Netgate Discussion Forum

    2.2.6 - Lost LAN connection when IPsec tunnel is connected, only the first time booting

    7 Posts 2 Posters 1.9k Views
    cabenico:

      Good morning everyone.

      I have a strange issue.

      Details:
      LAN IP pfSense: 10.133.30.1

      TUNNEL IPSEC: Phase 2
      Local Network LAN Subnet
      Remote Network 10.0.0.0/8

      Advanced setting "Enable bypasslan for LAN": checked.

      When the IPsec tunnel is up, I lose ping from the LAN to the LAN IP (10.133.30.1). I think traffic going to 10.x.x.x is trying to go through the IPsec tunnel, and the bypass-for-LAN option is not working correctly.
      If I restart the ipsec service there are no more problems, but I have to do this manually after every reboot.

      Any idea ?

      Thanks in advance!!!!

      cmb:

        What does the output of 'ipsec statusall' show when it's working vs. when it's not?

        cabenico:

          @cmb:

          What does the output of 'ipsec statusall' show when it's working vs. when it's not?

          @cmb thanks for your reply!

          1- After reboot, IPsec connected, ping from the LAN subnet to the pfSense LAN IP: NO REPLY

          [root@vpn-sanmartin ~]# ipsecstats
          ah packets with hmac-md5: 2522
          esp input packets processed: 1149
          esp output packets processed: 1373
          esp packets with rijndael-cbc: 2522
          esp bytes received: 328016
          esp bytes transmitted: 333190

          no SA found 14 (output)
          m_clone processing: 0 mbufs + 0 clusters coalesced
          m_makespace: 1371 mbufs inserted

          header position [front/middle/end]: 0/1149/0
          [root@vpn-sanmartin ~]# ipsec status all
          Security Associations (1 up, 0 connecting):
            no match
          [root@vpn-sanmartin ~]#

          2- After "ipsec restart", IPsec connected, ping from the LAN subnet to the pfSense LAN IP: REPLY OK

          [root@vpn-sanmartin ~]# ipsecstats
          ah packets with hmac-md5: 6604
          esp input packets processed: 3145
          esp output packets processed: 3459
          esp packets with rijndael-cbc: 6604
          esp bytes received: 1580864
          esp bytes transmitted: 648373

          policy violations: input 38 output 0
          no SA found 16 (output)
          m_clone processing: 0 mbufs + 0 clusters coalesced
          m_makespace: 3451 mbufs inserted

          header position [front/middle/end]: 0/3145/0
          [root@vpn-sanmartin ~]# ipsec status all
          Security Associations (1 up, 0 connecting):
            no match
          [root@vpn-sanmartin ~]#

          I think the problem is the remote network in IPsec phase 2 -> 10.0.0.0/8, while the LAN subnet is 10.133.0.0/16.
          Traffic to 10.133.0.0/16 is trying to go via the IPsec tunnel and is not recognized as the LAN subnet.

          But the strangest thing is that this only happens after reboot, the first time. After restarting IPsec all goes OK again.

          Very strange issue.

            cabenico:

            At the moment, to resolve this... not very nice, but it confirms what I said.

            I made a shell script xxx.sh in /usr/local/etc/rc.d/:

            "
            #!/bin/sh
            # wait for the boot-time IPsec start to finish, then restart it
            sleep 40
            ipsec stop
            sleep 5
            ipsec start
            "

              cabenico:

              Not really sure, but another thing to try...

              IPsec CLIENT
              Phase 2 proposal (SA/Key Exchange) ONLY CHECK
              Encryption algorithms
              AES / Blowfish / 3DES / CAST128 / DES

              Hash algorithms ONLY CHECK
              MD5 and SHA1

              I have to try it for some more days...

                cmb:

                That's 'ipsec statusall', no space in between, but that likely isn't going to be telling in this case. What does the output of "setkey -DP" show when it's not working and when it is? I'm thinking there's an ordering issue of some sort there.

                  cabenico:

                  @cmb:

                  That's 'ipsec statusall', no space in between, but that likely isn't going to be telling in this case. What does the output of "setkey -DP" show when it's not working and when it is? I'm thinking there's an ordering issue of some sort there.

                  ipsec statusall (IPsec connected after reboot, no LAN ping from the LAN subnet):

                  [root@vpn-gualeguaychu ~]# ipsec statusall
                  Status of IKE charon daemon (weakSwan 5.3.3, FreeBSD 10.1-RELEASE-p24, i386):
                    uptime: 3 minutes, since Mar 17 14:45:02 2016
                    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
                    loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
                  Listening IP addresses:
                    181.xxx.xxx.xxx
                    10.85.30.1
                  Connections:
                    bypasslan:  %any…%any  IKEv1/2
                    bypasslan:  local:  uses public key authentication
                    bypasslan:  remote: uses public key authentication
                    bypasslan:  child:  10.85.0.0/16|/0 === 10.85.0.0/16|/0 PASS
                      con1000:  181.xxx.xxx.xxx...201.xxx.xxx.xxx  IKEv1 Aggressive, dpddelay=10s
                      con1000:  local:  [gualeguaychu@osprera.org.ar] uses pre-shared key authentication
                      con1000:  remote: [201.xxx.xxx.xxx] uses pre-shared key authentication
                      con1000:  child:  10.85.0.0/16|/0 === 10.0.0.0/8|/0 TUNNEL, dpdaction=restart
                  Shunted Connections:
                    bypasslan:  10.85.0.0/16|/0 === 10.85.0.0/16|/0 PASS
                  Routed Connections:
                      con1000{4}:  ROUTED, TUNNEL, reqid 1
                      con1000{4}:  10.85.0.0/16|/0 === 10.0.0.0/8|/0
                  Security Associations (1 up, 0 connecting):
                      con1000[1]: ESTABLISHED 3 minutes ago, 181.xxx.xxx.xxx[gualeguaychu@osprera.org.ar]…201.xxx.xxx.xxx[201.216.208.113]
                      con1000[1]: IKEv1 SPIs: 51f33f634aae57e2_i* 6761851f86de30b5_r, pre-shared key reauthentication in 7 hours
                      con1000[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                      con1000{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cbfd4079_i 046b1ec2_o
                      con1000{2}:  AES_CBC_256/HMAC_MD5_96, 273639 bytes_i (1235 pkts, 0s ago), 316104 bytes_o (1283 pkts, 0s ago), rekeying in 19 minutes
                      con1000{2}:  10.85.0.0/16|/0 === 10.0.0.0/8|/0
                  [root@vpn-gualeguaychu ~]#

                  setkey -DP (IPsec connected after reboot, no LAN ping from the LAN subnet):

                  [root@vpn-gualeguaychu ~]# setkey -DP
                  10.0.0.0/8[any] 10.85.0.0/16[any] any
                          in ipsec
                          esp/tunnel/201.xxx.xxx.xxx-181.xxx.xxx.xxx/unique:1
                          created: Mar 17 14:45:29 2016  lastused: Mar 17 14:52:15 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=6 seq=3 pid=91411
                          refcnt=1
                  10.85.0.0/16[any] 10.85.0.0/16[any] any
                          in none
                          created: Mar 17 14:45:52 2016  lastused: Mar 17 14:45:52 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=10 seq=2 pid=91411
                          refcnt=1
                  10.85.0.0/16[any] 10.0.0.0/8[any] any
                          out ipsec
                          esp/tunnel/181.xxx.xxx.xxx-201.xxx.xxx.xxx/unique:1
                          created: Mar 17 14:45:29 2016  lastused: Mar 17 14:52:16 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=5 seq=1 pid=91411
                          refcnt=1
                  10.85.0.0/16[any] 10.85.0.0/16[any] any
                          out none
                          created: Mar 17 14:45:52 2016  lastused: Mar 17 14:45:52 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=9 seq=0 pid=91411
                          refcnt=1
                  [root@vpn-gualeguaychu ~]#


                  Then, ipsec stop, ipsec start (IPsec connected, ping OK to the LAN IP from the LAN subnet):

                  ipsec statusall:

                  [root@vpn-gualeguaychu ~]# ipsec statusall
                  Status of IKE charon daemon (weakSwan 5.3.3, FreeBSD 10.1-RELEASE-p24, i386):
                    uptime: 12 seconds, since Mar 17 14:54:26 2016
                    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
                    loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
                  Listening IP addresses:
                    181.xxx.xxx.xxx
                    10.85.30.1
                  Connections:
                    bypasslan:  %any…%any  IKEv1/2
                    bypasslan:  local:  uses public key authentication
                    bypasslan:  remote: uses public key authentication
                    bypasslan:  child:  10.85.0.0/16|/0 === 10.85.0.0/16|/0 PASS
                      con1000:  181.xxx.xxx.xxx...201.xxx.xxx.xxx  IKEv1 Aggressive, dpddelay=10s
                      con1000:  local:  [gualeguaychu@osprera.org.ar] uses pre-shared key authentication
                      con1000:  remote: [201.xxx.xxx.xxx] uses pre-shared key authentication
                      con1000:  child:  10.85.0.0/16|/0 === 10.0.0.0/8|/0 TUNNEL, dpdaction=restart
                  Shunted Connections:
                    bypasslan:  10.85.0.0/16|/0 === 10.85.0.0/16|/0 PASS
                  Routed Connections:
                      con1000{1}:  ROUTED, TUNNEL, reqid 1
                      con1000{1}:  10.85.0.0/16|/0 === 10.0.0.0/8|/0
                  Security Associations (1 up, 0 connecting):
                      con1000[1]: ESTABLISHED 12 seconds ago, 181.xxx.xxx.xxx[gualeguaychu@osprera.org.ar]…201.xxx.xxx.xxx[201.216.208.113]
                      con1000[1]: IKEv1 SPIs: 1d1e895fe7c58369_i* 0134c120391e748b_r, pre-shared key reauthentication in 7 hours
                      con1000[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
                      con1000{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c8dbde05_i 04d2c445_o
                      con1000{2}:  AES_CBC_256/HMAC_MD5_96, 17097 bytes_i (124 pkts, 0s ago), 30560 bytes_o (122 pkts, 0s ago), rekeying in 22 minutes
                      con1000{2}:  10.85.0.0/16|/0 === 10.0.0.0/8|/0
                  [root@vpn-gualeguaychu ~]#

                  setkey -DP:

                  [root@vpn-gualeguaychu ~]# setkey -DP
                  10.85.0.0/16[any] 10.85.0.0/16[any] any
                          in none
                          created: Mar 17 14:54:27 2016  lastused: Mar 17 14:56:20 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=14 seq=3 pid=44444
                          refcnt=1
                  10.0.0.0/8[any] 10.85.0.0/16[any] any
                          in ipsec
                          esp/tunnel/201.xxx.xxx.xxx-181.xxx.xxx.xxx/unique:1
                          created: Mar 17 14:54:27 2016  lastused: Mar 17 14:56:19 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=18 seq=2 pid=44444
                          refcnt=1
                  10.85.0.0/16[any] 10.85.0.0/16[any] any
                          out none
                          created: Mar 17 14:54:27 2016  lastused: Mar 17 14:56:20 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=13 seq=1 pid=44444
                          refcnt=1
                  10.85.0.0/16[any] 10.0.0.0/8[any] any
                          out ipsec
                          esp/tunnel/181.xxx.xxx.xxx-201.xxx.xxx.xxx/unique:1
                          created: Mar 17 14:54:27 2016  lastused: Mar 17 14:56:20 2016
                          lifetime: 2147483647(s) validtime: 0(s)
                          spid=17 seq=0 pid=44444
                          refcnt=1
                  [root@vpn-gualeguaychu ~]#

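As an added example (not from this thread, pfSense or strongSwan), here is a small Python checker that parses `setkey -DP` output and reports which SPD entry traffic between a LAN host and the firewall's LAN IP hits first. It assumes the kernel walks SPD entries in the order `setkey -DP` prints them and that the first match wins, which is what the two captures above suggest: after reboot the broad 10.0.0.0/8 tunnel policy is listed before the bypasslan "none" policy, after the restart it is listed after it. The LAN client address 10.85.30.50 is made up; the firewall LAN IP 10.85.30.1 and the trimmed captures are from the post above.

```python
"""Added example for this thread (not pfSense or strongSwan code): parse
'setkey -DP' output and check whether the 'bypass LAN' SPD entries are
consulted before the broader tunnel policy for LAN <-> firewall traffic.

Assumption: the kernel walks SPD entries in the order 'setkey -DP' lists
them and the first match wins; that is exactly what this script checks.
"""
import ipaddress
import re
import sys

# "10.85.0.0/16[any] 10.0.0.0/8[any] any"  ->  src, dst, upper-layer proto
POLICY_RE = re.compile(r"^(?P<src>\S+)\[[^\]]+\]\s+(?P<dst>\S+)\[[^\]]+\]\s+\S+$")
# "out ipsec" / "in none" / "fwd discard"  ->  direction and action
ACTION_RE = re.compile(r"^(?P<dir>in|out|fwd)\s+(?P<action>ipsec|none|discard)\b")


def parse_setkey_dp(text):
    """Return SPD entries as dicts (src, dst, dir, action, detail) in dump order."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            current = {"src": ipaddress.ip_network(m["src"], strict=False),
                       "dst": ipaddress.ip_network(m["dst"], strict=False),
                       "dir": None, "action": None, "detail": []}
            policies.append(current)
        elif current is not None:
            a = ACTION_RE.match(line)
            if a:
                current["dir"], current["action"] = a["dir"], a["action"]
            else:
                current["detail"].append(line)   # esp/tunnel, created:, spid= ...
    return policies


def first_match(policies, direction, src, dst):
    """First SPD entry (in dump order) for direction that covers src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]:
            return p
    return None


def bypass_effective(text, firewall_lan_ip, lan_client):
    """True only if both directions between the LAN client and the firewall
    hit a 'none' (bypass) entry before any 'ipsec' entry."""
    policies = parse_setkey_dp(text)
    out_p = first_match(policies, "out", firewall_lan_ip, lan_client)
    in_p = first_match(policies, "in", lan_client, firewall_lan_ip)
    return all(p is not None and p["action"] == "none" for p in (out_p, in_p))


# Trimmed captures from the thread: AFTER_REBOOT is the state with no LAN
# ping, AFTER_RESTART the state after 'ipsec stop; ipsec start'.
AFTER_REBOOT = """\
10.0.0.0/8[any] 10.85.0.0/16[any] any
        in ipsec
        esp/tunnel/201.xxx.xxx.xxx-181.xxx.xxx.xxx/unique:1
10.85.0.0/16[any] 10.85.0.0/16[any] any
        in none
10.85.0.0/16[any] 10.0.0.0/8[any] any
        out ipsec
        esp/tunnel/181.xxx.xxx.xxx-201.xxx.xxx.xxx/unique:1
10.85.0.0/16[any] 10.85.0.0/16[any] any
        out none
"""

AFTER_RESTART = """\
10.85.0.0/16[any] 10.85.0.0/16[any] any
        in none
10.0.0.0/8[any] 10.85.0.0/16[any] any
        in ipsec
        esp/tunnel/201.xxx.xxx.xxx-181.xxx.xxx.xxx/unique:1
10.85.0.0/16[any] 10.85.0.0/16[any] any
        out none
10.85.0.0/16[any] 10.0.0.0/8[any] any
        out ipsec
        esp/tunnel/181.xxx.xxx.xxx-201.xxx.xxx.xxx/unique:1
"""

if __name__ == "__main__":
    # LAN client 10.85.30.50 is made up; 10.85.30.1 is the firewall LAN IP from the thread.
    samples = [("after reboot", AFTER_REBOOT), ("after ipsec restart", AFTER_RESTART)]
    if not sys.stdin.isatty():            # allow: setkey -DP | python3 check_bypass.py
        samples = [("live", sys.stdin.read())]
    for label, capture in samples:
        ok = bypass_effective(capture, "10.85.30.1", "10.85.30.50")
        print(f"{label}: bypass for LAN {'effective' if ok else 'NOT effective'}")
```

Run on the embedded captures it reports the reboot state as not effective and the restarted state as effective; piped the live `setkey -DP` output it checks the box it runs on. The inbound direction matters as much as the outbound one: when the `in ipsec` entry for 10.0.0.0/8 wins, cleartext pings arriving from the LAN are dropped as policy violations, which matches the "policy violations: input" counter in the ipsecstats output earlier in the thread.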
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.