Tunnel connect but no data can pass
-
pfSense 2.0.3 (i386) + VMware
I set up a VPN like this:
(11.1.1.1) R1 (12.1.1.1) --> (12.1.1.2) R2 (23.1.1.1) --> (23.1.1.1) R3 (33.1.1.1)
1: R1 default gateway to 12.1.1.2
   R3 default gateway to 23.1.1.1
2: permit any on all WAN interfaces
3: I can see the tunnel connects successfully.
4: In R1, ping 23.1.1.1 succeeds; in R3, ping 12.1.1.1 succeeds.
5: When I run the command "ping -S 11.1.1.1 33.1.1.1" in R1,
   I can see data is sent in Status -> IPsec -> SAD,
   but the ping doesn't get any response.
6: In the firewall log I can see a deny ICMP entry:
block Jul 10 01:56:11 enc0 33.1.1.1 11.1.1.1 ICMP
7: No NAT here. Please help me.
+++++++++++++++ r1.conf +++++++++++++++
[2.0.3-RELEASE][root@pfSense.localdomain]/root(1): cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 12.1.1.1 [500];
    isakmp_natt 12.1.1.1 [4500];
}

remote 23.1.1.2
{
    ph1id 1;
    exchange_mode main;
    my_identifier address 12.1.1.1;
    peers_identifier address 23.1.1.2;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;

    proposal
    {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

sainfo subnet 11.1.1.0/24 any subnet 33.1.1.0/24 any
{
    remoteid 1;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}
[2.0.3-RELEASE][root@pfSense.localdomain]/root(2):
--------------------- R3.CONF ---------------------
[2.0.3-RELEASE][root@pfSense.localdomain]/root(1): cat /var/etc/racoon.conf
# This file is automatically generated. Do not edit
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 23.1.1.2 [500];
    isakmp_natt 23.1.1.2 [4500];
}

remote 12.1.1.1
{
    ph1id 1;
    exchange_mode main;
    my_identifier address 23.1.1.2;
    peers_identifier address 12.1.1.1;
    ike_frag on;
    generate_policy = off;
    initial_contact = on;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;

    proposal
    {
        authentication_method pre_shared_key;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

sainfo subnet 33.1.1.0/24 any subnet 11.1.1.0/24 any
{
    remoteid 1;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
    lifetime time 3600 secs;
    compression_algorithm deflate;
}
[2.0.3-RELEASE][root@pfSense.localdomain]/root(2):
------------------------------------------------------
Permit it in Rules -> IPsec, then it's OK.
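The firewall log entry in the post is the tell-tale symptom: the tunnel delivered the packet, but pf dropped it on the IPsec interface (enc0) because no pass rule exists on the IPsec tab. As an added example (not the poster's code and not part of pfSense), here is a small Python check that reads the phase 2 selectors from the racoon.conf quoted above and flags firewall log entries blocked on enc0 whose addresses fall inside those selectors; all log lines except the one from the post, and the interface name em0, are constructed for the sample.

```python
import ipaddress
import re

# Phase 2 selector block as generated on R1 in the post (only the sainfo header matters here).
RACOON_CONF = """
sainfo subnet 11.1.1.0/24 any subnet 33.1.1.0/24 any
{
    remoteid 1;
}
"""

# Constructed sample in the compact form the post quotes:
# action, timestamp, interface, source, destination, protocol.
# The first line is the one from the post; the others (and em0) are made up.
FILTER_LOG = """\
block Jul 10 01:56:11 enc0 33.1.1.1 11.1.1.1 ICMP
block Jul 10 01:56:12 enc0 33.1.1.1 11.1.1.1 ICMP
pass Jul 10 01:56:13 em0 12.1.1.1 23.1.1.2 UDP
block Jul 10 01:56:14 em0 198.51.100.7 12.1.1.1 TCP
"""

SAINFO_RE = re.compile(r"^sainfo\s+subnet\s+(\S+)\s+\S+\s+subnet\s+(\S+)\s+\S+", re.M)
LOG_RE = re.compile(r"^(block|pass)\s+(\w{3} \d+ [\d:]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$", re.M)


def parse_selectors(conf):
    """Return the (local, remote) phase 2 subnet pairs declared by sainfo lines."""
    return [(ipaddress.ip_network(a), ipaddress.ip_network(b))
            for a, b in SAINFO_RE.findall(conf)]


def blocked_tunnel_traffic(log, selectors):
    """Return entries pf blocked on enc0 that lie inside a negotiated selector.

    Such packets already went through the tunnel, so the only thing stopping
    them is the firewall rule set on the IPsec interface, not the VPN itself."""
    hits = []
    for action, ts, iface, src, dst, proto in LOG_RE.findall(log):
        if action != "block" or iface != "enc0":
            continue
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Decrypted packets arrive from the remote selector toward the local one;
        # the reverse direction is checked too in case an outbound block is logged.
        if any((s in rem and d in loc) or (s in loc and d in rem) for loc, rem in selectors):
            hits.append({"time": ts, "src": src, "dst": dst, "proto": proto})
    return hits


if __name__ == "__main__":
    for h in blocked_tunnel_traffic(FILTER_LOG, parse_selectors(RACOON_CONF)):
        print(f"{h['time']}: {h['proto']} {h['src']} -> {h['dst']} blocked on enc0; "
              "add a pass rule under Firewall > Rules > IPsec")
```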