    2.3 to 2.2.6 IPSEC

    2.3-RC Snapshot Feedback and Issues - ARCHIVED
    • M
      maverick_slo last edited by

      Hi all!

      I have tried to configure IPsec between the mentioned pfSenses and it is not working.
      Maybe I have some sort of config error, I don't know.

      Connection is established, firewall rules on the IPsec tab are added (allow any to any) but I can't ping a host in site B from site A.
      Do I have to configure something else?

      Funny thing is, traceroute actually works; nothing else does.

      Any idea?

      Thanks!

      • M
        maverick_slo last edited by

        If I do packet capture on one of the pfsenses I get this (see image).


        • C
          cmb last edited by

          So it's getting there. Is it leaving LAN/whatever the internal interface is?

          • M
            maverick_slo last edited by

            To tell you the truth, I don't even know where to begin troubleshooting it.
            Does it work for you? (2.3 to 2.2.6)

            • C
              cmb last edited by

              Yes, it does. I'm guessing it's leaving LAN in your case, and the destination host isn't replying for one of the usual reasons (host firewall, wrong gateway or other host network config issue, etc.).

              • M
                maverick_slo last edited by

                Hmmm ok…
                Firewall has an any/any allow-all rule on both sides.
                Wrong gateway, what do you mean by that?
                Tunnel is up so it should be working; at least the same config is confirmed to work between two 2.2.6 machines...

                • C
                  cmb last edited by

                  The tunnel is clearly working, that's why I'm pointing to the destination host as the likely cause of the problem. Its default gateway pointing to something wrong, or a firewall on that host, etc.

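The reasoning in cmb's reply (tunnel is up, so look at whether traffic is actually returning from the far side) can be checked from the strongSwan status output instead of by eye. The script below is an added example, not code from the thread or from pfSense: it parses a constructed `ipsec statusall` excerpt and classifies each Phase 2 (CHILD_SA) by its byte counters. The counter-line layout ("N bytes_i, M bytes_o") is assumed from strongSwan's usual statusall format.

```python
import re

# Constructed sample of strongSwan `ipsec statusall` output (not captured from the thread).
# Layout assumed from strongSwan: IKE_SA line says ESTABLISHED, CHILD_SA line says INSTALLED,
# and the CHILD_SA counter line carries "N bytes_i, M bytes_o".
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
      con1[1]: ESTABLISHED 5 minutes ago, 203.0.113.1[203.0.113.1]...198.51.100.1[198.51.100.1]
      con1[1]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, rekeying in 2 hours
      con1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
      con1{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 840 bytes_o (10 pkts, 3s ago), rekeying in 45 minutes
      con1{1}:   10.0.1.0/24 === 10.0.2.0/24
"""

CHILD_LINE = re.compile(r"^\s*(?P<name>\S+\{\d+\}):\s+(?P<rest>.*)$")  # e.g. "con1{1}: ..."
COUNTERS = re.compile(r"(?P<i>\d+) bytes_i.*?(?P<o>\d+) bytes_o")

def parse_child_sas(status_text):
    """Map each CHILD_SA (Phase 2) to its install state, byte counters and traffic selectors."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_LINE.match(line)
        if not m:
            continue
        sa = sas.setdefault(m["name"], {"installed": False, "bytes_in": 0, "bytes_out": 0, "nets": ""})
        rest = m["rest"]
        if rest.startswith("INSTALLED"):
            sa["installed"] = True
        c = COUNTERS.search(rest)
        if c:
            sa["bytes_in"], sa["bytes_out"] = int(c["i"]), int(c["o"])
        if "===" in rest:
            sa["nets"] = rest.strip()
    return sas

def diagnose(sa):
    """Classify a CHILD_SA the way the thread's troubleshooting does: it is up, but is traffic flowing?"""
    if not sa["installed"]:
        return "child-sa-missing"      # Phase 2 never installed: check P2 proposals and networks
    if sa["bytes_in"] == 0 and sa["bytes_out"] == 0:
        return "no-traffic"            # nothing matched the policy: IPsec firewall rules, P2 networks
    if sa["bytes_in"] == 0:
        return "no-return-traffic"     # packets leave but none return: remote host firewall/gateway
    if sa["bytes_out"] == 0:
        return "no-outbound-traffic"   # replies arrive but nothing is sent: local routing/rules
    return "flowing"

def diagnose_all(status_text):
    return {name: diagnose(sa) for name, sa in parse_child_sas(status_text).items()}
```

For the constructed sample the verdict is "no-return-traffic": the local side is sending into the tunnel and nothing comes back, which is exactly the case where the far-side host (firewall, default gateway) rather than the tunnel deserves attention.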
                  • M
                    maverick_slo last edited by

                    I've rebuilt pfSense to 2.3 on both sides and now it works.

                    But a new problem is here.
                    When IPsec is up I can't get to the web interface after I click refresh on the IPsec status page once or twice.

                    I always get:
                    504 Gateway Time-out
                    nginx

                    If I restart the webConfigurator from the SSH shell: no go.
                    If I restart PHP-FPM, then I can connect to the web GUI again.

                    • P
                      phil.davis last edited by

                      There is an underlying issue with the low-level command that gets the IPsec status. It sometimes hangs and thus the web-interface waits "forever" for the output to come and eventually nginx web server times out.
                      https://redmine.pfsense.org/issues/5520

                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                      • M
                        maverick_slo last edited by

                        Thanks, just seen it.
                        I use IKEv2 and the same thing happens.
                        I saw that on strongSwan this is marked as resolved?

                        • M
                          maverick_slo last edited by

                          I'm really sorry to nag, but there is something wrong with IPsec.
                          I came home, disabled IPsec, re-enabled it and again the tunnel is up but no traffic.

                          I really don't get it any more… It was working and I didn't change ANY setting at all. Disabled and reconnected and no more joy.

                          • M
                            maverick_slo last edited by

                            OK more details:

                            It only works when IKE is set to V1 and mode to aggressive.

                            So:
                            IKEv1 + aggressive (MUTUAL PSK) = OK
                            IKEv1 + aggressive (MUTUAL RSA) = OK

                            IKEv1 + main = NOT WORKING (both RSA and PSK)

                            IKEv2 = not working

                            Setup between 2.3 and 2.2.6

                            • C
                              cmb last edited by

                              @maverick_slo:

                              IKEv1 + main = NOT WORKING (both RSA and PSK)

                              IKEv2 = not working

                              Setup between 2.3 and 2.2.6

                              That's not true in general. We've been running production VPNs matching the described circumstance for months with no issues.

                              What specifically do you have configured that doesn't work?

                              • M
                                maverick_slo last edited by

                                Huh, really simple.
                                IPsec between 2 locations, only one left and right local subnet.
                                When in aggressive mode everything works, traffic flows…
                                As soon as I change both to main or IKEv2 and restart, the tunnel shows as online but no traffic is coming through. So I can rule out firewall rules and host config regarding gateways etc...
                                I really don't know what I'm doing wrong here, or maybe there's an issue between 2.2.6 and 2.3.
                                Again, the SAME config between two 2.2.6 pfSenses works like a charm...

                                • C
                                  cmb last edited by

                                  What identifiers are you using on the P1?

                                  • M
                                    maverick_slo last edited by

                                    My IP address.

                                    • M
                                      maverick_slo last edited by

                                      Hi cmb!

                                      I managed to configure IKEv2 between 2.2.6 and 2.3.

                                      There are some GUI issues I think on the IPsec config page, see here: https://forum.pfsense.org/index.php?topic=105776.0

                                      I did the config manually via .conf files and it works like a charm now.
                                      Also, an upgrade from 2.2.6 to 2.3 correctly retains configs and it works. The problem was on a new 2.3 install and new IPsec tunnel config creation.

                                      BR,
                                      Greg
