Routing / firewall / NAT issues with IPsec connections after upgrade to 2.2.5



  • Hello,

    I just upgraded a pfsense box from 2.1.3 to 2.2.5 and now the IPsec connections do not work properly anymore. More exactly I cannot reach several internal networks over IPsec. Establishing the VPN link is NOT the problem.

    Setup:

    Internal server –--- Router 1 ----- Router 2 (pfsense box) ----- SDSL ----- road warrior IPsec clients

    I use Shrewsoft VPN client and after establishing the VPN link I can only reach Router 1 and Router 2. I cannot reach internal servers.

    Packet capture on the pfsense box however shows that in all cases both ICMP request and echo packets are transmitted between Router 1 and Router 2. There seems to be a problem with reply packets that come from the internal network. I cannot find a reason for this behavior. Updating the pfsense box is all I did.
    Note: the pfsense box has 2 WAN interfaces (ADSL + SDSL). Using advanced firewall rules I configured it to use the ADSL line for outbound http and the SDSL line for everything else (like VPN). Maybe this is a reason for problems but it worked fine with IPsec and 2.1.3.

    How can I determine what happens to echo reply packets that should go back to the IPsec client?
    Any ideas welcome!



  • Update:
    After playing around for a couple of hours I managed to make it work. The solution was to add more phase 2 entries. One for each local network that I need to access via VPN, although the pfsense box is not directly connected to those networks.
    With pfsense 2.1.x it was sufficient to provide one entry for the network that contains the next internal router (Router 1 in my case).

    Hopefully someone can make use of my experiences :)



  • It was technically wrong to begin with, but racoon didn't care. It's noted in the upgrade guide.
    https://doc.pfsense.org/index.php/UpgradeGuide#Mobile_client_users.2C_verify_Local_Network


Log in to reply