Scott Ullrich wrote:
On Tue, Sep 22, 2009 at 12:46 PM, Evgeny Yurchenko <[email protected]> wrote:
Then sorry Scott, I do not understand your statement: "Traffic on the
firewall itself prefers the system routing table.  Clients behind the
firewall will prefer the IPSEC tunnel."
In my case traffic initiated on the firewall itself goes over the tunnel,
client behind firewall goes over normal routing table/nat while it must go
over the tunnel. And I've almost broken my head trying to understand why.

Sorry, I meant when you are pinging from the firewall itself.

Double check your subnet information.  This should work and I know
folks running IPSEC on PPPoE hosts.  If you continue to have problems
we need more information such as the IPSEC SPD/SAD entries.

Scott

I know it must work but I've spent many hours already trying to figure out why it does not... -(
Currently I have:
# setkey -PD
10.29.1.0/24[any] 10.29.1.19[any] any
       in none
       spid=55 seq=3 pid=30386
       refcnt=1
10.29.11.0/24[any] 10.29.1.0/24[any] any
       in ipsec
       esp/tunnel/y.y.y.155-x.x.x.106/unique#16426
       spid=58 seq=2 pid=30386
       refcnt=1
10.29.1.19[any] 10.29.1.0/24[any] any
       out none
       spid=56 seq=1 pid=30386
       refcnt=1
10.29.1.0/24[any] 10.29.11.0/24[any] any
       out ipsec
       esp/tunnel/x.x.x.106-y.y.y.155/unique#16425
       spid=57 seq=0 pid=30386
       refcnt=1
# setkey -D
x.x.x.106 y.y.y.155
       esp mode=any spi=122888134(0x07531fc6) reqid=16425(0x00004029)
       E: 3des-cbc  a8c0fd24 d6d2ae24 8f59f03d d97e3483 e6e36bd6 54ed54d0
       A: hmac-sha1  3c8a1c12 452eb445 56a0e7b0 4212e329 caae4b23
       seq=0x00000000 replay=4 flags=0x00000000 state=mature
       created: Sep 22 20:50:24 2009   current: Sep 22 21:04:34 2009
       diff: 850(s)    hard: 3600(s)   soft: 2880(s)
       last:                           hard: 0(s)      soft: 0(s)
       current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
       allocated: 0    hard: 0 soft: 0
       sadb_seq=2 pid=30402 refcnt=1
y.y.y.155 x.x.x.106
       esp mode=tunnel spi=179125587(0x0aad3d53) reqid=16426(0x0000402a)
       E: 3des-cbc  4958801c 50167ed7 7dd51564 914c1669 520c9fbe 9275234e
       A: hmac-sha1  aca2d1d8 5ffffa6b fcce17a6 3f25d3c8 7d36179c
       seq=0x00000000 replay=4 flags=0x00000000 state=mature
       created: Sep 22 20:50:24 2009   current: Sep 22 21:04:34 2009
       diff: 850(s)    hard: 3600(s)   soft: 2880(s)
       last:                           hard: 0(s)      soft: 0(s)
       current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
       allocated: 0    hard: 0 soft: 0
       sadb_seq=0 pid=30402 refcnt=1
#

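As an added example (not part of the thread or of pfSense), a small Python parser for the `setkey -PD` dump above that reports which SPD action a given flow would receive: this is the check needed to confirm that a client packet from 10.29.1.0/24 to 10.29.11.0/24 really matches the `out ipsec` policy rather than falling through to the routing table/NAT. The sample input is constructed from the quoted dump, with its placeholder endpoints kept.

```python
import ipaddress
import re

# Constructed sample modelled on the `setkey -PD` dump quoted above (placeholder endpoints kept).
SPD_DUMP = """\
10.29.1.0/24[any] 10.29.1.19[any] any
       in none
       spid=55 seq=3 pid=30386
       refcnt=1
10.29.11.0/24[any] 10.29.1.0/24[any] any
       in ipsec
       esp/tunnel/y.y.y.155-x.x.x.106/unique#16426
       spid=58 seq=2 pid=30386
       refcnt=1
10.29.1.19[any] 10.29.1.0/24[any] any
       out none
       spid=56 seq=1 pid=30386
       refcnt=1
10.29.1.0/24[any] 10.29.11.0/24[any] any
       out ipsec
       esp/tunnel/x.x.x.106-y.y.y.155/unique#16425
       spid=57 seq=0 pid=30386
       refcnt=1
"""
# Policy header: "<src>[<port>] <dst>[<port>] <proto>"; the detail lines below it are indented.
HEADER = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")

def parse_spd(text):
    """Parse a setkey -PD dump into dicts: src/dst networks, direction and action."""
    policies, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        parts = line.split()
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                   "dst": ipaddress.ip_network(m.group(3), strict=False)}
            policies.append(cur)
        elif cur is not None and parts and parts[0] in ("in", "out"):
            cur["dir"], cur["action"] = parts[0], parts[1]  # e.g. "out ipsec"
    return policies

def lookup(policies, src_ip, dst_ip, direction):
    """Action ('ipsec'/'none') of the first policy matching the flow; 'none' when nothing
    matches, i.e. the packet follows the routing table / NAT. Sample policies don't overlap."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.get("dir") == direction and s in p["src"] and d in p["dst"]:
            return p["action"]
    return "none"
```

If a LAN client flow resolves to `ipsec` here but never increments the `current: ...(bytes)` counters in `setkey -D`, the SPD is not the problem and the packet is being NATed or routed before the policy check.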