Netgate Discussion Forum

    Ipsec with SA established, but NO traffic

    xterminal:

      Hello,
      I have a strange problem with IPsec. Because I'm not an IPsec guru, if you need more information, write me.

      I have an IPCop Linux firewall distribution (pluto, iptables) in the head office which is terminating 2 VPNs.
      The first is from pfSense, a FreeBSD firewall distribution (racoon, pf), and the second from Debian (racoon).

      This configuration worked well, but on Monday, without any known change and no reboot, traffic is not passing through the tunnel. But the SA is established and the tunnel is UP. I tried reboots on all endpoints without success in passing traffic through. I didn't make firewall filter changes.

      I tried tcpdump on both endpoints. On IPCop I see that my ICMP packets go through the ipsec0 interface, but on pfSense I see in tcpdump on the external interface "Destination host unreachable 50".

      I think the problem will be on the pfSense side because the second VPN still works well.

      Here is my configuration:

      pfSense


      # ifconfig

      rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=8<VLAN_MTU>
              inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
              inet6 fe80::250:fcff:fea0:20ec%rl0 prefixlen 64 scopeid 0x1
              ether 00:50:fc:a0:20:ec
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
              options=b<RXCSUM,TXCSUM,VLAN_MTU>
              inet 147.20.148.94 netmask 0xfffffffc broadcast 147.20.148.95
              inet6 fe80::202:b3ff:fe5b:dbb%fxp0 prefixlen 64 scopeid 0x2
              ether 00:02:b3:5b:0d:bb
              media: Ethernet autoselect (100baseTX <full-duplex>)
              status: active
      lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
              inet 127.0.0.1 netmask 0xff000000
              inet6 ::1 prefixlen 128
              inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
      pfsync0: flags=41<UP,RUNNING> mtu 2020
              pfsync: syncdev: lo0 maxupd: 128
      pflog0: flags=100<PROMISC> mtu 33208

      racoon.conf
      ----------------------------------------------------------------

      path pre_shared_key "/var/etc/psk.txt";
      path certificate "/var/etc";

      remote 88.200.30.145 {
              exchange_mode main;
              my_identifier address "147.20.148.94";
              peers_identifier address 88.200.30.145;
              initial_contact on;
              support_proxy on;
              proposal_check obey;

              proposal {
                      encryption_algorithm 3des;
                      hash_algorithm md5;
                      authentication_method pre_shared_key;
                      dh_group 2;
                      lifetime time 28000 secs;
              }
              lifetime time 28000 secs;
      }

      sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
              encryption_algorithm 3des;
              authentication_algorithm hmac_md5;
              compression_algorithm deflate;
              pfs_group 2;
              lifetime time 28000 secs;
      }

      spd.conf

      spdadd 192.168.1.0/24 192.168.1.1/32 any -P in none;
      spdadd 192.168.1.1/32 192.168.1.0/24 any -P out none;
      spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/147.20.148.94-88.200.30.145/unique;
      spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/88.200.30.145-147.20.148.94/unique;


      # netstat -sn

      fastipsec:
              0 inbound packets violated process security policy
              0 outbound packets violated process security policy
              2 outbound packets with no SA available
              0 outbound packets failed due to insufficient memory
              0 outbound packets with no route available
              0 invalid outbound packets
              0 outbound packets with bundled SAs
              0 mbufs coalesced during clone
              0 clusters coalesced during clone
              0 clusters copied during clone
              439 mbufs inserted during makespace
      ah:
              0 packets shorter than header shows
              0 packets dropped; protocol family not supported
              0 packets dropped; no TDB
              0 packets dropped; bad KCR
              0 packets dropped; queue full
              0 packets dropped; no transform
              0 replay counter wraps
              0 packets dropped; bad authentication detected
              0 packets dropped; bad authentication length
              0 possible replay packets detected
              0 packets in
              0 packets out
              0 packets dropped; invalid TDB
              0 bytes in
              0 bytes out
              0 packets dropped; larger than IP_MAXPACKET
              0 packets blocked due to policy
              0 crypto processing failures
              0 tunnel sanity check failures
              AH output histogram:
                      hmac-md5: 1615
      esp:
              0 packets shorter than header shows
              0 packets dropped; protocol family not supported
              0 packets dropped; no TDB
              0 packets dropped; bad KCR
              0 packets dropped; queue full
              0 packets dropped; no transform
              0 packets dropped; bad ilen
              0 replay counter wraps
              0 packets dropped; bad encryption detected
              0 packets dropped; bad authentication detected
              0 possible replay packets detected
              0 packets in
              1615 packets out
              0 packets dropped; invalid TDB
              0 bytes in
              93926 bytes out
              0 packets dropped; larger than IP_MAXPACKET
              0 packets blocked due to policy
              0 crypto processing failures
              0 tunnel sanity check failures
              ESP output histogram:
                      3des-cbc: 1615

      setkey -D

      147.20.148.94 88.200.30.145
              esp mode=tunnel spi=244918196(0x0e9927b4) reqid=16389(0x00004005)
              E: 3des-cbc  74b233f5 be320ffb 5262340e 7232917b 0b05bace 2368b3e1
              A: hmac-md5  6ea864f2 90d31618 39dd48de 89c95bf0
              seq=0x00000088 replay=4 flags=0x00000000 state=mature
              created: Oct  3 09:56:29 2007  current: Oct  3 10:11:38 2007
              diff: 909(s)    hard: 28000(s)  soft: 22400(s)
              last: Oct  3 10:11:37 2007      hard: 0(s)      soft: 0(s)
              current: 14648(bytes)  hard: 0(bytes)  soft: 0(bytes)
              allocated: 136  hard: 0 soft: 0
              sadb_seq=1 pid=43956 refcnt=2
      88.200.30.145 147.20.148.94
              esp mode=tunnel spi=51441993(0x0310f149) reqid=16390(0x00004006)
              E: 3des-cbc  4c4746d4 c9ba287a 9630340b 500ba432 fc6599af 66778117
              A: hmac-md5  a715036a d0dca9ad ccd2e914 fd695b4a
              seq=0x00000000 replay=4 flags=0x00000000 state=mature
              created: Oct  3 09:56:29 2007  current: Oct  3 10:11:38 2007
              diff: 909(s)    hard: 28000(s)  soft: 22400(s)
              last:                          hard: 0(s)      soft: 0(s)
              current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
              allocated: 0    hard: 0 soft: 0
              sadb_seq=0 pid=43956 refcnt=1

      setkey -DP

      192.168.1.0/24[any] 192.168.1.1[any] any
              in none
              spid=9 seq=3 pid=44004
              refcnt=1
      192.168.0.0/24[any] 192.168.1.0/24[any] any
              in ipsec
              esp/tunnel/88.200.30.145-147.20.148.94/unique#16390
              spid=12 seq=2 pid=44004
              refcnt=1
      192.168.1.1[any] 192.168.1.0/24[any] any
              out none
              spid=10 seq=1 pid=44004
              refcnt=1
      192.168.1.0/24[any] 192.168.0.0/24[any] any
              out ipsec
              esp/tunnel/147.20.148.94-88.200.30.145/unique#16389
              spid=11 seq=0 pid=44004
              refcnt=1

      tcpdump on the external interface while running ping -S 192.168.1.1 192.168.0.1:

      10:13:21.140393 IP 147.20.148.94 > 88.200.30.145: ESP(spi=0x0e9927b4,seq=0x98), length 116
      10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145 protocol 50 unreachable, length 144

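As an added example (not from the post, pfSense or racoon), a small Python triage script that reads setkey -D and tcpdump output of the kind quoted above and separates three cases: no mature SA pair (a Phase 2 problem), a one-way tunnel where the outbound SA carries bytes, the inbound SA stays at zero and the peer answers with ICMP protocol 50 unreachable (the peer host or a filter in front of it is not accepting ESP, which is not a local SPD problem), and a working tunnel. The sample text is constructed from the values in the post and the category names are my own.

```python
import re
# Constructed sample, modelled on the setkey -D and tcpdump output quoted in the post.
SETKEY_D = """\
147.20.148.94 88.200.30.145
        esp mode=tunnel spi=244918196(0x0e9927b4) reqid=16389(0x00004005)
        seq=0x00000088 replay=4 flags=0x00000000 state=mature
        current: 14648(bytes)  hard: 0(bytes)  soft: 0(bytes)
88.200.30.145 147.20.148.94
        esp mode=tunnel spi=51441993(0x0310f149) reqid=16390(0x00004006)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
"""
TCPDUMP = """\
10:13:21.140393 IP 147.20.148.94 > 88.200.30.145: ESP(spi=0x0e9927b4,seq=0x98), length 116
10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145 protocol 50 unreachable, length 144
"""

def parse_sas(text):
    """Map (src, dst) -> {spi, state, bytes} from setkey -D output."""
    sas, cur = {}, None
    for line in text.splitlines():
        hdr = re.match(r"^(\S+)\s+(\S+)$", line)     # unindented "src dst" line starts an SA
        if hdr:
            cur = (hdr.group(1), hdr.group(2))
            sas[cur] = {"bytes": 0}
            continue
        if cur is None:
            continue
        for key, pat, conv in (("spi", r"spi=\d+\((0x[0-9a-f]+)\)", str),
                               ("state", r"state=(\w+)", str),
                               ("bytes", r"current:\s+(\d+)\(bytes\)", int)):
            m = re.search(pat, line)
            if m:
                sas[cur][key] = conv(m.group(1))
    return sas

def diagnose(sas, local, peer, tcpdump):
    """Classify the tunnel state from the SA byte counters and the capture."""
    out, inb = sas.get((local, peer), {}), sas.get((peer, local), {})
    if out.get("state") != "mature" or inb.get("state") != "mature":
        return "phase2-missing"          # no usable SA pair: IKE/Phase 2 problem
    if out["bytes"] > 0 and inb["bytes"] == 0:
        # ESP leaves with our outbound SPI, nothing ever arrives on the inbound SA
        wire = re.search(r"ESP\(spi=(0x[0-9a-f]+)", tcpdump)
        rejected = re.search(rf"IP {re.escape(peer)} > {re.escape(local)}: ICMP .*protocol 50 unreachable", tcpdump)
        if rejected and wire and wire.group(1) == out.get("spi"):
            return "one-way-peer-rejects-esp"   # peer (or a filter in front) refuses protocol 50
        return "one-way-no-reply"
    return "bidirectional"
```

Run against a live box with `setkey -D` and a tcpdump of the external interface filtered to the peer address; "one-way-peer-rejects-esp" points the investigation at the remote side rather than the local SPD.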
      soulreaver:

        Hi,
        Old posting, but I can't find anything that matches my problem as exactly as this post.
        Did you find any help to fix this?
        I've got the same problem with a Fritz!Box: at first everything was OK, but after a reconnect the tunnel came up but I can't send any traffic through the tunnel.

        Any ideas?

        Thilo

        heiko:

          IPCop and pfSense work as they should in the 1.2 release. I think you should check your config again. Is your ruleset in pfSense OK?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.