firewalls", it can be hard to recommend when the documentation is so outdated or non-existent and problems like this just seem to "happen."
-
First of all,
- IPsec routing is automatic and works out of the box.
- as gruensFroeschli said: rules from LAN to IPsec (LAN tab), rules from IPsec to LAN (IPSEC tab)
- if you use the pfSense ping in the web GUI, choose the LAN interface, not the WAN
- which pfSense release do you use? You should try a recent snapshot
- IPsec is absolutely stable at the moment with 1.2rc5 (unofficial)
- enc0 is the IPsec interface
Greetings
heiko
Look also here: http://forum.pfsense.org/index.php/topic,7822.0.html
-
I am having this same problem: it works for some time and then just out of the blue stops working… and there is nothing you can do to bring the tunnel back.... The tunnel will come back when it is ready, hehe... Any ideas?
Another thing I discovered that is not in the pfSense guide is that you have to add a rule on the WAN interface for port 500 TCP.
-
Actually I don't know if pfSense 1.2 opens the UDP 500 and ESP ports/protocols behind the scenes. For my configs I have made two rules on the WAN tab: pass UDP 500, and a second rule that opens the ESP protocol. In the past, half a year or so ago, the IPsec tunnels worked only in a cluster scenario with these two rules….
But I have several pfSense 1.2 IPsec boxes around the world and all of them work as they should with IPsec.... ;)
-
We do create rules for IPsec behind the scenes. In the past you only had to add those rules manually if you were running IPsec on VIPs like CARP, but I think we nowadays even create rules for those, since you can now specify the CARP IPs as endpoints in the tunnel configuration.
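The checking order the thread arrives at, as an added shell example that is not from any of the posters and not part of pfSense: the remote subnet and netmask entered on the IPsec page become kernel SPD policies rather than routes (which is why the box "does not know" 10.21.0.0/16 in netstat yet still tunnels it), a mature SA in the SAD means phase 1 and 2 completed (PSK, lifetimes, UDP 500 and ESP reaching the WAN), and only then do the pass rules on the IPSEC tab (enc0) and the LAN tab matter. The script parses constructed sample output in the format setkey -DP, setkey -D and pfctl -sr print on FreeBSD; the public addresses 203.0.113.1 and 198.51.100.1 and the interface names sis0 and sis1 are assumptions, the subnets are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): offline checks that
# mirror the troubleshooting order the posts above arrive at. On the box you
# would feed the functions live output instead of the constructed samples:
#   spd=$(setkey -DP); sad=$(setkey -D); rules=$(pfctl -sr)
# Public addresses and interface names below are assumptions.

LAN_NET="10.120.1.0/24"      # local LAN subnet (from the thread)
REMOTE_NET="10.21.0.0/16"    # remote subnet at the far end (from the thread)
LOCAL_PUB="203.0.113.1"      # this box's WAN address (assumed)
REMOTE_PUB="198.51.100.1"    # peer's WAN address (assumed)
LAN_IF="sis0"                # LAN interface name (assumed)

# spd_has_policy SPD_TEXT SRC DST DIR: true if `setkey -DP` output holds a
# policy SRC -> DST with direction DIR ("out" or "in"). A record starts with
# "src[any] dst[any] any" and is followed by an indented "out ipsec"/"in ipsec".
# This is all pfSense "knows" about the remote subnet: the SPD, not the
# routing table, so `netstat -rn` never shows 10.21.0.0/16.
spd_has_policy() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" '
        /^[0-9]/ { s = $1; sub(/\[.*/, "", s); d = $2; sub(/\[.*/, "", d); next }
        $1 == dir && $2 == "ipsec" && s == src && d == dst { found = 1 }
        END { exit found ? 0 : 1 }'
}

# sad_is_mature SAD_TEXT A B: true if `setkey -D` shows an SA between A and B
# (either direction) in state=mature, i.e. phase 2 has completed.
sad_is_mature() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        /^[0-9]/ { s = $1; d = $2; next }
        /state=mature/ && ((s == a && d == b) || (s == b && d == a)) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# pf_allows RULES_TEXT IFACE SRC DST: true if `pfctl -sr` contains a pass-in
# rule on IFACE from SRC to DST (pfSense emits user rules as "pass in quick on").
pf_allows() {
    src=$(printf '%s' "$3" | sed 's/[.]/\\./g')
    dst=$(printf '%s' "$4" | sed 's/[.]/\\./g')
    printf '%s\n' "$1" | grep -Eq "^pass in .*on $2 .*from $src to $dst( |\$)"
}

# diagnose SPD SAD RULES: name the first thing that is missing, in the order
# the thread arrives at it: remote subnet field, phase 1/2, IPSEC-tab rule,
# LAN-tab rule, and finally watch enc0 while pinging from the LAN side.
diagnose() {
    if ! spd_has_policy "$1" "$LAN_NET" "$REMOTE_NET" out ||
       ! spd_has_policy "$1" "$REMOTE_NET" "$LAN_NET" in; then
        echo "no SPD entry for $LAN_NET <-> $REMOTE_NET: check the remote subnet and netmask on the IPsec page"
    elif ! sad_is_mature "$2" "$LOCAL_PUB" "$REMOTE_PUB"; then
        echo "policy present but no mature SA: phase 1/2 not up, compare PSK and lifetimes, confirm UDP 500 and ESP reach $LOCAL_PUB"
    elif ! pf_allows "$3" enc0 "$REMOTE_NET" "$LAN_NET"; then
        echo "SA is up but no IPsec-tab rule: pass from $REMOTE_NET to $LAN_NET on enc0"
    elif ! pf_allows "$3" "$LAN_IF" "$LAN_NET" "$REMOTE_NET"; then
        echo "SA is up but no LAN-tab rule: pass from $LAN_NET to $REMOTE_NET on $LAN_IF"
    else
        echo "policy, SA and rules present: run tcpdump -ni enc0 and ping with the LAN address as source, not WAN"
    fi
}

# Constructed samples (not captured from a real box) in the format setkey(8)
# and pfctl(8) print on FreeBSD.
SPD_OK='10.120.1.0/24[any] 10.21.0.0/16[any] any
    out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/unique#16385
    spid=1 seq=1 pid=1234
    refcnt=1
10.21.0.0/16[any] 10.120.1.0/24[any] any
    in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/unique#16386
    spid=2 seq=0 pid=1234
    refcnt=1'
# Same, but the remote subnet was entered as /24 instead of /16: nothing
# matches 10.21.0.0/16, so that traffic leaves via the default gateway.
SPD_WRONG_MASK=$(printf '%s' "$SPD_OK" | sed 's#10\.21\.0\.0/16#10.21.0.0/24#g')
SAD_OK='203.0.113.1 198.51.100.1
    esp mode=tunnel spi=123456789(0x075bcd15) reqid=16385(0x00004001)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 203.0.113.1
    esp mode=tunnel spi=987654321(0x3ade68b1) reqid=16386(0x00004002)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature'
RULES_OK='pass in quick on enc0 inet from 10.21.0.0/16 to 10.120.1.0/24 keep state label "USER_RULE"
pass in quick on sis0 inet from 10.120.1.0/24 to 10.21.0.0/16 keep state label "USER_RULE"
pass in quick on sis1 proto udp from any to 203.0.113.1 port = isakmp keep state
pass in quick on sis1 proto esp from any to 203.0.113.1 keep state'
RULES_NO_ENC0=$(printf '%s\n' "$RULES_OK" | grep -v ' on enc0 ')

diagnose "$SPD_WRONG_MASK" "$SAD_OK" "$RULES_OK"
diagnose "$SPD_OK" "" "$RULES_OK"
diagnose "$SPD_OK" "$SAD_OK" "$RULES_NO_ENC0"
diagnose "$SPD_OK" "$SAD_OK" "$RULES_OK"
```

The four calls at the end walk through the failure modes in the thread's order: a wrong netmask on the IPsec page (no SPD match), a tunnel whose phase 1/2 never completed (no mature SA), a tunnel that is up but has no rule on the IPSEC tab, and a complete setup where the remaining step is to watch enc0 with tcpdump while pinging from a LAN address. The last point matters because the SPD selectors match on source address: a ping sourced from the WAN address never matches the 10.120.1.0/24 policy and goes out the default gateway, exactly as the posts above describe.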