Netgate Discussion Forum
    SOLVED …ISH - PFSENSE 2.1 Release breaks IPSEC over PPPOE ??

    7 Posts 5 Posters 5.8k Views

    dwood

      EDIT2:  The issue with 2.1 is that on Multi-Wan setup with load balancing group, assigned IPSEC interface must also be Default interface in routing…this may be a bug.  See my third post.

      EDIT: renamed thread.  After reinstalling from scratch, and following the 2.1 https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0 IPSEC doc, it became clear that the issue is actually IPSEC over PPPOE on 2.1 on a fresh 2.1 AMD64 install.  I get the unknown gateway message when attempting to configure IPSEC on WAN1 (PPPOE -DSL account), however all is good on WAN2 (Cable - DHCP).

      Anyone seeing same?

      My update to 2.1 worked great...except IPSEC is broken.  I was using Shrewsoft successfully with their recommended setup: https://doc.pfsense.org/index.php/IPSec_Road_Warrior/Mobile_Client_How-To

      This stopped working after 2.1.

      I've redone the IPsec setup using this: https://doc.pfsense.org/index.php/Mobile_IPsec_on_2.0

      In testing via iOS I am able to connect only if I disable NAT traversal.  A few clues are that enabling NAT traversal (force or enable) breaks the connection; however, once connected (with NAT traversal disabled), I cannot pull up any LAN IPs.  The static IP of my WAN connection is changed to X.X.X.X.

      This error is being generated by racoon in debug mode:
      Sep 16 19:22:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: 1 times of 92 bytes message will be sent to 184.151.61.39[60225]
      Sep 16 19:22:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet to 184.151.61.39[60225]
      Sep 16 19:22:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: send packet from X.X.X.X[500]
      Sep 16 19:22:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: sockname X.X.X.X[500]
      Sep 16 19:22:15 racoon: [Unknown Gateway/Dynamic]: DEBUG: 92 bytes from X.X.X.X[500] to 184.151.61.39[60225]

      Is there anything new in 2.1 that may have broken IPSEC?

      dwood

        EDIT:  IPSEC fails over WAN1 (PPPOE - DSL connection), but okay on WAN2 (cable - DHCP)

        This may be an upgrade vs rebuild-and-restore situation.  Everything works correctly on router 2, which never had VPN configured previously.

        doktornotor

          Unknown Gateway/Dynamic is no error, perfectly normal. Then again, it works just fine here with PPPoE. (Note: iThings not tested.)

          dwood

            And finally, after more investigation…the answer seems to be a multi-WAN / rules issue under 2.1 Release.  I can connect properly with routing etc. and no "Unknown Gateway" errors in racoon providing I configure as below:

            IF the ipsec interface is assigned to WAN1, then WAN1 must be set as default under SYSTEM -> ROUTING -> GATEWAYS (in my setup WAN1 and WAN2 are set up as a Gateway "LOADBALANCE" group for load balancing).

            If the IPSEC interface is set to WAN2, then WAN2 must be set as default under SYSTEM -> ROUTING -> GATEWAYS

            I can now enable NAT traversal, connect, and access IP addresses on the LAN...providing the IPSEC WAN assignment and default WAN are the same.

            Any ideas on how to enable both WAN1 and WAN2 interfaces for IPSEC? ...obviously both can't be default interfaces.

              maldex

              seems then like the racoon traffic follows the default route and the setting in the GUI is used for 'my ip' identification?

              a further try would be defining a firewall routing rule for the remote peer over wan2, so there is actually a route for the remote ip through wan2 which racoon could follow.

              my 2 cents & cheers

                jimp (Rebel Alliance Developer, Netgate)

                Bind it to LAN, and port forward udp/4500 from WAN1 to LAN IP, and WAN2 to LAN IP. You might have to manually set an identifier for the server side ("My Identifier"), but it may just work.

                Works great for OpenVPN, I presume it should also work for IPsec with NAT-T. Might work with IPsec without NAT-T, but I wouldn't hold my breath (udp/500 and esp forwarded also if you want to try)

                Then so long as your WAN1/WAN2 rules passing in the traffic are on the correct tabs (not on an interface group), the traffic should flow back out the way it came in.

                  CDuv

                  I kind of had the same issue with a similar setup.

                  Until now I had an IPSec tunnel configured to listen to interface "WAN_A" which was the only one available.
                  We added more connections (multi-WAN) and WAN_A is not the "Default gateway" anymore.

                  By looking at client-side tcpdumps and pfSense logs I can tell the client can send traffic to pfSense (shown in the IPsec logs) but never receives anything back (confirmed by IPsec logs: "racoon: [CLIENT_IP] INFO: DPD: remote (ISAKMP-SA spi=58…:71...) seems to be dead.").

                  In the future I might add more IPsec tunnels and they might not all listen on interface/gateway "WAN_A".

                  jimp, suggested to:

                  • Use "LAN" as Interface for tunnel(s)

                  • Set any desired identifier: I used "Distinguished name" setting and typed a pseudo domain name: vpn1.mycompany.com

                  • Add NAT rules so that traffic incoming from WAN_A (and any other desired gateway) on ports ISAKMP (udp/500), ESP (ip/50) and NAT-T (udp/4500) goes to pfSense's LAN interface IP: you have to manually type it there (can't select "LAN address")

                  • Apply rules and restart IPSec service

                  I can confirm this works just fine: the same tunnel can now be contacted from any gateway (use NAT or firewall rules to filter out).

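A way to verify the recipe jimp and CDuv describe (bind IPsec to LAN, then forward udp/500, udp/4500 and ESP from every WAN to the LAN IP) before restarting the service, as an added example that is not from the thread or from pfSense itself. The script parses a small NAT port-forward list and reports, per WAN, which of the three forwards is missing. The XML layout is an assumed, simplified imitation of pfSense's config.xml `<nat><rule>` entries (interface, protocol, destination port, target); the sample below is constructed and deliberately leaves NAT-T off WAN_B, which is the exact failure mode CDuv saw (IKE arrives, nothing useful comes back once NAT-T is negotiated).

```python
"""Check that every WAN forwards IKE (udp/500), NAT-T (udp/4500) and ESP to the LAN IP.

Added example, not code from the forum thread or from pfSense. The XML
layout is an ASSUMED simplification of pfSense's config.xml <nat><rule>
entries; a real backup may use different or additional fields.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: wan_a has all three forwards, wan_b lacks NAT-T.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><interface>wan_a</interface><protocol>udp</protocol>
      <destination><network>wan_aip</network><port>500</port></destination>
      <target>10.0.0.1</target><local-port>500</local-port></rule>
    <rule><interface>wan_a</interface><protocol>udp</protocol>
      <destination><network>wan_aip</network><port>4500</port></destination>
      <target>10.0.0.1</target><local-port>4500</local-port></rule>
    <rule><interface>wan_a</interface><protocol>esp</protocol>
      <destination><network>wan_aip</network></destination>
      <target>10.0.0.1</target></rule>
    <rule><interface>wan_b</interface><protocol>udp</protocol>
      <destination><network>wan_bip</network><port>500</port></destination>
      <target>10.0.0.1</target><local-port>500</local-port></rule>
    <rule><interface>wan_b</interface><protocol>esp</protocol>
      <destination><network>wan_bip</network></destination>
      <target>10.0.0.1</target></rule>
  </nat>
</pfsense>"""

# What the thread's recipe needs on each WAN: (protocol, destination port).
# ESP carries no port, hence None.
REQUIRED = (("esp", None), ("udp", "4500"), ("udp", "500"))


def parse_forwards(xml_text):
    """Return a set of (interface, protocol, dest_port, target) tuples."""
    root = ET.fromstring(xml_text)
    forwards = set()
    for rule in root.findall("./nat/rule"):
        forwards.add((
            rule.findtext("interface"),
            rule.findtext("protocol"),
            rule.findtext("destination/port"),  # None for protocol-only rules
            rule.findtext("target"),
        ))
    return forwards


def missing_forwards(xml_text, wans, lan_ip):
    """Map each WAN to the list of required forwards it does not have.

    A forward only counts if it targets lan_ip: a rule that forwards udp/4500
    to some other host would still leave the LAN-bound IPsec daemon unreachable.
    """
    forwards = parse_forwards(xml_text)
    missing = {}
    for wan in wans:
        gaps = []
        for proto, port in REQUIRED:
            if (wan, proto, port, lan_ip) not in forwards:
                gaps.append(f"{proto}/{port}" if port else proto)
        if gaps:
            missing[wan] = gaps
    return missing


if __name__ == "__main__":
    report = missing_forwards(SAMPLE_CONFIG, ["wan_a", "wan_b"], "10.0.0.1")
    for wan in ["wan_a", "wan_b"]:
        print(f"{wan}: {'ok' if wan not in report else 'missing ' + ', '.join(report[wan])}")
```

Run it against an exported config after adding the rules CDuv lists; any WAN that shows up in the report is one from which the IPsec tunnel will not come up (or will die after DPD, as in CDuv's log) because one of the three flows has no path to the LAN-bound daemon.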