2.3 to 2.2.6 IPSEC



  • Hi all!

    I have tried to configure ipsec between mentioned pfsenses and it is not working.
    Maybe I have some sort of config error I don`t know.

    Connection is established, firewall rules on ipsec tab are added (allow any to any) but I can`t ping host in site B from site A.
    Do I have to configure something else?

    Funny is, that traceroute actually works nothing else does.

    Any idea?

    Thanks!



  • If I do packet capture on one of the pfsenses I get this (see image).




  • So it's getting there. Is it leaving LAN/whatever the internal interface is?



  • To tell you the truth, I don`t even know where to begin troubleshooting it.
    Doest it work for you? (2.3 to 2.2.6)



  • Yes, it does. I'm guessing it's leaving LAN in your case, and the destination host isn't replying for one of the usual reasons (host firewall, wrong gateway or other host network config issue, etc.).



  • Hmmm ok…
    Firewall has any any allow all on both sides.
    Wrong gateway, what u mean by that?
    Tunnel is up so it should be working, at least same config confirmed does work between 2 2.6 machines...



  • The tunnel is clearly working, that's why I'm pointing to the destination host as the likely cause of the problem. Its default gateway pointing to something wrong, or a firewall on that host, etc.



  • I`ve rebuild pfsense to 2.3 on both sides and now it works.

    But new problem is here.
    When IPsec up I can`t go to webinterface after I clicked refresh on ipsec status page once or twice.

    I always get:
    504 Gateway Time-out
    nginx

    If I:
    restart webconfigurator from ssh shell no go.
    Restart PHP-FPM then I can connect to web gui again.



  • There is an underlying issue with the low-level command that gets the IPsec status. It sometimes hangs and thus the web-interface waits "forever" for the output to come and eventually nginx web server times out.
    https://redmine.pfsense.org/issues/5520



  • Thanks just seen it.
    I use ikev2 and same thing happens.
    I saw that on strongswan this is marked as resolved?



  • I`m really sorry to nag, but there is something wrong with ipsec.
    I came home, disabled ipsec, re-enabled it and again tunnel is up but no traffic.

    I really dont get it any more… It was working and I didnt change ANY setting at all. Disabled and reconnected and no more joy.



  • OK more details:

    It only works when IKE is set to V1 and mode to aggressive.

    So:
    IKEv1 + aggressive (MUTUAL PSK) = OK
    IKEv1 + aggressive (MUTUAL RSA) = OK

    IKEv1 + main = NOT WORKING (both RSA and PSK)

    IKEv2 = not working

    Setup between 2.3 and 2.2.6



  • @maverick_slo:

    IKEv1 + main = NOT WORKING (both RSA and PSK)

    IKEv2 = not working

    Setup between 2.3 and 2.2.6

    That's not true in general. We've been running production VPNs matching the described circumstance for months with no issues.

    What specifically do you have configured that doesn't work?



  • Huh really simple.
    Ipsec between 2 locations only one left and right local subnet.
    When in aggressive mode everything works, traffic flows…
    As soon as I change both to main or ikev2 and restart tunnel shows as online but no traffic coming trough. So I can rule out firewall rules and host config regarding gateways etc...
    I really don't know what I'm doibg wrong here or maybe there's an issue between 2.2.6 and 2.3.
    Again SAME config between two 2.2.6 pfsenses works like a charm...



  • what identifiers are you using on the P1?



  • My IP address.



  • Hi cmb!

    I managed to config IKEv2 between 2.2.6 and 2.3.

    There are some gui issues I think on ipsec config page, see here: https://forum.pfsense.org/index.php?topic=105776.0

    I did config manually via .conf files and it works like a charm now.
    Also upgrade from 2.2.6 to 2.3 correctly retains configs and it works. Problem was on new 2.3 install and new ipsec tunnel config creation.

    BR,
    Greg


Log in to reply