IPSec SRX <> PFsense - Tunnel UP no traffic



  • Dear,

    I need to create an IPSec tunnel between a PFSense box and a Juniper SRX240; the network is straightforward:

    SRX Side: 192.168.100.0/24
    PFSense Side: 172.20.12.0/24

    On both sides I created the phase1/phase2 parameters, and on both sides I can confirm that the tunnel is up, but for some reason I cannot ping over the tunnel.
    On the debug side of PFsense I see this in the logging:

    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 172.20.12.254/32[0] 172.20.12.0/24[0] proto=any dir=out
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 172.20.12.0/24[0] 172.20.12.254/32[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Mar 19 11:03:41 racoon: DEBUG: got pfkey X_SPDDELETE message
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 172.20.12.254/32[0] 172.20.12.0/24[0] proto=any dir=out
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 172.20.12.0/24[0] 172.20.12.254/32[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: DEBUG: got pfkey X_SPDDELETE message
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: DELETE message is not interesting because the message was originated by me.
    Mar 19 11:03:41 racoon: DEBUG: got pfkey DELETE message
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: purged SAs.
    Mar 19 11:03:41 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3822179484.
    Mar 19 11:03:41 racoon: DEBUG: IV freed
    Mar 19 11:03:41 racoon: DEBUG: pfkey spddelete(outbound) sent.
    Mar 19 11:03:41 racoon: DEBUG: call pfkey_send_spddelete
    Mar 19 11:03:41 racoon: DEBUG: pfkey spddelete(inbound) sent.
    Mar 19 11:03:41 racoon: DEBUG: call pfkey_send_spddelete
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe1c0: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 172.20.12.254/32[0] 172.20.12.0/24[0] proto=any dir=out
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe1c0: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 172.20.12.0/24[0] 172.20.12.254/32[0] proto=any dir=in
    Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe1c0: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
    Mar 19 11:03:41 racoon: DEBUG: get dst address from ID payload 172.20.12.0[0] prefixlen=24 ul_proto=255
    Mar 19 11:03:41 racoon: DEBUG: get a src address from ID payload 192.168.100.0[0] prefixlen=24 ul_proto=255
    Mar 19 11:03:41 racoon: INFO: deleting a generated policy.
    Mar 19 11:03:41 racoon: DEBUG: check spi(packet)=3822179484 spi(db)=3822179484.
    Mar 19 11:03:41 racoon: DEBUG: check spi(packet)=3822179484 spi(db)=3797485732.
    Mar 19 11:03:41 racoon: DEBUG: check spi(packet)=3822179484 spi(db)=1085545145.
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
    Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()

    Does anybody know what this means and how I can solve this?
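    As an added illustration (not part of the original post), a small parser for racoon debug lines in the format shown above: it pulls the SPD entries ("db :" lines) and the purged-SA messages into structured data and reports whether the expected site-to-site policy pair exists and whether SAs or generated policies were torn down. The sample lines and the helper names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the same format as the racoon debug output above.
SAMPLE_LOG = """\
Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Mar 19 11:03:41 racoon: DEBUG: got pfkey X_SPDDELETE message
Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
Mar 19 11:03:41 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3822179484.
Mar 19 11:03:41 racoon: INFO: deleting a generated policy.
Mar 19 11:03:41 racoon: DEBUG: check spi(packet)=3822179484 spi(db)=3797485732.
"""

# "db :" lines are SPD entries: src[port] dst[port] proto dir. "sub:" lines are lookups and are skipped.
SPD_RE = re.compile(
    r"DEBUG: db :0x[0-9a-f]+: (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)
PURGE_RE = re.compile(r"purged IPsec-SA proto_id=(?P<proto>\w+) spi=(?P<spi>\d+)")


def parse_racoon(text):
    """Collect SPD policies, purged SAs and teardown event counts from racoon debug output."""
    policies = set()   # (src, dst, dir)
    purged = []        # (proto, spi)
    events = Counter()
    for line in text.splitlines():
        m = SPD_RE.search(line)
        if m:
            policies.add((m["src"], m["dst"], m["dir"]))
            continue
        m = PURGE_RE.search(line)
        if m:
            purged.append((m["proto"], int(m["spi"])))
        if "X_SPDDELETE" in line:
            events["spd_delete"] += 1
        if "deleting a generated policy" in line:
            events["generated_policy_deleted"] += 1
    return {"policies": policies, "purged": purged, "events": events}


def tunnel_findings(parsed, local, remote):
    """Check that both directions of the local<->remote policy exist and summarise teardown signs."""
    findings = []
    if (local, remote, "out") not in parsed["policies"] or (remote, local, "in") not in parsed["policies"]:
        findings.append("missing SPD entry for %s<->%s" % (local, remote))
    if parsed["purged"]:
        findings.append("%d IPsec-SA(s) purged" % len(parsed["purged"]))
    if parsed["events"]["generated_policy_deleted"]:
        findings.append("generated policy deleted (dynamic policy torn down)")
    return findings
```

    Run over the full log from the post, a non-empty findings list for the 172.20.12.0/24 and 192.168.100.0/24 pair narrows the problem to SA/policy teardown rather than to the selectors themselves.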



  • @bibawa:

    Dear,

    I need to create an IPSec tunnel between a PFSense box and a Juniper SRX240; the network is straightforward:

    SRX Side: 192.168.100.0/24
    PFSense Side: 172.20.12.0/24

    On both sides I created the phase1/phase2 parameters, and on both sides I can confirm that the tunnel is up, but for some reason I cannot ping over the tunnel.
    On the debug side of PFsense I see this in…

    Does anybody know what this means and how I can solve this?

    By chance, have you gone to Firewall - Rules - IPSec and created a rule allowing all traffic from the remote network to the local network? If not, that would cause ICMP traffic to not go through.



  • Yes,
    there I created an any-any-any rule, so it's not blocked by the firewall (normally).

    When I start debug on the SRX side I see that traffic is going into the tunnel, but not coming out on the other side :-)

