IPSEC traffic not reaching roadwarrior clients
I've been attempting to configure client to site IPSEC VPN for an office. The IPSEC tunnel connects successfully, however, it appears that traffic from the LAN network is not reaching the client end of the tunnel. I'm seeing the same effect with ICMP and TCP traffic (not tried UDP). It appears as though packets are lost between pfsense IPSEC and egress via the pfsense WAN.
The basic topology is:
10.3.0.0/16 <-> pfSense WAN <-> pfSense LAN (10.64.0.0/16) <-> LAN systems (10.64.0.x)
When I use pfsense to capture ICMP or TCP traffic on IPSEC interface destined for 10.3.x.x I can see that the relevant packets are captured on the pfsense end of the tunnel, however, they never reach the client end of the tunnel. I'm fairly sure the ESP packets do not egress pfsense on the WAN interface. I tried this:
I have reverted the configuration as it appeared to have no effect.
My configuration is much as all of the guides suggest:
Phase1: Agressive, AES(128 bits), SHA1, Key group 2, NAT Traversal=Force, DPD uncheck
Phase2: tunnel, LAN subnet, Mobile Client,ESP,AES (128 bits), SHA1
I've tried Auto NAT traversal and DPD checked, these exhibit the same issue. I tried varying other fields, these mainly mess up the VPN connection itself.
10.64.0.0 * * * WAN address
10.3.0.0 * * * WAN address
IPSEC and LAN rules are fully open and when I check the filter logs, it appears nothing is being blocked. The WAN has blocks for private & bogon and port 443 is open while I debug this, these are the only WAN rules. I'm not seeing blocks on this interface that might explain the problem.
FWIW, 5 site to site tunnels are also configured. These all function as expected.
It feels like an issue routing packets that originate from the LAN to roadwarrior clients, however, that is just a theory. I'd be grateful for any suggestions of advice anyone can provide.
Just adding to this in case anyone has any ideas. I'm on Firmware 2.2.1.
I've confirmed I can capture the ICMP response on the pfsense tunnel interface (enc0). I've also confirmed that the encapsulated udp tunnel packets do not egress the wan interface (re1).
I also tried disabling my site to site tunnels, this had no effect.
Nothing is shown in the filter logs. I still cannot determine where the packets destined for roadwarrior clients go.
Does anyone know if I should be seeing any routes for 10.3.x.x or even the WAN that the packets originate from?
In the interests of making myself look silly and in case anyone experiences a similar issue:
I went back over my IPSEC site 2 site configurations and noticed a subnet conflict mean't response traffic would've been routed down the wrong tunnel. One site to site p2 entry had qn erroneous 10.1.1.0/14 subnet which conflicts with 10.3.1.0/24! This explains the absence of response packets at the roadwarrior clients.
- I hadn't posted enough details for anyone to be able to identify this issue. Post all IPSEC configuration, even components that are seemingly working.
- Check, re-check and then re-check all IPSEC configuration. I had previously discounted my site 2 site tunnels as potentially causing the issue.
- One change at a time, and make sure testing encompasses a client disconnect/connect before checking client traffic.
- Check the IPSEC SPD status tab once a roadwarrior client connects. It highlighted the issue for me and also enabled me to check SPIs on roadwarrior client traffic were as expected.