IPsec tunnel problem with 2.1.5 and 2.2rc
-
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes
    charondebug="dmn 0,mgr 1,ike 2,chd 2,cfg 1,net 1,imv 0,esp 1"

conn con1000
    reqid = 1
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 40s
    auto = route
    left = 93.104.178.7
    right = 6.1.47.71
    leftid = @net.dyn.org
    ikelifetime = 7200s
    lifetime = 28800s
    ike = aes128-sha1-modp1024!
    esp = aes256-sha1-modp1024,aes256-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = 6.1.47.71
    aggressive = no
    rightsubnet = 10.0.47.0/24
    leftsubnet = 192.168.24.0/24

conn con1001
    reqid = 2
    fragmentation = yes
    keyexchange = ikev1
    reauth = yes
    forceencaps = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 40s
    auto = route
    left = 9.1.178.7
    right = 6.1.47.71
    leftid = @net.dyn.org
    ikelifetime = 7200s
    lifetime = 28800s
    ike = aes128-sha1-modp1024!
    esp = aes256-sha1-modp1024,aes256-sha1-modp1024!
    leftauth = psk
    rightauth = psk
    rightid = 6.1.47.71
    aggressive = no
    rightsubnet = 10.0.48.0/24
    leftsubnet = 192.168.24.0/24
-
This happens even when you are initiator?
I believe your other side is coming in on your other interface while you expect it on WAN?
-
I think this end is initiator and responder, because the other side opens the tunnels as well.
BTW I already did a packet trace on the "other" interface to see if there's traffic (UDP & port 500) coming or going.
Nothing!
But I can check the other pfSense 2.1.5 tomorrow.
I deliberately changed the tunnel to this other IF and checked that the dyn address points to the correct IP and IF.
-
Update:
Just checked the 2.1.5 side and no packets go to the wrong public IF of the 2.2.
-
Updated and still the same tunnel problems?
2.2-RC (amd64)
built on Fri Jan 16 11:53:08 CST 2015
@Ermal: Do you think my NAT & firewall rules are ok on the WAN IF?
-
What NAT again? You've already been told you cannot NAT IPsec.
-
::)
Outbound NAT: Automatic Rules.
And pls let me know where I was told to "not NAT IPsec"?
-
And BTW I just captured packets on my WAN and could see ISAKMP (Main Mode) going back and forth between both pfSenses.
-
And pls let me know where I was told to "not NAT IPsec"?
https://forum.pfsense.org/index.php?topic=86590.msg475029#msg475029
-
@doktornotor: Checking my reply, I said I removed "any NAT rules", meaning the ones I manually created!
But as known, the "Automatic Outbound NAT rules" persist due to the mode!
So I'm pretty sure that if the config is correctly interpreted by pfSense no manual rule should interfere.
But my question was if any of the other inbound rules could interfere with the VPN?
Do you have an answer for this?
-
The automatic outbound NAT rules won't hurt anything with IPsec.
For inbound, if you have a port forward on UDP 500 or ESP traffic, that'll break it also. If you have a 1:1 NAT using the public IP where it terminates, that'll forward the traffic to an internal host and break things as well.
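As an added check that is not from this thread or from pfSense itself, the script below parses the conn sections of the ipsec.conf posted above and flags the conditions just described: a `left` address that belongs to no local interface, a port forward for UDP 500/4500 or ESP on that interface, and a 1:1 NAT on the address where the tunnel terminates. The interface map and the NAT rules are constructed sample data, not the poster's configuration.

```python
import re
# The two conn sections from the ipsec.conf posted above, reduced to the keys this check reads.
IPSEC_CONF = """conn con1000
    left = 93.104.178.7
    leftsubnet = 192.168.24.0/24
conn con1001
    left = 9.1.178.7
    leftsubnet = 192.168.24.0/24
"""
# Constructed sample data (not from the thread): interface addresses, port forwards, 1:1 NAT.
INTERFACES = {"wan": "93.104.178.7", "opt1": "198.51.100.7"}
PORT_FORWARDS = [
    {"if": "wan", "proto": "udp", "dport": 500, "target": "192.168.24.10"},  # steals ISAKMP
    {"if": "wan", "proto": "tcp", "dport": 443, "target": "192.168.24.20"},  # harmless
]
ONE_TO_ONE = [{"if": "wan", "external": "93.104.178.7", "internal": "192.168.24.30"}]
IKE_PORTS = {500, 4500}  # ISAKMP and NAT-T

def parse_conns(text):
    """Parse the 'conn NAME' sections of a strongSwan ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return conns

def check_ipsec_nat(conf_text, interfaces, port_forwards, one_to_one):
    """Report settings under which a peer's IKE/ESP never reaches charon on the conn's 'left'."""
    findings, addr_to_if = [], {ip: name for name, ip in interfaces.items()}
    for name, conn in parse_conns(conf_text).items():
        left = conn.get("left")
        if left not in addr_to_if:
            findings.append(f"{name}: left {left} is not an address of any local interface")
            continue
        ifname = addr_to_if[left]
        for pf in port_forwards:
            hits_ike = pf["proto"] == "udp" and pf.get("dport") in IKE_PORTS
            if pf["if"] == ifname and (hits_ike or pf["proto"] == "esp"):
                findings.append(f"{name}: port forward {pf['proto']}/{pf.get('dport')} on {ifname} diverts IKE/ESP to {pf['target']}")
        for nat in one_to_one:
            if nat["external"] == left:
                findings.append(f"{name}: 1:1 NAT on {left} sends all inbound traffic to {nat['internal']}")
    return findings
```

Run against the sample data it reports the UDP 500 forward and the 1:1 NAT for con1000, and that con1001's `left` is on no listed interface.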
-
Hmm, thanks, but I can't find any inbound NATs with 500.
Maybe we should look at it using our old support contract?
-
Maybe we should look at it using our old support contract?
Commercial support is definitely the best answer. Your support expired over 5 years ago though; if you purchase to activate support on your account again, we can definitely assist.
-
I'll PM you on this, ok?