Netgate Discussion Forum

    IPSec Traffic Issue/Question

    IPsec
    4 Posts 2 Posters 1.3k Views
    • dsvj1977

      Hi everyone!

      I have created an IPSec tunnel, and according to the logs, all goes smoothly.  I get a log entry in racoon as follows:

      INFO: IPsec-SA established: ESP xxx.xxx.xxx.xxx[500]->yyy.yyy.yyy.yyy[500] spi=2387206220(0x8e49e04c)

      The other end of the tunnel shows it as being up, but in the Status > IPSec screen, it shows a yellow "X" with an error.

      I am using my LAN subnet with a NAT address in Local Network.  I am unable to ping the "Remote Network" IP address, and at one point, the firewall logs showed traffic being blocked with a source of the Remote Network IP address, and a Destination of my NAT address.  I added a rule allowing this traffic, but the other end that was pinging the NAT address was still unable to get through.

      The rule has since been disabled, but the firewall logs are not showing the blocked traffic anymore.  Also, there is no traffic on interface "enc0" at all.

      What am I missing?  I don't believe I need to define a static route for the IPSec tunnel to be NATted through.

      Thanks,
      Daryl

      • dsvj1977

        Further information! :)

        racoon is giving me the following:

        racoon: WARNING: no outbound policy found: 172.25.50.243/32[0] 10.140.10.8/32[0] proto=any dir=out

        In my Phase2, I have my Local Network as "LAN Subnet", and the NAT/BINAT as "Address" - 172.20.60.243.

        On the other end of the tunnel, the machine is continuously pinging 172.25.50.243.  In the firewall logs, I can see exactly one entry for the ping (I created the firewall rule to allow it, and turned on logging for that rule).  Then nothing else.  Nothing is blocked, nothing gets through.

        In the Status: IPsec: SAD screen, I see 2 entries for the tunnel, and the Data column for data coming from the other end is gradually increasing.  The Data from my end is always at 0.

        It seems that racoon is not creating the outbound policy.  Do I require a specific firewall rule?  I have already created a rule to allow any traffic in the IPsec tab, for troubleshooting purposes.

        Thanks,
        Daryl

        • bshack
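An added diagnostic script, not from this thread or from pfSense itself: it pulls the SA endpoints and the selectors from the "no outbound policy found" warning out of racoon log lines like the ones quoted above, and checks those selectors against the Phase 2 addresses you believe you configured. The BINAT address comes from the post; the public endpoint addresses and the remote network (10.140.10.0/24) are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample racoon log, modelled on the two lines quoted in the thread
# (public endpoint addresses are documentation-range placeholders).
RACOON_LOG = """\
racoon: INFO: IPsec-SA established: ESP 203.0.113.10[500]->198.51.100.20[500] spi=2387206220(0x8e49e04c)
racoon: WARNING: no outbound policy found: 172.25.50.243/32[0] 10.140.10.8/32[0] proto=any dir=out
"""

SA_RE = re.compile(
    r"IPsec-SA established: (\w+) (\S+?)\[\d+\]->(\S+?)\[\d+\] spi=(\d+)\((0x[0-9a-f]+)\)")
POLICY_RE = re.compile(
    r"no outbound policy found: (\S+?)\[\d+\] (\S+?)\[\d+\] proto=(\S+) dir=(\w+)")


def parse_racoon(text):
    """Extract established SAs and 'no outbound policy' warnings from racoon log text."""
    sas, missing = [], []
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            sas.append({"proto": m.group(1), "src": m.group(2), "dst": m.group(3),
                        "spi": int(m.group(4)), "spi_hex": m.group(5)})
            continue
        m = POLICY_RE.search(line)
        if m:
            missing.append({"src": m.group(1), "dst": m.group(2),
                            "proto": m.group(3), "dir": m.group(4)})
    return sas, missing


def check_phase2(missing, local_selector, remote_selector):
    """Compare each missing outbound policy with the Phase 2 selectors you believe you
    configured (local = LAN subnet or its NAT/BINAT address, remote = Remote Network).
    Returns one finding per mismatch; an empty list means the selectors line up and the
    missing policy has another cause (for example Phase 2 never being negotiated)."""
    local = ipaddress.ip_network(local_selector, strict=False)
    remote = ipaddress.ip_network(remote_selector, strict=False)
    findings = []
    for p in missing:
        src = ipaddress.ip_network(p["src"], strict=False)
        dst = ipaddress.ip_network(p["dst"], strict=False)
        if not src.subnet_of(local):
            findings.append(f"policy src {p['src']} is outside configured local/BINAT {local}")
        if not dst.subnet_of(remote):
            findings.append(f"policy dst {p['dst']} is outside configured remote {remote}")
    return findings


if __name__ == "__main__":
    sas, missing = parse_racoon(RACOON_LOG)
    for finding in check_phase2(missing, "172.20.60.243/32", "10.140.10.0/24"):
        print(finding)
```

With the BINAT address given in the post (172.20.60.243) the script reports that the kernel is looking for a policy for 172.25.50.243 instead, which is the first thing to reconcile before looking at firewall rules.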

          With much trepidation and carelessly reckless abandon I will see if using the filer package will work.  Not sure if it will overwrite the conf file or not, but hey, nothing ventured and all that jazz.  I am leaning much more towards just telling the support staff that they will just have to get OpenVPN installed on all the client systems and to deal with the time it will take to do this.  That seems like it will be a much better option in the end.

          • dsvj1977

            After working closely with the other end, we were able to get a tunnel going by not using NAT.  Once we removed that, and changed their configuration accordingly, the tunnel came up.

            The only problem now is that only their end can bring the tunnel up.  Whenever my end tries to initiate the tunnel, it gives Phase2 errors.  The wonderful "NO PROPOSAL CHOSEN" error ID.

            Would anyone know what I'm doing wrong in this situation?  I have confirmed on their end that the tunnel is configured as Bidirectional, and should be able to be brought up from either end.

            Not sure if it matters, but I am connecting this tunnel to a Cisco ASA.

            Thanks,
            Daryl

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.