Loss of connectivity to LAN interface on IPsec configuration



  • I am running an IPsec tunnel from one office to another office.  I realize that this might not be the best configuration, but I got it to function the way I wanted it to on pfSense version 2.1.x, so I left it alone (not sure which version I started on, but it was working on 2.1.5).

    The main office is on a university campus, and we are sending traffic to it from our scanners in remote offices to receive the scans as PDFs in emails.  We tried a few outside companies, but the emails would sometimes take an hour to arrive.  We never had that problem with the university mail server.

    To get it to work originally, I set up a secondary pfSense box in one of the remote offices and a secondary pfSense box in the main office just to pass the data from the printers.

    I had it set up so that any data hitting the remote office pfSense box would go to the main office and get NAT-ed to show as if it was local traffic on the university campus.  I had the remote office's main router pass only traffic that went to the mail server to the pfSense box.

    This has been functioning the way I wanted it to for months.

    I decided to upgrade it to pfSense 2.2-RELEASE.

    The main office pfSense box upgraded fine; it is a non-virtual system.

    The remote office box failed to upgrade, so I had to do a clean reinstall of pfSense and manually redo the configuration.  I got it installed (had some issues with Hyper-V, but I got them figured out).  I got it fully configured.

    As soon as I created the IPsec configuration and enabled IPsec, I lost connectivity to the LAN port.  The pfSense box is still passing traffic like it should, but there is no connectivity to the LAN port for local administration or ping.  It will also not ping out to the LAN.

    It is like the IPsec tunnel has higher priority than the local network itself.  How can I regain its ability to talk with the LAN network again?




  • Ah yeah, because in pfSense 2.1.5 there were automatic entries preventing LAN-IP-initiated traffic from being considered IPsec traffic.
    They are not present in 2.2 anymore, and it may be necessary to bring back the advanced option to create them.



  • Hi jammcla,
    I have set up an IPsec tunnel with 0.0.0.0/0 on both sides for the encryption domain, and I lost administration on the LAN interface.
    I use the 2.2 version.
    Have you found a solution to this problem, or have you downgraded?



  • Hi all,

    I've had the same issue since upgrading to 2.2-RELEASE on an ALIX board.
    It seems that this problem occurs when IPsec phase 2 is activated.

    @ermal:
    Do you have an idea how to restore these settings you mentioned?
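As an added illustration (not one of the posts in this thread), this is how the "LAN-initiated traffic is not IPsec traffic" exception that ermal describes, and that this post asks how to restore, is expressed in strongSwan, which pfSense 2.2 uses: a passthrough connection for the LAN subnet, which takes precedence over the tunnel's 0.0.0.0/0 phase 2 policy. The connection name, the LAN subnet 192.168.1.0/24, and the idea of placing it in ipsec.conf are assumptions; pfSense regenerates its strongSwan configuration from the GUI settings, so a hand edit serves to test the mechanism rather than as a persistent fix.

```conf
# Added example, not from this thread: a strongSwan ipsec.conf
# passthrough (bypass) connection. Traffic between LAN hosts and the
# firewall's LAN subnet is excluded from IPsec, so local administration
# and ping keep working even when the tunnel's phase 2 is 0.0.0.0/0.
# 192.168.1.0/24 is an assumed LAN subnet; replace with the real one.
conn bypasslan
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    # no IKE or authentication: this is a kernel policy only
    authby=never
    # "passthrough" installs a bypass policy instead of an ESP tunnel
    type=passthrough
    # install the policy at startup without waiting for traffic
    auto=route
```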



  • BUMP!

    I too have hit this issue; most annoying.



  • Same problem for me...



  • At the moment, to resolve this... not very nice, but it confirms what I said...

    I made a shell script xxx.sh in /usr/local/etc/rc.d/

    "
    #!/bin/sh
    # Wait for the rest of the boot to settle, then restart the
    # strongSwan daemon so the LAN becomes reachable again.
    sleep 40
    ipsec stop
    sleep 5
    ipsec start
    "

    Do not forget to chmod 777 the xxx.sh.



  • Not really sure, but another thing to try...

    IPsec CLIENT:
    Phase 2 proposal (SA/Key Exchange): ONLY CHECK these
    Encryption algorithms: AES / Blowfish / 3DES / CAST128 / DES

    Hash algorithms: ONLY CHECK MD5 and SHA1

    I have to try it for some more days...

