IPsec with SA established, but NO traffic



  • Hello,
    I have a strange problem with IPsec. I'm not an IPsec guru, so if you need more information, write to me.

    I have an IPCop Linux firewall distribution (pluto, iptables) in the head office, which terminates 2 VPNs.
    The first comes from pfSense, a FreeBSD firewall distribution (racoon, pf), and the second from Debian (racoon).

    This configuration worked well, but on Monday, without any known change and without a reboot, traffic stopped passing through the tunnel — although the SA is established and the tunnel is UP. I tried rebooting all endpoints, without success. I did not change any firewall filter rules.

    I tried tcpdump on both endpoints. On IPCop I see my ICMP packets go through the ipsec0 interface, but on the pfSense external interface tcpdump shows the ESP packet going out and an "ICMP ... protocol 50 unreachable" coming back (see the capture at the end).

    I think the problem will be on the pfSense side, because the second VPN still works. (Note, though, that the "protocol 50 unreachable" in the capture below is sent by 88.200.30.145 itself — i.e. the IPCop host is answering our ESP with ICMP protocol-unreachable — and the inbound SA in the setkey -D output has never received a byte, so the IPCop end refusing ESP, e.g. an iptables REJECT or a missing ESP handler on ipsec0, is also worth checking.)

    Here is my configuration:

    pfSense


    # ifconfig

    rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=8<VLAN_MTU>
            inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
            inet6 fe80::250:fcff:fea0:20ec%rl0 prefixlen 64 scopeid 0x1
            ether 00:50:fc:a0:20:ec
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            options=b<RXCSUM,TXCSUM,VLAN_MTU>
            inet 147.20.148.94 netmask 0xfffffffc broadcast 147.20.148.95
            inet6 fe80::202:b3ff:fe5b:dbb%fxp0 prefixlen 64 scopeid 0x2
            ether 00:02:b3:5b:0d:bb
            media: Ethernet autoselect (100baseTX <full-duplex>)
            status: active
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet 127.0.0.1 netmask 0xff000000
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
    pfsync0: flags=41<UP,RUNNING> mtu 2020
            pfsync: syncdev: lo0 maxupd: 128
    pflog0: flags=100<PROMISC> mtu 33208

    racoon.conf
    ----------------------------------------------------------------

    # Pre-shared keys, one entry per peer address (file contents not shown here).
    path pre_shared_key "/var/etc/psk.txt";

    path certificate  "/var/etc";

    # Phase 1 (IKE) settings for the IPCop peer.
    remote 88.200.30.145 {
            exchange_mode main;
            my_identifier address "147.20.148.94";

    peers_identifier address 88.200.30.145;
            initial_contact on;
            support_proxy on;
            # NOTE(review): 'obey' accepts whatever proposal/lifetime the peer offers instead of
            # enforcing the values below -- confirm this is intended.
            proposal_check obey;

    proposal {
                    # NOTE(review): 3DES, MD5 and DH group 2 are legacy-strength choices.
                    # Change them on both ends together, since the peer has to offer a compatible set.
                    encryption_algorithm 3des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key;
                    dh_group 2;
                    lifetime time 28000 secs;
            }
            lifetime time 28000 secs;
    }

    # Phase 2 (IPsec SA) parameters for the LAN-to-LAN selectors; the same subnets appear in spd.conf.
    sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
            encryption_algorithm 3des;
            authentication_algorithm hmac_md5;
            # deflate requests IPComp; the setkey -D output shows only ESP SAs, so it apparently was not negotiated.
            compression_algorithm deflate;
            pfs_group 2;
            lifetime time 28000 secs;
    }

    spd.conf

    # Bypass policies: traffic between the LAN and this box's own LAN address is never sent through IPsec.
    spdadd 192.168.1.0/24 192.168.1.1/32 any -P in none;
    spdadd 192.168.1.1/32 192.168.1.0/24 any -P out none;
    # Tunnel policies: LAN <-> remote 192.168.0.0/24 is carried in ESP tunnel mode between the two WAN addresses.
    # 'unique' presumably ties each policy to its own SA (reqid); compare the unique#NNNN in setkey -DP with the reqid in setkey -D.
    spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/147.20.148.94-88.200.30.145/unique;
    # The inbound policy requires ESP, so cleartext packets claiming to be from 192.168.0.0/24 are not accepted.
    spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/88.200.30.145-147.20.148.94/unique;


