IPSec to LAN Clients (Can ping but can't pass TCP/UDP)



  • Guys, I need a bit of help. I am running out of options….

    So I have everything working as far as IPSec goes. I set up IPSec mobile, phase 1 and phase 2. I can ping my pfSense box and even ping the clients behind the box.

    The problem I am having is I cannot connect to services (TCP, for example). Like, I am trying to SSH into a machine behind the pfSense box, and it just hangs. When I checked the firewall logs, it is trying to make a connection but nothing happens. I can ping the same machine just fine. It seems like I can go in, but coming out it has issues. Same issue if I try to remote desktop: I cannot, but I can ping the same machine. It was working fine when I had just Zentyal with OpenVPN; now I am having issues. I can't figure out exactly where the issue is. I did a packet dump, and here are the results.

    13:41:33.474849 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 8, length 40
    13:41:33.475051 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 8, length 40
    13:41:34.474359 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 9, length 40
    13:41:34.474507 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 9, length 40
    13:41:35.469771 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 10, length 40
    13:41:35.469946 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 10, length 40
    13:41:36.473019 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 11, length 40
    13:41:36.473179 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 11, length 40
    13:41:47.107597 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
    13:41:47.107839 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
    13:41:47.139842 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
    13:41:47.139862 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 28
    13:41:47.139995 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
    13:41:47.143799 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
    13:41:47.374776 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
    13:41:47.838718 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
    13:41:48.766761 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
    13:41:50.622791 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
    13:41:54.389321 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
    13:42:00.454381 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
    13:42:00.455385 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 840

    Update

    One thing I noticed: the SSH client just sits there without timing out. It seems like I can make an inbound connection, but when it tries to do the return, it is not working.

    Like, I tried to ping my IPsec-given IP and it does not work, so I am thinking I can make a one-way connection and it is not coming back or something.

    It is so weird, because the logs are not showing much, and it is pretty annoying.
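The capture in the post above already contains the evidence: the ICMP echo requests and replies pair up, but the 21-byte segment from 10.10.10.101:22 is sent six times with roughly doubling gaps and no packet from the other side in between. The following script is an added example (not the poster's code and not part of pfSense) that parses tcpdump lines in exactly the shape quoted above and flags that kind of run. The sample input embedded below is a constructed subset of the post's own capture lines; the `(authentic,confidential): SPI ...` prefix and the `tcp N` payload-length form are taken from the post, and since those lines carry no TCP sequence numbers the retransmission detection is a heuristic rather than a true sequence-number match.

```python
import re
from datetime import datetime

# Constructed sample input: a subset of the tcpdump lines quoted in the post
# above (one ICMP pair and the SSH attempt), embedded so the script runs offline.
SAMPLE = """\
13:41:33.474849 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 8, length 40
13:41:33.475051 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 8, length 40
13:41:47.107597 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
13:41:47.107839 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
13:41:47.139842 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
13:41:47.139862 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 28
13:41:47.139995 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
13:41:47.143799 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:47.374776 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:47.838718 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:48.766761 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:50.622791 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:54.389321 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:42:00.454381 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
13:42:00.455385 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 840
"""

# Line shape as printed in the post: timestamp, ESP flags, SPI, then
# "IP src > dst: <protocol detail>". No TCP sequence numbers are present.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) \((?P<flags>[^)]*)\): SPI (?P<spi>0x[0-9a-fA-F]+): "
    r"IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    t = datetime.strptime(pkt["ts"], "%H:%M:%S.%f")
    # seconds since midnight; a capture that spans midnight is not handled
    pkt["t"] = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
    rest = pkt["rest"]
    if rest.startswith("tcp "):
        pkt["proto"] = "tcp"
        pkt["plen"] = int(rest.split()[1])  # TCP payload bytes as tcpdump printed them
        pkt["src"], pkt["sport"] = pkt["src"].rsplit(".", 1)
        pkt["dst"], pkt["dport"] = pkt["dst"].rsplit(".", 1)
    else:
        pkt["proto"] = "icmp" if rest.startswith("ICMP") else "other"
        pkt["plen"] = None
        pkt["sport"] = pkt["dport"] = None
    return pkt


def find_retransmission_runs(packets, min_repeats=3):
    """Group consecutive same-direction, same-size TCP data segments that have no
    packet from the peer in between. Without sequence numbers this is a heuristic,
    but N identical segments with growing gaps is the classic signature of a
    sender retransmitting data that is never acknowledged."""
    runs, current = [], None

    def flush():
        if current and len(current["times"]) >= min_repeats:
            runs.append(current)

    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"], p["plen"])
        if current and current["key"] == key and p["plen"] > 0:
            current["times"].append(p["t"])
            continue
        flush()  # direction, size or peer changed: close the current run
        current = {"key": key, "times": [p["t"]]} if p["plen"] > 0 else None
    flush()
    return runs


def summarize(run):
    src, sport, dst, dport, plen = run["key"]
    times = run["times"]
    gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
    return {
        "flow": f"{src}:{sport} -> {dst}:{dport}",
        "payload_bytes": plen,
        "repeats": len(times),
        "gaps_s": gaps,
        # strictly growing gaps point at the TCP retransmit timer backing off,
        # not at an application deliberately re-sending the same message
        "backoff": all(b > a for a, b in zip(gaps, gaps[1:])),
    }


def analyze(text):
    """Return how many ICMP echo pairs completed and which TCP flows look stuck."""
    packets = [p for p in (parse_line(line) for line in text.splitlines()) if p]
    requests = sum("ICMP echo request" in p["rest"] for p in packets)
    replies = sum("ICMP echo reply" in p["rest"] for p in packets)
    return {
        "icmp_echo_pairs": min(requests, replies),
        "retransmission_runs": [summarize(r) for r in find_retransmission_runs(packets)],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("ICMP echo pairs seen:", report["icmp_echo_pairs"])
    for run in report["retransmission_runs"]:
        print("suspected retransmissions:", run)
```

Run it over the text of a tcpdump taken on the IPsec interface and it reports ping working alongside any one-directional run of repeated segments, which is the pattern the poster describes as "going in but not coming back". The script only surfaces the pattern; deciding whether the cause is the return path, firewall state or an MTU/MSS problem still needs the checks discussed in the thread.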



  • I had a very similar problem last time. I could ping, but almost no other services worked through the tunnel.

    I assume you have the right firewall settings in place?

    Especially when NAT-T is used for your IPSec connection, you surely can get into trouble with MTU. Do you use NAT-T?
    Go to IPSec -> Advanced Settings and set the Maximum MSS to 1350.
    This fixed the problem for me.

    Give it a try.

