Netgate Discussion Forum
    Loss of connectivity to LAN interface on IPsec configuration

    jammcla

      I am running an IPsec tunnel from one office to another office.  I realize that this might not be the best configuration, but I got it to function the way I wanted it to on pfSense version 2.1.x, so I left it alone (not sure which version I started on, but it was working on 2.1.5).

      The main office is on a university campus, and we are sending traffic to it from our scanners in remote offices to receive the scans as PDFs in emails.  We tried a few outside companies, but the emails would sometimes take an hour to arrive.  We never had the problem with the university mail server.

      To get it to work originally, I set up a secondary pfSense box in one of the remote offices and a secondary pfSense box in the main office just to pass the data from the printers.

      I had it set up so that any data hitting the remote office pfSense box would go to the main office and get NATed to appear as local traffic on the university campus.  I had the remote office's main router pass only traffic destined for the mail server to the pfSense box.

      This has been functioning the way I wanted it to for months.

      I decided to upgrade it to pfSense 2.2-RELEASE.

      The main office pfSense box upgraded fine (non-virtual system).

      The remote office box failed to upgrade, so I had to do a clean reinstall of pfSense and manually redo the configuration.  I got it installed (had some issues with Hyper-V, but I got them figured out).  I got it fully configured.

      As soon as I created the IPsec configuration and enabled IPsec, I lost connectivity to the LAN port.  The pfSense box is still passing traffic like it should, but there is no connectivity to the LAN port for local administration or ping.  It will also not ping out to the LAN.

      It is like the IPsec tunnel has higher priority than the local network itself.  How can I regain its ability to talk with the LAN network again?

      [Attachment: Remote_Office.jpg]

        eri--

        Ah yeah, because in pfSense 2.1.5 there were automatic entries preventing LAN IP-initiated traffic from being considered IPsec traffic.
        They are not present in 2.2 anymore, and maybe the advanced option to create them needs to be brought back.

          herger21

          Hi jammcla,
          I have set up an IPsec tunnel with 0.0.0.0/0 on both sides for the encryption domain, and I lost administration on the LAN interface.
          I use the 2.2 version.
          Have you found a solution to this problem, or did you downgrade?

            ArthurGordon

            Hi all,

            I've had the same issue since upgrading to 2.2-RELEASE on an ALIX board.
            It seems that this problem occurs when IPsec phase 2 is activated.

            @ermal:
            Do you have an idea how to restore these settings you mentioned?

              jonallport

              BUMP!

              I too have hit this issue - most annoying.

                cabenico

                Same problem for me.

                  cabenico

                  At the moment, to resolve this... not very nice, but it confirms what I said.

                  I made a shell script xxx.sh in /usr/local/etc/rc.d/:

                  #!/bin/sh
                  # Wait for the system to finish booting, then restart strongSwan once.
                  sleep 40
                  ipsec stop
                  sleep 5
                  ipsec start

                  Do not forget to chmod 777 the xxx.sh.

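As an added example (not code from this thread, from pfSense or from strongSwan), the POSIX shell script below generates the kind of "bypass" entries eri-- describes above: policies that keep traffic between the firewall's own LAN address and the LAN subnet out of a phase 2 whose remote network is 0.0.0.0/0, which is herger21's case. It emits the same selector in two forms, setkey(8) SPD entries with the `none` policy (the kernel-level form), and a strongSwan ipsec.conf `conn` of `type=passthrough` (the form I assume later pfSense releases use for their LAN bypass option; check your version's IPsec advanced settings). The subnet 192.168.1.0/24 and the conn name `bypasslan` are placeholders. Unlike the restart script in the previous post, this removes the cause rather than working around the timing; and if you do keep an rc.d script, it only needs to be executable (mode 755), because a world-writable script that runs as root at boot lets any local user run commands as root.

```shell
#!/bin/sh
# Added example: generate IPsec "bypass" policies for the LAN subnet so that
# the firewall's own LAN traffic is never matched by a 0.0.0.0/0 phase 2.
# Not code from this thread, pfSense or strongSwan. 192.168.1.0/24 and the
# conn name "bypasslan" are placeholders; substitute your LAN subnet.

# Accept only a.b.c.d/n with each octet 0-255 and n 0-32. A malformed
# selector would silently install a policy matching the wrong traffic.
check_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no "/" at all
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric prefix
    [ "$plen" -le 32 ] || return 1
    (
        IFS=.
        set -f                                       # no glob expansion
        set -- $addr
        [ $# -eq 4 ] || exit 1
        for o; do
            case "$o" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
    )
}

# setkey(8) SPD entries. Policy "none" tells the kernel to do no IPsec
# processing for packets matching the selector, in both directions.
setkey_bypass() {
    check_cidr "$1" || { echo "not an IPv4 CIDR: $1" >&2; return 1; }
    printf 'spdadd %s %s any -P out none;\n' "$1" "$1"
    printf 'spdadd %s %s any -P in none;\n' "$1" "$1"
}

# strongSwan ipsec.conf stanza with the same effect: a passthrough conn
# installed at start-up (auto=route) that needs no peer authentication.
strongswan_bypass() {
    check_cidr "$1" || { echo "not an IPv4 CIDR: $1" >&2; return 1; }
    printf 'conn bypasslan\n'
    printf '\tleftsubnet = %s\n' "$1"
    printf '\trightsubnet = %s\n' "$1"
    printf '\tauthby = never\n'
    printf '\ttype = passthrough\n'
    printf '\tauto = route\n'
}

# Print both forms for the placeholder subnet. On a live firewall the first
# block is fed to "setkey -c" and the second is appended to ipsec.conf,
# followed by "ipsec reload".
main() {
    lan=192.168.1.0/24
    echo '# setkey -c <<EOF'
    setkey_bypass "$lan"
    echo '# EOF'
    echo
    strongswan_bypass "$lan"
}

main
```

Either form is only a selector exception; the tunnel itself is unchanged, so the remote office still reaches the mail server through the phase 2, while pings and web-GUI sessions to the LAN address stay in the clear on the LAN.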
                    cabenico

                    Not really sure, but another thing to try:

                    IPSEC CLIENT
                    Phase 2 proposal (SA/Key Exchange): check ONLY these
                    Encryption algorithms:
                    AES / Blowfish / 3DES / CAST128 / DES

                    Hash algorithms: check ONLY
                    MD5 and SHA1

                    I have to try it for some more days.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.