Netgate Discussion Forum
    IPSec to LAN Clients (Can ping but cant pass TCP/UDP)

    Category: IPsec · 2 Posts · 2 Posters · 951 Views
    fta354

      Guys, I need a bit of help. I am running out of options...

      So I have everything working as far as IPsec goes. I set up IPsec mobile phase 1 and phase 2. I can ping my pfSense box and even ping the clients behind the box.

      The problem I am having is I cannot connect to services (TCP for example). Like I am trying to SSH into a machine behind the pfSense box, and it just hangs. When I checked the firewall logs it is trying to make a connection but nothing happens. I can ping the same machine just fine. It seems like I can go in but coming out it has issues. Same issue if I try to remote desktop: I cannot, but I can ping the same machine. It was working fine when I had just Zentyal with OpenVPN; now I am having issues. I can't figure out exactly where the issue is. I did a packet dump, and here are the results.

      13:41:33.474849 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 8, length 40
      13:41:33.475051 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 8, length 40
      13:41:34.474359 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 9, length 40
      13:41:34.474507 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 9, length 40
      13:41:35.469771 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 10, length 40
      13:41:35.469946 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 10, length 40
      13:41:36.473019 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129 > 10.10.10.101: ICMP echo request, id 1, seq 11, length 40
      13:41:36.473179 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101 > 10.10.20.129: ICMP echo reply, id 1, seq 11, length 40
      13:41:47.107597 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
      13:41:47.107839 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
      13:41:47.139842 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
      13:41:47.139862 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 28
      13:41:47.139995 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
      13:41:47.143799 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
      13:41:47.374776 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
      13:41:47.838718 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
      13:41:48.766761 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
      13:41:50.622791 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
      13:41:54.389321 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
      13:42:00.454381 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
      13:42:00.455385 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 840

      Update

      One thing I noticed: the SSH client just sits there without timing out. It seems like I can make the inbound connection but when it tries to return it is not working.

      Like I tried to ping my IPsec-given IP and it does not work, so I am thinking I can make a one-way connection and it is not coming back or something.

      It is so weird because the logs are not showing much and it is pretty annoying.

    papa_joe

        I had a very similar problem last time. I could ping, but almost no other services worked through the tunnel.

        I assume you have the right firewall settings in place?

        Especially when NAT-T is used for your IPsec connection, you surely can get into trouble with MTU. Do you use NAT-T?
        Go to IPsec -> Advanced Settings and set the Maximum MSS to 1350.
        This fixed the problem for me.

        Give it a try.

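As an added example (not code from either poster or from pfSense), the script below reads the tcpdump lines quoted in the first post and flags the pattern that makes the SSH session hang: one side resending the same payload with a growing retransmission timeout because the peer never acknowledges it. It also reports the smallest stalled payload, which is the quick check for the MSS advice above: an MTU/MSS problem only stalls large segments, so when small ones stall too, the return path or firewall state needs a look as well.

```python
import re
from collections import defaultdict

# TCP lines quoted from the post above (tcpdump on the IPsec enc interface).
DUMP = """\
13:41:47.107597 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
13:41:47.107839 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
13:41:47.139842 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
13:41:47.139862 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 28
13:41:47.139995 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 0
13:41:47.143799 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:47.374776 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:47.838718 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:48.766761 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:50.622791 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:41:54.389321 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 21
13:42:00.454381 (authentic,confidential): SPI 0xcf139e13: IP 10.10.20.129.50512 > 10.10.10.101.22: tcp 0
13:42:00.455385 (authentic,confidential): SPI 0xd41e6cf3: IP 10.10.10.101.22 > 10.10.20.129.50512: tcp 840
"""

# Matches only "tcp N" lines; ICMP and other lines are ignored.
TCP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) .*?: IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): tcp (\d+)$")

def parse_tcp(dump):
    """Return (seconds, src, sport, dst, dport, payload_len) for every TCP line."""
    segs = []
    for line in dump.splitlines():
        m = TCP_RE.match(line.strip())
        if m:
            h, mi, s, src, sp, dst, dp, ln = m.groups()
            segs.append((int(h) * 3600 + int(mi) * 60 + float(s), src, int(sp), dst, int(dp), int(ln)))
    return segs

def find_stalled(segs, min_repeats=3):
    """Payload-carrying segments resent min_repeats+ times from one side, with the gap
    between copies growing each time (TCP RTO backoff), are data the peer never ACKed."""
    times = defaultdict(list)
    for t, src, sp, dst, dp, ln in segs:
        if ln > 0:
            times[(src, sp, dst, dp, ln)].append(t)
    stalled = {}
    for flow, ts in times.items():
        if len(ts) >= min_repeats:
            gaps = [b - a for a, b in zip(ts, ts[1:])]
            stalled[flow] = {"copies": len(ts), "backoff": all(g2 > g1 for g1, g2 in zip(gaps, gaps[1:]))}
    return stalled

def smallest_stalled_payload(stalled):
    """Stalled segments far below any MTU point at the return path or firewall state;
    only large segments stalling is the MTU/MSS signature."""
    return min((flow[4] for flow in stalled), default=None)
```

On the dump above this reports the server's 21-byte SSH banner sent six times with growing gaps, so the smallest stalled payload is 21 bytes.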