    IPSec SRX <> PFsense - Tunnel UP no traffic

    bibawa

      Dear,

      I need to create an IPSec tunnel between a PFSense box and a Juniper SRX240; the network is straightforward:

      SRX Side: 192.168.100.0/24
      PFSense Side: 172.20.12.0/24

      On both sides I created the phase 1/phase 2 parameters, and on both sides I can confirm that the tunnel is up, but for some reason I cannot ping over the tunnel.
      On the debug side of PFSense I see this in the logging:

      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 172.20.12.254/32[0] 172.20.12.0/24[0] proto=any dir=out
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 172.20.12.0/24[0] 172.20.12.254/32[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
      Mar 19 11:03:41 racoon: DEBUG: got pfkey X_SPDDELETE message
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 172.20.12.254/32[0] 172.20.12.0/24[0] proto=any dir=out
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 172.20.12.0/24[0] 172.20.12.254/32[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: DEBUG: got pfkey X_SPDDELETE message
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: DELETE message is not interesting because the message was originated by me.
      Mar 19 11:03:41 racoon: DEBUG: got pfkey DELETE message
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: purged SAs.
      Mar 19 11:03:41 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3822179484.
      Mar 19 11:03:41 racoon: DEBUG: IV freed
      Mar 19 11:03:41 racoon: DEBUG: pfkey spddelete(outbound) sent.
      Mar 19 11:03:41 racoon: DEBUG: call pfkey_send_spddelete
      Mar 19 11:03:41 racoon: DEBUG: pfkey spddelete(inbound) sent.
      Mar 19 11:03:41 racoon: DEBUG: call pfkey_send_spddelete
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe1c0: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 172.20.12.254/32[0] 172.20.12.0/24[0] proto=any dir=out
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe1c0: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447490: 172.20.12.0/24[0] 172.20.12.254/32[0] proto=any dir=in
      Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe1c0: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
      Mar 19 11:03:41 racoon: DEBUG: get dst address from ID payload 172.20.12.0[0] prefixlen=24 ul_proto=255
      Mar 19 11:03:41 racoon: DEBUG: get a src address from ID payload 192.168.100.0[0] prefixlen=24 ul_proto=255
      Mar 19 11:03:41 racoon: INFO: deleting a generated policy.
      Mar 19 11:03:41 racoon: DEBUG: check spi(packet)=3822179484 spi(db)=3822179484.
      Mar 19 11:03:41 racoon: DEBUG: check spi(packet)=3822179484 spi(db)=3797485732.
      Mar 19 11:03:41 racoon: DEBUG: check spi(packet)=3822179484 spi(db)=1085545145.
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()
      Mar 19 11:03:41 racoon: DEBUG: pk_recv: retry[0] recv()

      Does anybody know what this means and how I can solve this?

        anomaly0617
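      The racoon lines above mix three things: the kernel SPD entries racoon walks through (the "db :" lines), the pfkey messages it receives from the kernel (X_SPDDELETE, DELETE), and the teardown of a phase 2 SA ("purged IPsec-SA ... spi=...", "deleting a generated policy"). The script below is an added example, not code from the original post or from pfSense/racoon; it parses a constructed sample of lines in exactly the shape posted and reports whether both directions of the 172.20.12.0/24 <> 192.168.100.0/24 policy are present, which other SPD entries racoon saw, which selectors it read from the peer's ID payloads, and which SAs were purged. The regexes are written against the line formats shown in this thread only, and the local/remote networks are taken from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the same shape as the racoon debug lines posted above
# (a handful of lines, not the full log).
SAMPLE_LOG = """\
Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447910: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: sub:0x7fffffffe570: 172.20.12.0/24[0] 192.168.100.0/24[0] proto=any dir=out
Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447610: 172.20.12.254/32[0] 172.20.12.0/24[0] proto=any dir=out
Mar 19 11:03:41 racoon: DEBUG: got pfkey X_SPDDELETE message
Mar 19 11:03:41 racoon: [Unknown Gateway/Dynamic]: DEBUG: db :0x801447190: 192.168.100.0/24[0] 172.20.12.0/24[0] proto=any dir=in
Mar 19 11:03:41 racoon: DEBUG: got pfkey DELETE message
Mar 19 11:03:41 racoon: INFO: purged IPsec-SA proto_id=ESP spi=3822179484.
Mar 19 11:03:41 racoon: DEBUG: get dst address from ID payload 172.20.12.0[0] prefixlen=24 ul_proto=255
Mar 19 11:03:41 racoon: DEBUG: get a src address from ID payload 192.168.100.0[0] prefixlen=24 ul_proto=255
Mar 19 11:03:41 racoon: INFO: deleting a generated policy.
"""

# "db :" lines are the kernel SPD entries racoon compares against the policy it
# is looking for ("sub:" lines); only the former are parsed here.
SPD_RE = re.compile(
    r"DEBUG: db :0x[0-9a-f]+: (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)
PURGE_RE = re.compile(r"INFO: purged IPsec-SA proto_id=(?P<proto>\w+) spi=(?P<spi>\d+)")
ID_RE = re.compile(
    r"DEBUG: get (?:a )?(?P<which>src|dst) address from ID payload "
    r"(?P<addr>[\d.]+)\[\d+\] prefixlen=(?P<plen>\d+)"
)
PFKEY_RE = re.compile(r"DEBUG: got pfkey (?P<msg>\S+) message")

Policy = Tuple[str, str, str, str]  # (src, dst, proto, dir)


def parse_spd_entries(log: str) -> List[Policy]:
    """Return the distinct SPD entries seen in 'db :' lines, in first-seen order."""
    seen: Dict[Policy, None] = {}
    for line in log.splitlines():
        m = SPD_RE.search(line)
        if m:
            seen[(m["src"], m["dst"], m["proto"], m["dir"])] = None
    return list(seen)


def parse_sa_purges(log: str) -> List[Tuple[str, int]]:
    """Return (protocol, SPI) for every 'purged IPsec-SA' line."""
    return [(m["proto"], int(m["spi"])) for m in map(PURGE_RE.search, log.splitlines()) if m]


def negotiated_selectors(log: str) -> Dict[str, str]:
    """Return the src/dst traffic selectors racoon read from the peer's ID payloads."""
    out: Dict[str, str] = {}
    for line in log.splitlines():
        m = ID_RE.search(line)
        if m:
            out[m["which"]] = f"{m['addr']}/{m['plen']}"
    return out


def check_policy_pair(entries: List[Policy], local: str, remote: str) -> Dict[str, bool]:
    """Does the SPD hold both directions of the local <-> remote policy?"""
    return {
        "out": any(e[0] == local and e[1] == remote and e[3] == "out" for e in entries),
        "in": any(e[0] == remote and e[1] == local and e[3] == "in" for e in entries),
    }


def triage(log: str, local: str, remote: str) -> Dict[str, object]:
    """Pull the facts a tunnel-up-but-no-traffic report needs out of a racoon debug log."""
    entries = parse_spd_entries(log)
    return {
        "policy_pair": check_policy_pair(entries, local, remote),
        # Entries that involve anything other than the two tunnel networks.
        "other_spd_entries": [e for e in entries if {e[0], e[1]} != {local, remote}],
        "negotiated": negotiated_selectors(log),
        "purged_sas": parse_sa_purges(log),
        "pfkey_messages": [m["msg"] for m in map(PFKEY_RE.search, log.splitlines()) if m],
        "generated_policy_deleted": "deleting a generated policy" in log,
    }


if __name__ == "__main__":
    import json
    # Networks as given in the post: pfSense side is local, SRX side is remote.
    print(json.dumps(triage(SAMPLE_LOG, "172.20.12.0/24", "192.168.100.0/24"), indent=2))
```

      On the sample this reports that both directions of the 172.20.12.0/24 <> 192.168.100.0/24 policy exist in the SPD, that the peer's ID payloads carry the same two networks, and that ESP SPI 3822179484 was purged and its generated policy deleted in the same second, which is why the thing to compare next is the SRX side's view of that same SA and the firewall rules on the IPsec interface, rather than the phase 1/phase 2 proposals. The extra SPD entries between 172.20.12.254/32 and 172.20.12.0/24 are listed separately because they do not belong to the tunnel pair; the script does not claim what they are for.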

        @bibawa:

        Dear,

        I need to create a IPSec tunnel between a PFSense box and an Juniper SRX240, the network is straight forward:

        SRX Side: 192.168.100.0/24
        PFSense Side: 172.20.12.0/24

        on both sides I created the phase1/phase2 parameters and on both sides I can confirm that the tunnel is up, but for some reason I cannot ping over the tunnel.
        On the debug side of PFsense I see this in…

        Does anybody now what this means and how I can solve this ?

        By chance, have you gone to Firewall - Rules - IPSec and created a rule allowing all traffic from the remote network to the local network? If not, that would cause ICMP traffic not to go through.

        Hope this Helps!

          bibawa

          Yes,
          there I created an any-any-any rule, so it's not blocked by the firewall (normally).

          When I start debugging on the SRX side, I see that traffic is going into the tunnel but not coming out on the other side :-)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.