Netgate Discussion Forum
    Ipsec v1 - no traffic

    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    hege

      Hi,

      I can't send traffic over my IPsec connection with 2.2 (I have tried every snapshot for the past 2 months).
      If I use the same setup with 2.1.5, I can send traffic immediately.

      The only difference I've found is the route with the current 2.2.

      Setup:
      Complete fresh installation (without importing anything)
      IPsec v1 Mobile Client

      Mobile clients: Virtual address pool: 192.168.44.0/24 / Provide a list of accessible networks to clients

      PH1: v1 / Mutual PSK / Aggressive / AES256 / SHA1 / DH5 / DPD / NAT-T enabled
      PH2: Tunnel IPv4 / LAN subnet / ESP / AES256 / SHA1 / PFS5

      pfSense 2.2 / WAN Static IP / LAN: 10.20.30.251/24
      Shrew Soft Client / behind a pfSense 2.1 / LAN: 10.27.30.251/24

      I've already created rules to allow all protocols on the WAN, LAN and IPsec interfaces… (not necessary, I know)

      setkey -D

      93.129.14.20 62.128.115.85
              esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
              E: rijndael-cbc  234b1565 3c132fe5 4dbb2852 00226f69 2e2cc005 69afdee9 6a6dae7d b0ca2d2a
              A: hmac-sha1  a1ae239a 277baa0d 95b8376a b394072a a8c5e820
              seq=0x00000000 replay=32 flags=0x00000000 state=mature
              created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
              diff: 23(s)     hard: 3600(s)   soft: 2592(s)
              last:                           hard: 0(s)      soft: 0(s)
              current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
              allocated: 0    hard: 0 soft: 0
              sadb_seq=2 pid=51565 refcnt=1
      62.128.115.85 93.129.14.20
              esp mode=any spi=3416878343(0xcba96d07) reqid=1(0x00000001)
              E: rijndael-cbc  ffd4f217 207506d5 fd1b885e b5a7da35 6f23db1c 79e94d42 58b2fb77 000385b5
              A: hmac-sha1  71f401ee bdaace50 ba876af8 faf14c78 ef2190a3
              seq=0x00000000 replay=32 flags=0x00000000 state=mature
              created: Oct 14 21:30:11 2014   current: Oct 14 21:30:34 2014
              diff: 23(s)     hard: 3600(s)   soft: 2653(s)
              last:                           hard: 0(s)      soft: 0(s)
              current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
              allocated: 0    hard: 0 soft: 0
              sadb_seq=1 pid=51565 refcnt=1
      62.128.115.85 93.129.14.20
              esp mode=any spi=3303778327(0xc4eba817) reqid=1(0x00000001)
              seq=0x00000000 replay=0 flags=0x00000000 state=larval
              sadb_seq=0 pid=51565 refcnt=1
      

      netstat -r

      Routing tables
      
      Internet:
      Destination        Gateway            Flags    Netif Expire
      default            93-129-14-17.rev.i UGS       hn0
      10.20.30.0        link#6             U         hn1
      fw20               link#6             UHS       lo0
      93.129.14.16/29    link#5             U         hn0
      93-129-14-20.rev.i link#5             UHS       lo0
      localhost          link#3             UH        lo0
      192.168.44.1        93-129-14-17.rev.i UGHS      hn0
      

      ipsec.conf

      # This file is automatically generated. Do not edit
      config setup
              uniqueids = yes
              charondebug="ike 2"
      
      conn con1
              aggressive = yes
              fragmentation = yes
              keyexchange = ikev1
              reauth = yes
              rekey = yes
              reqid = 1
              installpolicy = yes
              type = tunnel
              dpdaction = clear
              dpddelay = 10s
              dpdtimeout = 60s
              auto = add
              left = 93.129.14.20
              right = %any
              leftid = 93.129.14.20
              ikelifetime = 28800s
              lifetime = 3600s
              rightsourceip = 192.168.44.0/24
              rightsubnet = 192.168.44.0/24
              leftsubnet = 10.20.30.0/24
              ike = aes256-sha1-modp1536!
              esp = aes256-sha1-modp1536!
              leftauth = psk
              rightauth = psk
      

      Any ideas?

      jimp (Rebel Alliance Developer, Netgate)

        Try adding a P2 policy for 0.0.0.0/0 and see if Shrew will work then. Shrew can be quite picky about pulling its remote network policies sometimes.

        You might also try toggling Shrew's option to 'tunnel all' to see if that helps.

        hege

          That was fast.

          leftsubnet = 0.0.0.0/0
          

          Works!!!!! Thank you very much.

          But I still have no idea why my setup works in 2.1.5 but not in 2.2 :(

          jimp (Rebel Alliance Developer, Netgate)

            The IPsec backend changed between 2.1.x and 2.2. On 2.1.x it's racoon, on 2.2 it's strongswan.

            The difference is in how racoon sends the network data to shrew compared to how strongswan sends it.

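An added diagnostic for the two things this thread turns on (example code, not from the thread, pfSense or strongSwan): it parses a `setkey -D` dump like the one in the first post to flag SAs that are mature yet have carried zero bytes, and it scans a generated ipsec.conf for road-warrior conns (right = %any) whose leftsubnet is narrower than the 0.0.0.0/0 that made the Shrew client work. The function names and the sample inputs are my own; the samples are constructed in the shape of the thread's output.

```python
import re
# Constructed sample in the shape of the thread's `setkey -D` dump (key material omitted).
SETKEY_SAMPLE = """\
93.129.14.20 62.128.115.85
        esp mode=tunnel spi=1133534127(0x43905baf) reqid=1(0x00000001)
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        diff: 23(s)     hard: 3600(s)   soft: 2592(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
62.128.115.85 93.129.14.20
        seq=0x00000000 replay=0 flags=0x00000000 state=larval
"""
# Constructed, trimmed copy of the generated ipsec.conf from the first post.
IPSEC_CONF_SAMPLE = """\
conn con1
        right = %any
        rightsourceip = 192.168.44.0/24
        leftsubnet = 10.20.30.0/24
"""

def parse_setkey(text):
    """One dict per SA in `setkey -D` output: src, dst, state, age in seconds, bytes."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"^(\S+) (\S+)$", line)  # an unindented "src dst" line opens an SA
        if m:
            sas.append({"src": m[1], "dst": m[2], "state": None, "age": None, "bytes": None})
        elif sas:
            for key, pat in (("state", r"state=(\w+)"), ("age", r"diff: (\d+)\(s\)"),
                             ("bytes", r"current: (\d+)\(bytes\)")):
                m = re.search(pat, line)
                if m:
                    sas[-1][key] = m[1] if key == "state" else int(m[1])
    return sas

def idle_mature_sas(text, min_age=10):
    """Mature SAs at least min_age seconds old that never carried a byte: the tunnel is
    up but nothing is selected into it, which is the symptom in the first post."""
    return [sa for sa in parse_setkey(text)
            if sa["state"] == "mature" and sa["bytes"] == 0 and (sa["age"] or 0) >= min_age]

def narrow_mobile_conns(conf):
    """conns with right=%any whose leftsubnet is not the 0.0.0.0/0 the thread settled on."""
    out = []
    for block in re.split(r"^conn ", conf, flags=re.M)[1:]:
        name, _, body = block.partition("\n")
        opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", body, flags=re.M))
        if opts.get("right") == "%any" and opts.get("leftsubnet") != "0.0.0.0/0":
            out.append(name.strip())
    return out
```

Run it against the live output of `setkey -D` and the generated ipsec.conf on the 2.2 box; an idle mature SA together with a narrow leftsubnet on the mobile conn is exactly the combination the thread describes.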