Evgeny Yurchenko wrote:
Chris Buechler wrote:
On Tue, Sep 22, 2009 at 11:10 PM, Evgeny Yurchenko <evg.yu...@rogers.com> wrote:
I cannot ping 10.29.11.1 or 10.29.11.2 from any host connected to LAN
pfSense1. Traffic does not go over IPSec but is instead NATed and goes to
the Internet.
On WAN (ng0):
20:29:13.951253 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6706, length 40
20:29:19.451065 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 6962, length 40
20:29:24.950912 IP x.x.x.106 > 10.29.11.1: ICMP echo request, id 1781, seq 7218, length 40

Can anybody explain this?

If it's initiated from the firewall, and initiated from a source IP
that's part of the IPsec connection, it will traverse the IPsec. If
you don't tell it where to initiate, and you don't have the static
route described in the aforementioned FAQ, it will follow the system
routing table which generally means it won't go over IPsec.

I totally understand it and agree, but my purpose is to allow hosts from one subnet to reach another (remote) subnet, and this does not work. This trace is for the case when traffic is initiated by PC 10.29.1.34 (connected to LAN pfSense1). I mentioned "traffic initiated from the firewall" only to demonstrate that the IPSec tunnel is up and running.
Eugene

Interesting update. A host connected to LAN pfSense1 continuously pings the LAN interface of pfSense2. Traffic is supposed to go over the IPSec tunnel.

LAN pfSense1:# tcpdump -ni fxp0 -n net 10.29.11.0/24
17:10:07.604717 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 8276, length 40
17:10:09.104694 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 8532, length 40
17:10:10.604652 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 8788, length 40
17:10:12.104580 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9044, length 40
17:10:13.604540 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9300, length 40
17:10:15.104483 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9556, length 40
17:10:16.604445 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 9812, length 40
17:10:18.104359 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10068, length 40
17:10:19.604352 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10324, length 40
17:10:21.104285 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10580, length 40
17:10:22.604232 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 10836, length 40
17:10:24.104175 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11092, length 40
17:10:25.604131 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11348, length 40
17:10:27.104047 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11604, length 40
17:10:28.603996 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 11860, length 40
17:10:30.103990 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 12116, length 40
17:10:31.603892 IP 10.29.1.34 > 10.29.11.1: ICMP echo request, id 1024, seq 12372, length 40
^C
20 packets captured
2001 packets received by filter
0 packets dropped by kernel

********IPSec is totally disabled on pfSense1**********
WAN pfSense1: # tcpdump -ni ng0 host y.y.y.155 or net 10.29.11.0/24
17:10:07.604813 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8276, length 40
17:10:09.104899 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8532, length 40
17:10:10.604888 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8788, length 40
******** Enable IPSec on pfSense1 *********
17:10:12.363997 IP x.x.x.206.106.500 > 38.104.156.155.500: isakmp: phase 1 I agg
17:10:12.689959 IP 38.104.156.155.500 > x.x.x.206.106.500: isakmp: phase 1 R agg
17:10:12.759339 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 1 I agg
17:10:12.760546 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 2/others I inf[E]
17:10:13.796275 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 2/others I oakley-quick[E]
17:10:14.010480 IP y.y.y.155.500 > x.x.x.206.106.500: isakmp: phase 2/others R oakley-quick[E]
17:10:14.012456 IP x.x.x.206.106.500 > y.y.y.155.500: isakmp: phase 2/others I oakley-quick[E]
17:10:15.105113 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x1), length 92
17:10:16.604921 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x2), length 92
17:10:18.104787 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x3), length 92
17:10:19.604818 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x4), length 92
17:10:21.104759 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x5), length 92
17:10:22.604735 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x6), length 92
17:10:24.104578 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x7), length 92
17:10:25.604655 IP x.x.x.206.106 > y.y.y.155: ESP(spi=0x0d9554c6,seq=0x8), length 92
17:10:27.104167 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 11604, length 40
17:10:28.604095 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 11860, length 40
17:10:30.104132 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 12116, length 40
17:10:31.603986 IP x.x.x.206.106 > 10.29.11.1: ICMP echo request, id 54116, seq 12372, length 40

You see? After I enable IPSec and the tunnel comes up, 8 ICMP packets go over this tunnel and then it switches back to normal routing.
????
Thanks!
Eugene
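The WAN-side capture in this message can be checked mechanically rather than by eye: any packet whose destination is inside the remote IPsec subnet but which leaves the WAN interface outside ESP is a leak of tunnel traffic to the path the system routing table picked. The script below is an added example, not code from the thread or from pfSense; the sample capture is constructed from the lines above, with the documentation addresses 192.0.2.106 and 198.51.100.155 standing in for the x.x.x.106 and y.y.y.155 endpoints.

```python
import ipaddress
import re

# Constructed WAN-side tcpdump sample modelled on the thread's capture;
# 192.0.2.106 / 198.51.100.155 stand in for the x.x.x.106 / y.y.y.155 endpoints.
WAN_CAPTURE = """\
17:10:07.604813 IP 192.0.2.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8276, length 40
17:10:09.104899 IP 192.0.2.106 > 10.29.11.1: ICMP echo request, id 54116, seq 8532, length 40
17:10:12.363997 IP 192.0.2.106.500 > 198.51.100.155.500: isakmp: phase 1 I agg
17:10:15.105113 IP 192.0.2.106 > 198.51.100.155: ESP(spi=0x0d9554c6,seq=0x1), length 92
17:10:16.604921 IP 192.0.2.106 > 198.51.100.155: ESP(spi=0x0d9554c6,seq=0x2), length 92
17:10:27.104167 IP 192.0.2.106 > 10.29.11.1: ICMP echo request, id 54116, seq 11604, length 40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")

def classify(line, protected_net):
    """Return (ts, kind) with kind 'esp', 'isakmp', 'leak' or 'other';
    'leak' = inner-subnet destination that left the WAN outside ESP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    if rest.startswith("ESP("):
        return m["ts"], "esp"
    if rest.startswith("isakmp"):
        return m["ts"], "isakmp"
    # tcpdump writes 'a.b.c.d.port' for UDP/TCP; drop a fifth dotted component
    dst = m["dst"] if m["dst"].count(".") == 3 else m["dst"].rsplit(".", 1)[0]
    inside = ipaddress.ip_address(dst) in ipaddress.ip_network(protected_net)
    return m["ts"], "leak" if inside else "other"

def tunnel_timeline(capture, protected_net):
    """Collapse the capture into runs of (kind, count, first_timestamp).
    [leak, isakmp, esp, leak] is the thread's symptom: the tunnel carries a
    few packets, then traffic falls back to the system routing table."""
    runs = []
    for line in capture.splitlines():
        parsed = classify(line, protected_net)
        if parsed is None:
            continue
        ts, kind = parsed
        if runs and runs[-1][0] == kind:
            runs[-1][1] += 1
        else:
            runs.append([kind, 1, ts])
    return [tuple(r) for r in runs]

def leaked_count(capture, protected_net):
    """Number of packets to the protected subnet that left in the clear."""
    return sum(n for kind, n, _ in tunnel_timeline(capture, protected_net) if kind == "leak")
```

Run it against a real `tcpdump -ni ng0 -n` capture (one packet per line) and a non-empty leak count after the ESP run is the fallback-to-routing behaviour described above, which is the thing to fix before trusting the tunnel with anything sensitive.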

---------------------------------------------------------------------
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
