
Author Topic: PfSense not using IPSec site-to-site tunnel for routing  (Read 175 times)


Offline gregorij

  • Newbie
  • Posts: 5
  • Karma: +0/-0
PfSense not using IPSec site-to-site tunnel for routing
« on: January 19, 2018, 04:59:15 pm »
Hi, I am facing a strange issue and I am pretty desperate here. I had a well-configured and fully functional IPsec site-to-site tunnel between a pfSense box and a Zyxel USG 20 gateway. I set it up two years ago and there wasn't any problem with it until now. Last night I updated pfSense to version 2.4.2-RELEASE-p1, and it must have somehow broken this IPsec tunnel. Both pfSense and the USG show me that the tunnel is up and running, and I don't see anything strange in the IPsec logs on either pfSense or the USG. On the pfSense box only the incoming traffic counters are increasing, and the same happens with the outgoing counters on the USG. In a packet capture on pfSense I can see that the USG tries to ping the pfSense box address, but no traffic is flowing back. When I tried a traceroute to the pfSense box from a computer inside the USG's LAN, it correctly tries to go through the tunnel, but when I tried the same from a computer inside pfSense's LAN, it tries to route through the internet and not through the tunnel. The same happens when I tried to traceroute the USG's IP directly from pfSense.

I've only done the upgrade of the pfSense box, and no other configuration changes anywhere. Please, could someone tell me how to fix this? Should I add some route to the pfSense route table? Or what can be the cause of this trouble? As I said, before the upgrade this configuration was functional for over two years without any issue.

Thanks

George

Offline gregorij

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Re: PfSense not using IPSec site-to-site tunnel for routing
« Reply #1 on: January 28, 2018, 01:36:43 pm »
Hi, I am really disappointed that there is no answer to my question. In the meantime, I've tried to figure it out. I've tried to rebuild the whole configuration, but with no success; then I deployed a new installation of pfSense 2.4.2 on another machine and tried to set up the IPsec tunnel there, but also with no success. Finally, I backed up the configuration from the newly installed 2.4.2 box, reinstalled it as 2.4.1, restored the configuration (yes, the config.xml from the 2.4.2) and voilà, the IPsec tunnel was successfully connected and properly used by pfSense. So I've concluded that there must be something that changed in the new release and I am missing this change. Unfortunately, I haven't found anything about that, so I am hoping that someone relevant will see this post and tell me what I am missing, or, if it is a bug, that this issue will be added to the bug list for the next release.

Regards
George

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9791
  • Karma: +1105/-311
Re: PfSense not using IPSec site-to-site tunnel for routing
« Reply #2 on: January 28, 2018, 04:59:00 pm »
If you have the LAN interface disabled, UNCHECK VPN > IPsec, Advanced Settings, Auto-exclude LAN address

https://redmine.pfsense.org/issues/8239
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™
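The setting Derelict points at matters because pfSense renders "Auto-exclude LAN address" as a strongSwan passthrough (bypass) connection, and strongSwan installs passthrough policies ahead of tunnel policies, so a bypass whose traffic selectors are wide enough to cover the remote network sends that traffic in the clear out the default route, which is exactly the "traceroute goes via the internet while the tunnel shows up" symptom described in the first post. The following is an added example, not code from the thread or from pfSense: it parses an ipsec.conf-style file (on a 2.4.x box the generated file is typically under /var/etc/ipsec/) and reports any passthrough conn whose left and right selectors both overlap a tunnel conn's selectors. The conn names (bypasslan, con1), the addresses and the two config texts are constructed for the example; the thread does not say what pfSense 2.4.2 actually writes for the bypass selectors when the LAN address is missing, so the 0.0.0.0/0 in the "broken" config only illustrates a selector wide enough to shadow the tunnel.

```python
"""Added example: detect a strongSwan passthrough conn that shadows a tunnel conn.
Assumption: pfSense's "Auto-exclude LAN address" is rendered as a conn with
type=passthrough (named 'bypasslan' here). All config text below is constructed."""
import ipaddress
import re
from typing import Dict, List, Tuple

Conn = Dict[str, str]


def parse_ipsec_conf(text: str) -> Dict[str, Conn]:
    """Minimal ipsec.conf reader: a 'conn NAME' line at column 0 opens a section,
    indented 'key = value' lines belong to it; '#' comments are stripped.
    Lines outside any conn (e.g. 'config setup') are ignored."""
    conns: Dict[str, Conn] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def selectors(value: str) -> list:
    """leftsubnet/rightsubnet may hold a comma-separated list of CIDRs."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in value.split(",") if s.strip()]


def _overlap(a: str, b: str) -> bool:
    # ip_network.overlaps() returns False across IPv4/IPv6, so mixed lists are safe.
    return any(x.overlaps(y) for x in selectors(a) for y in selectors(b))


def shadowed_tunnels(conns: Dict[str, Conn]) -> List[Tuple[str, str]]:
    """Return (tunnel_conn, passthrough_conn) pairs where the passthrough's left
    and right selectors both overlap the tunnel's. Because passthrough policies
    take precedence, such an overlap means the tunnel's traffic bypasses IPsec."""
    tunnels = {n: c for n, c in conns.items()
               if c.get("type", "tunnel") == "tunnel"
               and "leftsubnet" in c and "rightsubnet" in c}
    bypasses = {n: c for n, c in conns.items()
                if c.get("type") == "passthrough"
                and "leftsubnet" in c and "rightsubnet" in c}
    hits: List[Tuple[str, str]] = []
    for tname, t in tunnels.items():
        for bname, b in bypasses.items():
            if (_overlap(t["leftsubnet"], b["leftsubnet"])
                    and _overlap(t["rightsubnet"], b["rightsubnet"])):
                hits.append((tname, bname))
    return hits


# Constructed: 192.168.1.0/24 is the local LAN, 10.20.0.0/24 sits behind the peer.
# The bypass only exempts LAN-to-LAN traffic, so it cannot shadow the tunnel.
SANE_CONF = """\
config setup
    uniqueids = yes

conn bypasslan
    leftsubnet = 192.168.1.0/24
    rightsubnet = 192.168.1.0/24
    authby = never
    type = passthrough
    auto = route

conn con1
    type = tunnel
    left = 203.0.113.10
    right = 198.51.100.20
    leftsubnet = 192.168.1.0/24
    rightsubnet = 10.20.0.0/24
    auto = route
"""

# Constructed: same tunnel, but the bypass selectors are wide open, so every
# packet that con1 should protect matches the higher-priority passthrough first.
BROKEN_CONF = """\
conn bypasslan
    leftsubnet = 0.0.0.0/0
    rightsubnet = 0.0.0.0/0
    authby = never
    type = passthrough
    auto = route

conn con1
    type = tunnel
    left = 203.0.113.10
    right = 198.51.100.20
    leftsubnet = 192.168.1.0/24
    rightsubnet = 10.20.0.0/24
    auto = route
"""

if __name__ == "__main__":
    for label, conf in (("sane", SANE_CONF), ("broken", BROKEN_CONF)):
        print(label, shadowed_tunnels(parse_ipsec_conf(conf)))
```

Run it against the generated ipsec.conf of a box that shows the symptom; a non-empty result names the bypass conn to remove, which is what unchecking the Auto-exclude LAN address option does.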

Offline gregorij

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Re: PfSense not using IPSec site-to-site tunnel for routing
« Reply #3 on: January 29, 2018, 08:15:10 am »
Quote from: Derelict on January 28, 2018, 04:59:00 pm
If you have the LAN interface disabled, UNCHECK VPN > IPsec, Advanced Settings, Auto-exclude LAN address

https://redmine.pfsense.org/issues/8239

Hi, thank you, that helps, but the symptoms are not my case. I have LAN enabled and a static IP assigned to it on both installations. The production one has the default LAN, two WANs, one OpenVPN, one IPsec and approx. 30 VLAN interfaces; the test one is probably more common, it has WAN, LAN and IPsec. But both showed me the issue and both were repaired by your solution.

George

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 9791
  • Karma: +1105/-311
Re: PfSense not using IPSec site-to-site tunnel for routing
« Reply #4 on: January 29, 2018, 10:25:53 am »
In Status > Interfaces you will see the second interface. That is the internal interface (lan). It does not matter what the interface description is.