Netgate m1n1wall

Author Topic: Routing over site-to-site IPsec tunnels is broken since early December  (Read 2113 times)

0 Members and 1 Guest are viewing this topic.

Offline borsoock

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Routing over site-to-site IPsec tunnels is broken in snapshots since over a month! It was OK until early November builds (I've got Nov 9 build running OK) but doesn't work in more recent builds. Tunnel is established, you can ping remote end directly from router but no traffic from subnet behind tunnel is actually routed. Please fix it guys!
« Last Edit: January 01, 2013, 11:44:26 am by borsoock »

Offline anthonysomerset

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #1 on: January 01, 2013, 11:32:22 pm »
are you sure its not a config issue i was using a mid december snapshot until this morning (updated) and its been working fine throughout

i have an IPsec tunnel setup and its routing fine between the endpoints perfectly, i can reach the remote lan from local and reach the local lan from remote

probably a good idea to describe your config

Offline cybercare

  • Jr. Member
  • **
  • Posts: 93
  • Karma: +0/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #2 on: January 02, 2013, 09:28:51 am »
It works fine for me and I just setup a new box and new install to our datacenter running 12-28 snapshot last week and upgraded our office from 2.0.2 to latest snap also.

Must be a config issue.

My only issues with 2.1.x is that ipsec mobile clients cant use a different WAN connection over the tunnel but I have another thread for that.

Tunnel traffic itself works perfectly fine as far as I can tell for site-to-site and mobile clients.

Offline ermal

  • Administrator
  • Hero Member
  • *****
  • Posts: 3364
  • Karma: +2/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #3 on: January 03, 2013, 05:20:33 am »
Can you please try with tomorrow snapshots and see if the functionality has been restored?

Offline borsoock

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #4 on: January 03, 2013, 09:47:47 am »
Hi
I test 2.1 since August. I do upgrades to newer snapshots every ~2 weeks and everything was absolutely fine until December. After upgrade from November 9 version to December ones IPsec tunnels stopped working properly, so this is not configuration issue. Maybe something has change with automatic upgrade procedure than? I'll try to install newest snapshot, delete and re-define all tunnels.
« Last Edit: January 03, 2013, 10:03:32 am by borsoock »

Offline borsoock

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #5 on: January 04, 2013, 01:22:45 pm »
Can you please try with tomorrow snapshots and see if the functionality has been restored?

I did instal today's snapshot and make some tests. I even deleted all tunnels and re-created it. No change - tunnels are up but no routes to remote subnets are inserted, traffic is send to default gateway not through tunnels. Obviously I can add additional routes manually but this is not the way it should be. Any ideas?

Best Regards

Marcin

Offline ermal

  • Administrator
  • Hero Member
  • *****
  • Posts: 3364
  • Karma: +2/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #6 on: January 04, 2013, 04:13:09 pm »
You are talking about policy routing traffic or static routed traffic?

Adding routes and policy routing are 2 different thigns.

Offline borsoock

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #7 on: January 15, 2013, 03:27:47 pm »
Problem found! And this is a bug for sure!

I have dual WAN configuration. If there are any additional firewall rules defined for LAN side  (in my case two rules that send traffic from selected IP through WAN1 or WAN2) all IPsec routes are ignored and no traffic is send to IPsec tunnel anymore! If this LAN rules are disabled and only default 'pass all through default gateway' is active, IPsec tunnel routing is back to normal. Seems that 2.0.2 suffer from exactly the same bug : http://forum.pfsense.org/index.php/topic,57237.0.html
« Last Edit: January 15, 2013, 03:37:57 pm by borsoock »

Offline cmb

  • Administrator
  • Hero Member
  • *****
  • Posts: 6333
  • Karma: +0/-0
    • LinkedIn
    • Twitter
    • View Profile
    • Chris Buechler
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #8 on: January 15, 2013, 06:57:19 pm »
That's how things are supposed to work without the negation work around we put in place to prevent you from foot shooting. The other linked thread is after upgrade to 2.1, not 2.0.2. 2.1 has changed some in this regard and that needs to be re-evaluated.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14998
  • Karma: +4/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #9 on: January 16, 2013, 11:09:58 am »
It's sort of a catch 22, none of the options are all that great.

If you put the negate rules above user rules with quick on, then all internal hosts can reach all hosts on the VPN - many people don't want this.
If you put the negate rules above user rules with quick off, a block rule or other rule that matches can make them be skipped entirely.
If you put the negate rules below the user rules with quick on then user rules with a gateway set wouldn't be bypassed.

Best way is always to use your own negate rules.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Online stephenw10

  • Hero Member
  • *****
  • Posts: 8176
  • Karma: +10/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #10 on: January 16, 2013, 11:30:34 am »
Best way is always to use your own negate rules.

+1 on that.
I was in fact relying on my own negate rules (or lack thereof) to isolate my wifi. Suddenly I found my wifi clients could access other subnets. If negate rules are to be added automatically they must show some warning IMHO.

Steve

Apologies for this thread hi-jack.  ;)

Offline heper

  • Hero Member
  • *****
  • Posts: 676
  • Karma: +0/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #11 on: January 17, 2013, 03:24:21 am »
Best way is always to use your own negate rules.

+1 on that.
I was in fact relying on my own negate rules (or lack thereof) to isolate my wifi. Suddenly I found my wifi clients could access other subnets. If negate rules are to be added automatically they must show some warning IMHO.

Steve

Apologies for this thread hi-jack.  ;)

+1 on huge warning labels for all pfsense releases ... i've seen numerous posts on this forum somewhat related to this.
It confuses most users why traffic passes when they haven't made a rule to let it pass, or made an effort with policy routing to prevent it from passing.

Would it be hard to backport the 'disable negate rules' checkbox to 2.0.3 ?
it would safe me lots of time ... now i have to isolate every vlan/vpn manually and spend lots of time whenever i add another one.

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14998
  • Karma: +4/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #12 on: January 17, 2013, 06:43:36 am »
The checkbox is already there on 2.0.2/2.0.3 to disable negate rules.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Online stephenw10

  • Hero Member
  • *****
  • Posts: 8176
  • Karma: +10/-0
    • View Profile
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #13 on: January 17, 2013, 07:40:42 am »
So it is!
I had been following that addition but thought it was 2.1 only. Thanks.
Still it seems a significant change. When were the negate rules introduced? How did I miss that?  ::)

Steve

Offline cmb

  • Administrator
  • Hero Member
  • *****
  • Posts: 6333
  • Karma: +0/-0
    • LinkedIn
    • Twitter
    • View Profile
    • Chris Buechler
Re: Routing over site-to-site IPsec tunnels is broken since early December
« Reply #14 on: January 18, 2013, 02:06:08 am »
When were the negate rules introduced? How did I miss that?  ::)

6-7 years ago IIRC. Long ways back, I believe the original 1.2 release was the first stable release that had them, which was almost 5 years ago.