Connected but no Traffic



  • Hello,

    I've managed to get my Android device connected via IPsec to pfSense and am getting an IP allocated from the pool (10.1.0.1) that I can ping from the device.  When I try to ping my main network 10.0.0.0/24 (which I added a forwarding route for) and also added a FW rule to allow Any -> 10.0.0.0/24 - Any for the IPsec interface, I don't get anything.

    I've done a packet capture but don't see any ICMP traffic.

    I'm using Automatic Outbound NAT.
    LAN - 10.0.0.0/24
    WAN - 192.168.0.0/24
    IPSec Pool - 10.1.0.0/24

    Phase1
    Interface - WAN
    Auth - Mutual PSK + XAuth
    Neg - Aggressive
    My Ident - Dynamic DNS host.mydomain.com
    Peer Ident - user@mydomain.com
    PSK - <key>
    Policy Gen - Unique
    Proposal Checking - Strict
    Enc Algo - AES128
    Hash Algo - SHA1
    DH - 2
    Lifetime - 28800
    NAT-T - Disable (Any other setting and Phase1 times out)
    DPD - Enabled, 60/5

    Phase2
    Mode - Tunnel
    Local Network - LAN (10.0.0.0/24)
    Proto - ESP
    Enc Algo - AES 128
    Hash - SHA1
    PFS Key - Off
    Lifetime - 28800

    Anyone have any ideas where/what I could look at?

    Thanks,
    WTF



  • Are you trying this from inside or outside your network?



  • I was using the 3G network on my mobile, so outside. I figured the routing would have issues if I used my Wifi without a bit of fiddling.



  • I've had issues in the past with this and that carrier kicking/stopping/resetting VPN and SIP traffic (off and on).

    Maybe try it from a friend's wifi.

    That NAT-T should be on, BTW.

    On your android phone, are you forcing that route?

    I had to put

    Forwarding routes: 0.0.0.0/0 in mine to make it use the VPN tunnel 100% of the time.

    I also gave it a DNS Server.  I use my own, but for you, 8.8.8.8 would be good.

    All these settings are in the Android IPsec settings.
    You are using the built in vpn client right?  Not one you downloaded?



  • If I turn on NAT-T (Enable or Force) I can't get P1 up (it just times out).

    Thing is that the VPN stays up and is pretty stable but just doesn't allow traffic (in the default ipsec client I have a forward route of 10.0.0.0/24 set in the IPSec Client along with DNS of 10.0.0.10 (internal) and then 8.8.8.8)

    I only want to access 10.0.0.0/24 network via the VPN but all other net access should route over the normal 3G/Wifi data connection.

    BTW, just tested the work Wifi and it has the same issue. (there isn't any captive portal or anything blocking either)



  • Sounds like there is a second 10.0.0.0/24 subnet somewhere between your client and your server. Can you test with another subnet? Even if that wouldn't be a solution you'd still know what the problem was.

    I also had this problem when I had IPsec/OpenVPN tunnel configuration with (partly) identical names or IP ranges. Delete any that might conflict.

    Alternatively try OpenVPN.
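The two checks this reply and the earlier NAT-T remark point at (an address range on the client side that collides with the Phase 2 local network, and NAT-T left off while the client sits behind carrier or Wi-Fi NAT) can be scripted. The following is an added example, not code from the thread or from pfSense; the layout dictionary mirrors the subnets posted above, and the colliding client-side Wi-Fi range is a constructed assumption to show the overlap case.

```python
"""Sanity-check a mobile IPsec address layout for two causes of
"tunnel up, no traffic": overlapping subnets and ESP through NAT
without NAT-T. Sample values are constructed for illustration."""
import ipaddress


def find_overlaps(named_subnets):
    """Return sorted (label_a, label_b) pairs whose subnets overlap.

    named_subnets: dict mapping a label to a CIDR string.
    """
    nets = {k: ipaddress.ip_network(v, strict=False)
            for k, v in named_subnets.items()}
    labels = sorted(nets)
    overlaps = []
    for i, a in enumerate(labels):
        for b in labels[i + 1:]:
            if nets[a].overlaps(nets[b]):
                overlaps.append((a, b))
    return overlaps


def check_layout(layout, client_behind_nat, nat_t_enabled):
    """Return a list of findings (empty list means nothing obvious).

    layout:            dict label -> CIDR, see THREAD_LAYOUT below
    client_behind_nat: True if the client reaches the server through NAT
                       (a 3G carrier or a home/office Wi-Fi router)
    nat_t_enabled:     the Phase 1 NAT-T setting on the server
    """
    findings = []
    for a, b in find_overlaps(layout):
        findings.append(
            f"subnet overlap: {a} ({layout[a]}) and {b} ({layout[b]}); "
            "packets for the remote LAN can be delivered locally instead "
            "of entering the tunnel")
    if client_behind_nat and not nat_t_enabled:
        # ESP (IP protocol 50) carries no port numbers, so a NAT device
        # cannot multiplex it; NAT-T wraps ESP in UDP/4500 to get through.
        findings.append(
            "client is behind NAT but NAT-T is disabled; the IKE exchange "
            "may complete while ESP is dropped, so the tunnel shows up "
            "but passes no traffic")
    return findings


# Server side as posted in the thread; the client Wi-Fi range is a
# constructed assumption that happens to reuse 10.0.0.0/24.
THREAD_LAYOUT = {
    "p2_local_network": "10.0.0.0/24",   # pfSense LAN, Phase 2 local network
    "mobile_pool": "10.1.0.0/24",        # virtual address pool for clients
    "client_local_lan": "10.0.0.0/24",   # constructed: remote Wi-Fi range
}

if __name__ == "__main__":
    for line in check_layout(THREAD_LAYOUT,
                             client_behind_nat=True, nat_t_enabled=False):
        print("-", line)
```

Change `client_local_lan` to the range the phone actually gets on the hotspot or office Wi-Fi; if the list comes back empty, the overlap theory can be crossed off and the next stop is the packet capture on the IPsec interface.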



  • Is this for the P2 Local Subnet or from the Mobile Client Virtual Address Range?



  • I also checked the ARP table and there is nothing showing for the Mobile Client IP allocated :(



  • I've got this working, though it wasn't a fix I would normally like to use.

    I set NAT-T to Enable and rebooted pfSense; when it came back up, Bingo!

    So what's causing it, or if it is going to happen again, I don't know.  Restarting racoon didn't help, BTW!



  • ohhhhhhhh…  haha.
    laughing at myself...

    When a client is disconnected and reconnected a few minutes later, it probably won't pass traffic.
    It's a weird glitch that I've been assured doesn't exist now...  But ok.

    Anyway.  Try this.

    Connect to your VPN.  Test it.
    Now, disconnect and wait 3 minutes.  Then connect again and test it.

    I bet it doesn't work now.

    Now, go to status > services and press the "restart services" button to the right of racoon / IPsec.

    Bet it works now.


  • Rebel Alliance Developer Netgate

    @kejianshi:

    ohhhhhhhh…   haha.
    laughing at myself...

    When a client is disconnected and reconnected a few minutes later, it probably won't pass traffic.
    It's a weird glitch that I've been assured doesn't exist now...   But ok.

    Anyway.  Try this.

    Connect to your VPN.  Test it.
    Now, disconnect and wait 3 minutes.  Then connect again and test it.

    I bet it doesn't work now.

    Now, go to status > services and press the "restart services" button to the right of racoon / IPsec.

    Bet it works now.

    That was a problem on older snapshots, and still is if you didn't follow this page exactly: http://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0
    Double check every setting (especially Prefer Old IPsec SA)