LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 01-31-2014, 11:16 AM   #1
Paladax
LQ Newbie
Registered: Apr 2012
Posts: 4

Pfsense Fibre Ipsec tunnel issue


Hi there,

We have recently started converting some of our sites onto fibre connections as they become available in our areas. So far we have done 2 separate sites, and on both sites I am experiencing the same issue.

On our normal setups our Pfsense boxes are connected to a router that connects out. The router takes one of our public IP addresses, and one Ethernet card on the Pfsense box takes the second (the Red interface).
We then have 2 more Ethernet cards on the Pfsense (one for the local LAN, one for the untrusted LAN). On the Pfsense box we have set up a phase 1 IPsec tunnel and then 3 phase 2 tunnels: one for the local LAN, one for the untrusted LAN, and one to allow external contractors to remote into the untrusted LAN.

That's all been fine in the past; however, now that we are on fibre, that Red tunnel does not come online. The other 2 come up fine, but not the one for external support.

This is the same whether I use a router or plug the Pfsense box directly into the modem and let Pfsense make the PPPoE connection.

Any ideas why this might be?

There are no traffic shapers in play, nothing that I can see that would stop it. And if I plug it back into an ADSL connection it then works fine.

The tunnels are using

P2 Protocol:     ESP
P2 Transforms:   AES (auto), 3DES
P2 Auth Methods: SHA1


But I have tried them using AH for the P2 protocol as well, same result.


Also, we had another site go onto fibre recently, and when it went online all 3 of its IPsec tunnels were up and well.

I compared it side by side with another site that only had 2/3 tunnels up, and as far as I could tell they were identical, apart from the fact that one of its redundant IPsec tunnels (used for failover in the past but since redundant), which is disabled, had SHA1 and MD5 as authentication methods, and on the receiving end of the IPsec the exchange was set to Automatic.
I tried replicating that since on the 2/3 firewall but still the same result.

Now, even stranger. After about a week or 2 of those 3 tunnels being up it has now only got 2/3 tunnels up itself!

Anybody got any suggestions on this strangeness?

Oh, and I have tried this on 2.1-RELEASE (i386) as well as 2.0-BETA5 (i386).
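Added example, not from the thread and not pfSense's own tooling: a small Python script that normalises each phase 2 entry from two pfSense-style config fragments and reports which fields differ, i.e. the side-by-side comparison the poster did by hand. The XML element names are an assumption modelled on the shape of a pfSense config.xml `<ipsec>` section, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample config fragments. The element names follow the shape of a
# pfSense config.xml <ipsec> section as an assumption; the values are made up.
SITE_UP = """<ipsec>
  <phase2><descr>local lan</descr><protocol>esp</protocol>
    <encryption-algorithm-option><name>aes</name><keylen>auto</keylen></encryption-algorithm-option>
    <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option></phase2>
  <phase2><descr>external support</descr><protocol>esp</protocol>
    <encryption-algorithm-option><name>aes</name><keylen>auto</keylen></encryption-algorithm-option>
    <encryption-algorithm-option><name>3des</name></encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <hash-algorithm-option>hmac_md5</hash-algorithm-option></phase2>
</ipsec>"""
# Constructed "other site": the external-support P2 lost MD5 and uses AH.
SITE_DOWN = SITE_UP.replace(
    "<hash-algorithm-option>hmac_md5</hash-algorithm-option>", "").replace(
    "<descr>external support</descr><protocol>esp</protocol>",
    "<descr>external support</descr><protocol>ah</protocol>")


def phase2_summary(xml_text):
    """Map each phase 2 description to a normalised dict of its settings."""
    root = ET.fromstring(xml_text)
    out = {}
    for p2 in root.findall("phase2"):
        encs = sorted((e.findtext("name", ""), e.findtext("keylen", ""))
                      for e in p2.findall("encryption-algorithm-option"))
        hashes = sorted(h.text or "" for h in p2.findall("hash-algorithm-option"))
        out[p2.findtext("descr", "")] = {
            "protocol": p2.findtext("protocol", ""),
            "encryption": tuple(encs),   # order-independent comparison
            "hash": tuple(hashes),
            "disabled": p2.find("disabled") is not None,
        }
    return out


def diff_phase2(a_xml, b_xml):
    """Return {descr: {field: (a_value, b_value)}} for every field that differs."""
    a, b = phase2_summary(a_xml), phase2_summary(b_xml)
    diffs = {}
    for descr in sorted(set(a) | set(b)):
        if descr not in a or descr not in b:
            diffs[descr] = {"present": (descr in a, descr in b)}
            continue
        changed = {k: (a[descr][k], b[descr][k])
                   for k in a[descr] if a[descr][k] != b[descr][k]}
        if changed:
            diffs[descr] = changed
    return diffs
```

Running `diff_phase2(SITE_UP, SITE_DOWN)` flags only the external-support entry, which is the kind of single-P2 discrepancy worth checking before suspecting the fibre link itself.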
 
Old 02-03-2014, 08:03 AM   #2
pingwinowiewc
Member
 
Registered: Feb 2014
Location: Europe
Distribution: Debian, Mint, Arch (multiboot)
Posts: 90

Rep: Reputation: Disabled
Two cable-wired tunnels will render errors whenever the signal crosses in whatever direction... this is due to interoperational logic that's implemented into STP/DST hardware...
In your case, try to separate both tunnels by assigning different IP+netmasks to each physical interface on your ST/DST hardware.

This should work abstroningly...