Ipsec v1 - no traffic



  • Hi,

    I can't send traffic over my IPsec connection with 2.2 (I have tried every snapshot for the last 2 months).
    If I use the same setup with 2.1.5, I can send traffic immediately.

    The only difference I've found is the route with the current 2.2

    Setup:
    Complete fresh installation (without importing anything)
    IPsec v1 Mobile Client

    Mobile clients: Virtual address pool: 192.168.44.0/24 / Provide a list of accessible networks to clients

    PH1: v1 / Mutual PSK / Aggressive / AES256 / SHA1 / DH5 / DPD / NAT-T enabled
    PH2: Tunnel IPv4 / LAN subnet / ESP / AES256 / SHA1 / PFS5

    pfSense 2.2 / WAN Static IP / LAN: 10.20.30.251/24
    Shrew Soft Client / behind a pfSense 2.1 / LAN: 10.27.30.251/24

    I've already created rules to allow all protocols on the WAN, LAN and IPsec interfaces (not necessary, I know).

    setkey -D

    93.129.14.20 62.128.115.85
            esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
            E: rijndael-cbc  234b1565 3c132fe5 4dbb2852 00226f69 2e2cc005 69afdee9 6a6dae7d b0ca2d2a
            A: hmac-sha1  a1ae239a 277baa0d 95b8376a b394072a a8c5e820
            seq=0x00000000 replay=32 flags=0x00000000 state=mature
            created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
            diff: 23(s)     hard: 3600(s)   soft: 2592(s)
            last:                           hard: 0(s)      soft: 0(s)
            current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
            allocated: 0    hard: 0 soft: 0
            sadb_seq=2 pid=51565 refcnt=1
    62.128.115.85 93.129.14.20
            esp mode=any spi=3416878343(0xcba96d07) reqid=1(0x00000001)
            E: rijndael-cbc  ffd4f217 207506d5 fd1b885e b5a7da35 6f23db1c 79e94d42 58b2fb77 000385b5
            A: hmac-sha1  71f401ee bdaace50 ba876af8 faf14c78 ef2190a3
            seq=0x00000000 replay=32 flags=0x00000000 state=mature
            created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
            diff: 23(s)     hard: 3600(s)   soft: 2653(s)
            last:                           hard: 0(s)      soft: 0(s)
            current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
            allocated: 0    hard: 0 soft: 0
            sadb_seq=1 pid=51565 refcnt=1
    62.128.115.85 93.129.14.20
            esp mode=any spi=3303778327(0xc4eba817) reqid=1(0x00000001)
            seq=0x00000000 replay=0 flags=0x00000000 state=larval
            sadb_seq=0 pid=51565 refcnt=1
    

    netstat -r

    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Netif Expire
    default            93-129-14-17.rev.i UGS       hn0
    10.20.30.0         link#6             U         hn1
    fw20               link#6             UHS       lo0
    93.129.14.16/29    link#5             U         hn0
    93-129-14-20.rev.i link#5             UHS       lo0
    localhost          link#3             UH        lo0
    192.168.44.1       93-129-14-17.rev.i UGHS      hn0
    

    ipsec.conf

    # This file is automatically generated. Do not edit
    config setup
            uniqueids = yes
            charondebug="ike 2"
    
    conn con1
            aggressive = yes
            fragmentation = yes
            keyexchange = ikev1
            reauth = yes
            rekey = yes
            reqid = 1
            installpolicy = yes
            type = tunnel
            dpdaction = clear
            dpddelay = 10s
            dpdtimeout = 60s
            auto = add
            left = 93.129.14.20
            right = %any
            leftid = 93.129.14.20
            ikelifetime = 28800s
            lifetime = 3600s
            rightsourceip = 192.168.44.0/24
            rightsubnet = 192.168.44.0/24
            leftsubnet = 10.20.30.0/24
            ike = aes256-sha1-modp1536!
            esp = aes256-sha1-modp1536!
            leftauth = psk
            rightauth = psk
    

    Any ideas?
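The `setkey -D` dump above already contains the key diagnostic: both ESP SAs are `state=mature` with matching `reqid`, yet after 23 seconds each still shows `current: 0(bytes)`, so IKE negotiation succeeded and the problem lies in the policy/traffic selectors or routing rather than in authentication. The following Python script is an added example, not code from the original post or from pfSense; it parses a `setkey -D` dump into per-SA records and flags exactly that "tunnel is up but idle" pattern. The sample text is a constructed, abbreviated copy of the dump from the post (key material truncated; the parser ignores the `E:`/`A:` lines), and the `idle_after_s` threshold is an assumed tuning knob.

```python
"""Parse `setkey -D` output and flag SAs that are mature but have never carried traffic."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: abbreviated copy of the setkey -D dump from the post above.
SAMPLE_SETKEY = """\
93.129.14.20 62.128.115.85
        esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
        E: rijndael-cbc  234b1565 3c132fe5
        A: hmac-sha1  a1ae239a 277baa0d
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
        diff: 23(s)     hard: 3600(s)   soft: 2592(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=51565 refcnt=1
62.128.115.85 93.129.14.20
        esp mode=any spi=3416878343(0xcba96d07) reqid=1(0x00000001)
        E: rijndael-cbc  ffd4f217 207506d5
        A: hmac-sha1  71f401ee bdaace50
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
        diff: 23(s)     hard: 3600(s)   soft: 2653(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=51565 refcnt=1
62.128.115.85 93.129.14.20
        esp mode=any spi=3303778327(0xc4eba817) reqid=1(0x00000001)
        seq=0x00000000 replay=0 flags=0x00000000 state=larval
        sadb_seq=0 pid=51565 refcnt=1
"""


@dataclass
class SA:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    reqid: int = 0
    state: str = ""
    bytes_current: int = 0   # bytes carried so far ("current: N(bytes)")
    age_s: int = 0           # seconds since creation ("diff: N(s)")


HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")                        # "src dst", unindented
SPI_RE = re.compile(r"^\s+(\w+)\s+mode=(\S+)\s+spi=(\d+)\(0x[0-9a-f]+\)\s+reqid=(\d+)")
STATE_RE = re.compile(r"state=(\w+)")
BYTES_RE = re.compile(r"^\s+current:\s+(\d+)\(bytes\)")
DIFF_RE = re.compile(r"^\s+diff:\s+(\d+)\(s\)")


def parse_setkey(text: str) -> List[SA]:
    """Split a setkey -D dump into SA records; unindented lines start a new SA."""
    sas: List[SA] = []
    cur: Optional[SA] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            if m:
                cur = SA(src=m.group(1), dst=m.group(2))
                sas.append(cur)
            continue
        if cur is None:
            continue
        m = SPI_RE.match(line)
        if m:
            cur.proto, cur.mode = m.group(1), m.group(2)
            cur.spi, cur.reqid = int(m.group(3)), int(m.group(4))
            continue
        if line.lstrip().startswith("seq="):
            m = STATE_RE.search(line)
            if m:
                cur.state = m.group(1)
            continue
        m = BYTES_RE.match(line)
        if m:
            cur.bytes_current = int(m.group(1))
            continue
        m = DIFF_RE.match(line)
        if m:
            cur.age_s = int(m.group(1))
    return sas


def diagnose(sas: List[SA], idle_after_s: int = 10) -> List[str]:
    """One finding per SA that is larval, or mature-but-idle past idle_after_s (assumed threshold)."""
    findings: List[str] = []
    for sa in sas:
        tag = f"{sa.src}->{sa.dst} spi=0x{sa.spi:08x} reqid={sa.reqid}"
        if sa.state == "larval":
            findings.append(f"{tag}: larval (keys not installed yet); harmless unless it persists")
        elif sa.state == "mature" and sa.bytes_current == 0 and sa.age_s >= idle_after_s:
            findings.append(f"{tag}: mature for {sa.age_s}s with 0 bytes; IKE is fine, "
                            "check P2 selectors (leftsubnet/rightsubnet) and routing")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_setkey(SAMPLE_SETKEY)):
        print(finding)
```

Run against the live dump with `setkey -D | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; a healthy mobile-client tunnel shows one mature inbound and one mature outbound SA per `reqid` with byte counters climbing, and the outbound counter staying at zero while the inbound one grows is the classic sign that the client's packets arrive but the gateway's return traffic is not matched by any policy.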


  • Rebel Alliance Developer Netgate

    Try adding a P2 policy for 0.0.0.0/0 and see if Shrew will work then. Shrew can be quite picky about pulling its remote network policies sometimes.

    You might also try toggling Shrew's option to 'tunnel all' to see if that helps.



  • That was fast.

    leftsubnet = 0.0.0.0/0
    

    Works!!!!! Thank you very much.

    But I still have no idea why my setup works in 2.1.5 but not in 2.2 :(


  • Rebel Alliance Developer Netgate

    The IPsec backend changed between 2.1.x and 2.2. On 2.1.x it's racoon, on 2.2 it's strongswan.

    The difference is in how racoon sends the network data to shrew compared to how strongswan sends it.

