IPsec Phase 2 kills secondary LAN Link



  • I have added a secondary LAN link on my PFsense for an additional Network.
    I have an IPsec tunnel to a SonicWall and all traffic is routed through the IPsec tunnel from LAN1.
    I then added a secondary Phase2 to route all traffic from the LAN2 connection through the same tunnel. The tunnel shows as connected on both ends.

    The problem I am facing now is below:
    I can ping the LAN2 interface from my clients if the Phase 2 for the second LAN interface is disabled. (no WAN access is possible as all traffic needs to go through the IPsec tunnel)
    As soon as I enable the Phase2 for the second LAN interface it comes up as connected on both ends but all traffic stops. I cannot even ping my LAN interface on the PFsense any more.
    Theoretically it should now route all traffic through the IPsec tunnel out to the net. But it doesn't, and as mentioned I cannot even ping my LAN interface any more.
    I am at a complete loss.
    Any help appreciated.

    Thanks
    Sebastian


  • Banned

    Clear as mud. Post some network diagram.



  • It basically is exactly like the attached Picture 1
    I had 1 LAN and 1 WAN connection. All traffic is routed through the IPSEC Tunnel to a secondary Firewall and from there out to the WAN.

    But when I added the second LAN connection and set up a secondary subnet to be routed through the IPsec tunnel, the second LAN just does not route.
    So I basically added a Phase 2 under the IPsec configuration with the second LAN subnet (see Picture 2).





  • Banned

    I still cannot see any secondary subnet anywhere on the diagram.



  • Sorry,
    Please see second subnet added to the picture




  • @swalz:

    It basically is exactly like the attached Picture 1
    I had 1 LAN and 1 WAN connection. All traffic is routed through the IPSEC Tunnel to a secondary Firewall and from there out to the WAN.

    But when I added the second LAN connection and set up a secondary subnet to be routed through the IPsec tunnel, the second LAN just does not route.
    So I basically added a Phase 2 under the IPsec configuration with the second LAN subnet (see Picture 2).

    Interesting, this sounds exactly like a problem I'm facing with my pfSense box. Can you please confirm that your setup works for your first LAN, i.e. that all traffic indeed is routed through the IPsec tunnel from 'branch office' to 'main office'? Also, what version of pfSense are you running (I'm on 2.2 myself)?

    I just have a single subnet I'm trying to fully route via an IPsec tunnel to a remote office, but it's not on the first interface, and it has the exact same problem as you are seeing (LAN interface 'disappears').

    What I did notice is that, when the IPsec tunnel is up and I ping an internet host (e.g. 8.8.8.8), traffic flows from the local interface through the IPsec interface to the remote office, so the tunnel works.

    I will try to set up the tunnel again on my first LAN interface, and see if it works like that.


  • Banned

    Is that a real diagram? (Kinda doubt so considering you copied it from the wiki). Use 192.168.10.0/23 as remote network with a single P2.



    The setup works perfectly for my first LAN interface. I have had this working for a year now and never had a problem.
    The issue only appears on the secondary LAN interface when trying to route traffic through the IPSec tunnel from the secondary interface.
    I am on version 2.1.5

    When I add the second Interface subnet to the IPsec tunnel I cannot ping the second LAN interface any more. But the first LAN subnet is still routing as expected.
    I cannot ping the internet through the second LAN either, it appears that all routing just stops for the second LAN subnet.

    @doktornotor, yes it is a diagram from a wiki page, not sure what difference that makes as it explains my exact setup?

    The IP subnets are just an example.
    My exact IP subnets are: 192.168.12.0/22 and 10.11.15.0/24
    Combining the 2 would have worked if they were close subnets, unfortunately they are not :-(

    Any other suggestions? I tried to check log files for any misconfiguration firewall rules as well, but could not find anything.
    The Firewall rules are allowing all and any traffic outbound anyways.

    Thanks


  • Banned

    @swalz:

    @doktornotor, yes it is a diagram from a wiki page, not sure what difference that makes as it explains my exact setup?

    The IP subnets are just an example.
    My exact IP subnets are: 192.168.12.0/22 and 10.11.15.0/24
    Combining the 2 would have worked if they were close subnets, unfortunately they are not :-(

    Yeah… and you still ask what difference it makes? Sigh. I wanted a real network diagram, not misleading examples. Never mind, maybe someone else, really don't have any more time to spend on this. Over an hour wasted trying to get relevant information.  >:(



  • It looks like you're overcomplicating things: why do you have a different subnet for the machines on the same LAN? If you need that for some reason, then please post your exact configuration (if they're private IP addresses you can post them, just change your public addresses) and the rules you've set.



  • Sorry, newbie mistake. My apologies.
    The reason why I need 2 LAN subnets is because I will need to put a captive portal on one subnet soon and the other one will stay open.
    Here is my configuration, I hope this makes things a little clearer:
    LAN1 (Camp): 192.168.12.0/22 interface: 192.168.12.1
    LAN2 (Contractor): 10.11.15.0/24 interface: 10.11.15.1
    WAN: 192.168.11.253 (this is a private address as well because from here on we have a private MPLS routing things to another country by a service provider). You can just see this as a WAN address.
    Remote WAN address: 192.168.20.253 (again, all routing from 192.168.11.253 to 192.168.20.253 is done by a service provider).

    Goal:
    IPsec tunnel from pfSense WAN 192.168.11.253 to SonicWall firewall WAN 192.168.20.253, which works perfectly.
    Routing for all LAN1 traffic 192.168.12.0/22 through the IPsec tunnel to the SonicWall and out of the SonicWall to the internet, which works perfectly.
    Routing for all LAN2 traffic 10.11.15.0/24 through the IPsec tunnel to the SonicWall and out of the SonicWall to the internet, which does not work.
    PFsense and Sonicwall report that the tunnel and routing are up: Picture1
    The Network settings in Phase 2 are exactly the same for both Networks LAN1 and LAN2
    See Picture 2 and 3
    No routing has been manually added, as in the Phase 2 settings the remote network is specified as 0.0.0.0/0, which routes all traffic for the specified subnet out through the VPN tunnel.
    The firewall rules for both LAN1, 2 and IPsec are set to allow any port any subnet to any which allows all traffic.

    I have tried to delete the phase2 routing for LAN1 and only have LAN2 specified in Phase2 of the IPsec settings but I still cannot get this to route.
    If no phase 2 is setup for LAN2 I can ping the LAN2 interface from my clients. If Phase2 is setup to route traffic for LAN2 through the IPsec tunnel I cannot even ping the LAN2 interface any more.

    Below is a drawing of the network diagram.

    ![Network Diagram.jpg](/public/imported_attachments/1/Network Diagram.jpg)







  • Is anyone able to shed some light on this?
    I believe it is a bug in IPSEC



  • So after ripping my hair out and troubleshooting all day I discovered part of it is a DNS issue.
    If you point DNS to the Optional Interface it does not work?
    If you specify an external DNS server like 8.8.8.8 the tunnel actually routes the secondary subnet.
    Which still does not explain why I cannot ping the OPT1 Interface any more when the IPSec tunnel is enabled but at least the tunnel works.
    Now I have to figure out why the OPT1 interface does not listen to DNS requests?



  • It will be fixed soon. You probably cannot reach your interface because your phase 2 subnet is the same as your interface subnet.

    There used to be an advanced setting which prevented traffic to the interface IP from going into IPsec, and it will be restored again.



  • Yes, the phase 2 subnet is the same as the interface subnet.
    It works for my Primary LAN interface which is all routed through an IPSec tunnel as well, just not for the Secondary LAN interface.

    So you suggest just to use an external DNS server for now.
    I guess this will prevent my machines in the Secondary LAN from finding each other by name?

    This behaviour is exactly the same in 2.1 and in 2.2 as well.

    Thanks



  • If you want, you can manually add policies to bypass the LAN address.

    You will need to learn how to add those with setkey in FreeBSD.



  • OK, so I do understand the basics of setkey after having been reading up on this all day.
    But I can't seem to add any entries.
    It doesn't matter what I type into the command line the only response I get is:
    setkey: No match.

    I am trying to set up the captive portal on the OPT1 interface, but because the interface is not reachable (since I have an IPsec tunnel from the interface), the captive portal does not work.

    My interface is IP: 10.11.15.1/24

    Could someone please help me out with the command for setkey?

    Thanks
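The "bypass" policies the earlier reply describes can be written as setkey(8) SPD entries with policy `none`: one for packets from the subnet to the interface address (inbound, so the kernel does not insist they arrived inside IPsec) and one for the interface's replies back into the subnet (outbound, so they are not pushed into the 0.0.0.0/0 tunnel policy). The script below is an added example, not code from this thread or from pfSense; it assumes FreeBSD setkey syntax, uses the addresses the poster gave (10.11.15.1 on 10.11.15.0/24), and the function names are its own.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: generate setkey(8)
# SPD "none" policies that exempt traffic between an interface address and
# its own subnet from a 0.0.0.0/0 IPsec phase 2 policy.
# Assumptions: FreeBSD setkey syntax; interface address and subnet are the
# poster's (10.11.15.1 / 10.11.15.0/24); function names are this example's.

# Print the two spdadd lines for one interface.
#   $1 = interface address without prefix length, e.g. 10.11.15.1
#   $2 = interface subnet in CIDR form, e.g. 10.11.15.0/24
gen_ipsec_bypass() {
    ifip=$1
    subnet=$2
    [ -n "$ifip" ] || { echo "interface address required" >&2; return 1; }
    case "$subnet" in
        */*) ;;                                   # must be a.b.c.d/n
        *) echo "subnet must be CIDR (a.b.c.d/n)" >&2; return 1 ;;
    esac
    # Replies from the interface address back into its own subnet:
    # policy "none" = send in the clear, do not select the tunnel.
    printf 'spdadd %s/32 %s any -P out none;\n' "$ifip" "$subnet"
    # Packets from the subnet to the interface address: do not require
    # that they arrived protected by IPsec.
    printf 'spdadd %s %s/32 any -P in none;\n' "$subnet" "$ifip"
}

# Matching spddelete lines (same selectors, same direction) to undo the bypass.
gen_ipsec_bypass_delete() {
    ifip=$1
    subnet=$2
    printf 'spddelete %s/32 %s any -P out;\n' "$ifip" "$subnet"
    printf 'spddelete %s %s/32 any -P in;\n' "$subnet" "$ifip"
}

# Print the policies for the poster's OPT1 interface. On the firewall you
# would instead write them to a file and load that file (shown in comments
# only, so the example also runs where setkey is absent):
#   gen_ipsec_bypass 10.11.15.1 10.11.15.0/24 > /tmp/opt1-bypass.conf
#   setkey -f /tmp/opt1-bypass.conf
#   setkey -DP     # dump the SPD and confirm the two "none" entries
gen_ipsec_bypass 10.11.15.1 10.11.15.0/24
```

Three practical notes. Loading the policies from a file (or `setkey -c` on stdin) also keeps them away from the interactive shell: `setkey: No match.` is what tcsh, the root shell on pfSense, prints when a command-line argument contains glob characters such as `[` or `*` and nothing on disk matches; it is not a message from setkey itself. Which of two overlapping SPD entries wins is decided by the kernel's SPD ordering, so after loading, check `setkey -DP` to see that the `none` entries are actually present alongside the tunnel policies rather than assuming they take precedence. Finally, entries added by hand are outside pfSense's configuration, so expect to re-check them (and re-add if needed) after any IPsec change causes the firewall to rebuild its SPD.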