    # netstat -sn

    fastipsec:
            0 inbound packets violated process security policy
            0 outbound packets violated process security policy
            2 outbound packets with no SA available
            0 outbound packets failed due to insufficient memory
            0 outbound packets with no route available
            0 invalid outbound packets
            0 outbound packets with bundled SAs
            0 mbufs coalesced during clone
            0 clusters coalesced during clone
            0 clusters copied during clone
            439 mbufs inserted during makespace
    ah:
            0 packets shorter than header shows
            0 packets dropped; protocol family not supported
            0 packets dropped; no TDB
            0 packets dropped; bad KCR
            0 packets dropped; queue full
            0 packets dropped; no transform
            0 replay counter wraps
            0 packets dropped; bad authentication detected
            0 packets dropped; bad authentication length
            0 possible replay packets detected
            0 packets in
            0 packets out
            0 packets dropped; invalid TDB
            0 bytes in
            0 bytes out
            0 packets dropped; larger than IP_MAXPACKET
            0 packets blocked due to policy
            0 crypto processing failures
            0 tunnel sanity check failures
            AH output histogram:
                    hmac-md5: 1615
    esp:
            0 packets shorter than header shows
            0 packets dropped; protocol family not supported
            0 packets dropped; no TDB
            0 packets dropped; bad KCR
            0 packets dropped; queue full
            0 packets dropped; no transform
            0 packets dropped; bad ilen
            0 replay counter wraps
            0 packets dropped; bad encryption detected
            0 packets dropped; bad authentication detected
            0 possible replay packets detected
            0 packets in
            1615 packets out
            0 packets dropped; invalid TDB
            0 bytes in
            93926 bytes out
            0 packets dropped; larger than IP_MAXPACKET
            0 packets blocked due to policy
            0 crypto processing failures
            0 tunnel sanity check failures
            ESP output histogram:
                    3des-cbc: 1615

    setkey -D (NOTE: the E:/A: lines below are the live ESP encryption and authentication keys of these SAs — redact them before posting; anyone holding them can decrypt or forge tunnel traffic until the SA rekeys)

    147.20.148.94 88.200.30.145
            esp mode=tunnel spi=244918196(0x0e9927b4) reqid=16389(0x00004005)
            E: 3des-cbc  74b233f5 be320ffb 5262340e 7232917b 0b05bace 2368b3e1
            A: hmac-md5  6ea864f2 90d31618 39dd48de 89c95bf0
            seq=0x00000088 replay=4 flags=0x00000000 state=mature
            created: Oct  3 09:56:29 2007  current: Oct  3 10:11:38 2007
            diff: 909(s)    hard: 28000(s)  soft: 22400(s)
            last: Oct  3 10:11:37 2007      hard: 0(s)      soft: 0(s)
            current: 14648(bytes)  hard: 0(bytes)  soft: 0(bytes)
            allocated: 136  hard: 0 soft: 0
            sadb_seq=1 pid=43956 refcnt=2
    88.200.30.145 147.20.148.94
            esp mode=tunnel spi=51441993(0x0310f149) reqid=16390(0x00004006)
            E: 3des-cbc  4c4746d4 c9ba287a 9630340b 500ba432 fc6599af 66778117
            A: hmac-md5  a715036a d0dca9ad ccd2e914 fd695b4a
            seq=0x00000000 replay=4 flags=0x00000000 state=mature
            created: Oct  3 09:56:29 2007  current: Oct  3 10:11:38 2007
            diff: 909(s)    hard: 28000(s)  soft: 22400(s)
            last:                          hard: 0(s)      soft: 0(s)
            current: 0(bytes)      hard: 0(bytes)  soft: 0(bytes)
            allocated: 0    hard: 0 soft: 0
            sadb_seq=0 pid=43956 refcnt=1

    setkey -DP

    192.168.1.0/24[any] 192.168.1.1[any] any
            in none
            spid=9 seq=3 pid=44004
            refcnt=1
    192.168.0.0/24[any] 192.168.1.0/24[any] any
            in ipsec
            esp/tunnel/88.200.30.145-147.20.148.94/unique#16390
            spid=12 seq=2 pid=44004
            refcnt=1
    192.168.1.1[any] 192.168.1.0/24[any] any
            out none
            spid=10 seq=1 pid=44004
            refcnt=1
    192.168.1.0/24[any] 192.168.0.0/24[any] any
            out ipsec
            esp/tunnel/147.20.148.94-88.200.30.145/unique#16389
            spid=11 seq=0 pid=44004
            refcnt=1

    tcpdump on the external interface while running `ping -S 192.168.1.1 192.168.0.1`:

    10:13:21.140393 IP 147.20.148.94 > 88.200.30.145: ESP(spi=0x0e9927b4,seq=0x98), length 116
    10:13:21.151791 IP 88.200.30.145 > 147.20.148.94: ICMP 88.200.30.145 protocol 50 unreachable, length 144



  • Hi,
    Old posting, but I can't find anything that matches my problem as exactly as this post.
    Did you find any help to fix this?
    I've got the same problem with a Fritz!Box: at first everything was OK, but after a reconnect the tunnel came up and I can't send any traffic through it.

    Any ideas?

    Thilo



  • IPCop and pfSense work as they should in the 1.2 release. I think you should check your config again... is your ruleset in pfSense OK? Since the "protocol 50 unreachable" in your capture comes from the IPCop address, check that end's rules for ESP as well.

