2.0.3 vs DD-WRT and Shrewsoft VPN
-
Scenario 1 - Home = Win7 client machine with Shrewsoft IPSEC vpn client behind DD-WRT connecting to pfSense 1.2.3 and 2.0.3 external independent sites; 3 different businesses. Success for Shrewsoft ipsec vpn client - can ping and resolve hostname on remote 1.2.3 and 2.0.3 sites.
Scenario 2 - Home = Win7 client machine with Shrewsoft IPSEC vpn client behind pfSense 1.2.3 or 2.0.3 connecting to pfSense 2.0.3 external independent sites; 3 different businesses. Client connects fine to all the 1.2.3 sites, BUT with remote 2.0.3 it does not ping hosts on remote site AFTER disconnecting for several minutes and reconnecting. Shrewsoft connects fine, but does not resolve or ping remote hosts on 2.0.3 router.
Only change is DD-WRT vs pfSense 1.2.3/2.0.3 at home. All equipment were powered off and turned back on to ensure no stale NATTing etc…
UPDATE: This symptom is also affects latest snapshot pfSense-memstick-2.1-RC0-i386-20130707-2034.
-
Looks like this is persistent issues with IPSEC implementation on 2.x.
http://redmine.pfsense.org/issues/1351
http://forum.pfsense.org/index.php?action=printpage;topic=42627.0 -
To confirm, I freshly installed 1.2.3 and 2.0.3 at home and connected to remote pfSense 2.0.3 router and connected via Shrewsoft IPSEC VPN from home and results are the same. After a few minutes of disconnecting the IPSEC client and reconnecting, I can no longer ping or scan the remote 2.0.3 network. If I swap out my home pfsense 1.2.3 or 2.0.3 and use DD-WRT, I have no issue. It seems the problem is connecting between pfSense routers with Shrewsoft IPSEC VPN client.
-
Final testing on IPSEC issues:
I have been using 1.2.3, 2.0.3, and latest snapshot as my SOURCE at home to connect to DESTINATIONS sites ranging from pfSense 1.2.3 to 2.0.3. No problem connecting to 1.2.3 remote sites via IPSEC. I finally reproduced consistently that destination must be 2.0.3 (perhaps the 2.x tree even ) for IPSEC connection to eventually time out; where connection still works but no routing or name resolution occur after second reconnect attempt (after several minutes).
If my source is DD-WRT, it does not matter whether I am connecting to destination 1.2.3 or 2.0.3, it works always. I tried all types of Shrewsoft client settings and pfSense settings (type of cipher, DPD, NAT-T, etc - results are the same). You must restart racoon service to get back to normal.
You can reproduce this IPSEC issue by being behind 1.2.3 - to current snapshot and you connect to a remote 2.x site using Shrewsoft VPN client and waiting to reconnect 5 minutes or later - you will lose routing and obviously name resolution. From my readings here, this not only affects IPSEC client connections, but even IPSEC VPN Site to site (I have not personally tested this scenario). I am done testing this - I am 100% certain of this issue.