Bug #3016

closed

IPsec client (or branch office) can't access the Internet over the VPN gateway

Added by Serguei Leontiev over 8 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 06/01/2013
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture:
Description

Branch office tunnel:
Mode: tunnel
Local Subnet: LAN
Remote Subnet: 0.0.0.0/0
root(1): cat /var/etc/ipsec/spd.conf
spdadd -4 192.168.71.83/32 192.168.68.0/22 any -P out none;
spdadd -4 192.168.68.0/22 192.168.71.83/32 any -P in none;
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
spdadd -4 0.0.0.0/0 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 0.0.0.0/0 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;

Main office
Mode: tunnel
Local Subnet: LAN
Remote Subnet: 0.0.0.0/0
: cat /var/etc/ipsec/spd.conf
spdadd -4 192.168.71.83/32 192.168.68.0/22 any -P out none;
spdadd -4 192.168.68.0/22 192.168.71.83/32 any -P in none;
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;

The tunnel used to access the Internet through the main office disappears without any messages in /var/log/system.log.

The problem was probably introduced by the fix for issue #2201 <http://redmine.pfsense.org/issues/2201>

or by the incomplete commit <https://github.com/pfsense/pfsense/commit/2c6de2ea27e40dece742079389615211c66075ed>

Workaround:
Instead of one tunnel for 0.0.0.0/0, use two tunnels, 0.0.0.0/1 and 128.0.0.0/1.
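
As an added example (not part of the bug report and not pfSense's own code), the following Python script parses the two spd.conf listings quoted above, pairs each `out` policy with its `in` counterpart, reports which tunnel pair is present in one listing but missing from the other, and uses the standard `ipaddress` module to confirm that the workaround prefixes 0.0.0.0/1 and 128.0.0.0/1 merge to exactly the address space of 0.0.0.0/0. The regex assumes the exact `setkey` spdadd line shape shown in the report; the sample input is constructed from the report's listings.

```python
import ipaddress
import re

# Constructed sample input: the spd.conf listing from the report that still
# carries the 0.0.0.0/0 tunnel policies (the last two lines).
SPD_WITH_DEFAULT = """\
spdadd -4 192.168.71.83/32 192.168.68.0/22 any -P out none;
spdadd -4 192.168.68.0/22 192.168.71.83/32 any -P in none;
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
spdadd -4 0.0.0.0/0 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 0.0.0.0/0 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;
"""

# The second listing from the report: identical, but the 0.0.0.0/0 pair is gone.
SPD_WITHOUT_DEFAULT = "\n".join(SPD_WITH_DEFAULT.splitlines()[:4]) + "\n"

# Assumes the exact spdadd line shape pfSense writes, as quoted in the report.
SPD_RE = re.compile(
    r"^spdadd -4 (?P<src>\S+) (?P<dst>\S+) any -P (?P<dir>in|out) (?P<policy>.+);$"
)


def parse_spd(text):
    """Return a list of (src, dst, direction, policy) tuples, one per spdadd line."""
    entries = []
    for line in text.splitlines():
        m = SPD_RE.match(line.strip())
        if m:
            entries.append((m["src"], m["dst"], m["dir"], m["policy"]))
    return entries


def tunnels(entries):
    """Group ipsec policies by (local, remote) subnet pair and record which
    directions exist. For 'out' the src is local; for 'in' the dst is local.
    Bypass ('none') policies are not tunnels and are skipped."""
    pairs = {}
    for src, dst, direction, policy in entries:
        if not policy.startswith("ipsec"):
            continue
        key = (src, dst) if direction == "out" else (dst, src)
        pairs.setdefault(key, set()).add(direction)
    return pairs


def unpaired_tunnels(text):
    """Tunnel pairs that have an out policy without the matching in, or vice versa."""
    return sorted(k for k, dirs in tunnels(parse_spd(text)).items() if dirs != {"in", "out"})


def missing_tunnels(reference_text, actual_text):
    """Tunnel pairs present in the reference listing but absent from the actual one."""
    return set(tunnels(parse_spd(reference_text))) - set(tunnels(parse_spd(actual_text)))


def has_default_route_tunnel(text):
    """True if some ipsec tunnel policy carries 0.0.0.0/0 on either side."""
    return any("0.0.0.0/0" in pair for pair in tunnels(parse_spd(text)))


def covers_default_route(prefixes):
    """True if the prefixes, merged, are exactly 0.0.0.0/0. This is why the
    0.0.0.0/1 + 128.0.0.0/1 workaround routes the same traffic as one 0.0.0.0/0 tunnel."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    print("unpaired in reference:", unpaired_tunnels(SPD_WITH_DEFAULT))
    print("missing from second listing:", missing_tunnels(SPD_WITH_DEFAULT, SPD_WITHOUT_DEFAULT))
    print("default-route tunnel present:", has_default_route_tunnel(SPD_WITHOUT_DEFAULT))
    print("workaround covers 0.0.0.0/0:", covers_default_route(["0.0.0.0/1", "128.0.0.0/1"]))
```

Run against a live box as `python3 check_spd.py` after pasting in `cat /var/etc/ipsec/spd.conf` output, or feed two snapshots taken before and after a phase 2 reload to `missing_tunnels` to see exactly which policy pair the reload dropped.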


Files

branch-inet.diff (456 Bytes) branch-inet.diff Serguei Leontiev, 06/01/2013 07:26 AM
Actions #1

Updated by Serguei Leontiev over 8 years ago

Don't delete the tunnel for the main office.

Actions #2

Updated by Serguei Leontiev over 8 years ago

Sorry:

Main office
Mode: tunnel
Local Subnet: 0.0.0.0/0
Remote Subnet: BRANCH-LAN
: cat /var/etc/ipsec/spd.conf
spdadd -4 192.168.71.83/32 192.168.68.0/22 any -P out none;
spdadd -4 192.168.68.0/22 192.168.71.83/32 any -P in none;
spdadd -4 192.168.68.0/22 192.168.71.144/28 any -P out ipsec esp/tunnel/154.137.18.1-154.137.18.2/unique;
spdadd -4 192.168.71.144/28 192.168.68.0/22 any -P in ipsec esp/tunnel/154.137.18.2-154.137.18.1/unique;

Actions #3

Updated by Renato Botelho over 8 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #5

Updated by Serguei Leontiev over 8 years ago

The fix looks and works correctly.

2.1-RC0 (amd64)
built on Tue Jun 4 20:54:59 EDT 2013

FreeBSD 8.3-RELEASE-p8

Actions #6

Updated by Chris Buechler over 8 years ago

  • Category set to IPsec
  • Status changed from Feedback to Resolved
  • Affected Version set to 2.1