Page 1 of 2 12 LastLast
Results 1 to 10 of 14
  1. #1
    Untangler
    Join Date
    Nov 2010
    Posts
    85

IPSec pfSense - One Way Traffic

I have already spoken to Untangle support at length. I have reloaded my entire server and, sitting at the base install in trial mode before moving over the subscription and everything, the IPsec module will connect to pfSense and ping both ways. Once I import my backup configuration file the server is unable to ping and get out from Untangle to pfSense. pfSense to Untangle works fine, but it does not work going the other way. I have checked Packet Filter to see if anything might block the connection.

At this stage support has advised me to attempt to manually reload each setting from scratch, and test the connection along the way, with the theory that the backup file might be corrupt going from version to version over the years.

As this is our main company firewall, and I have users on the system all the time, I am unable to do this during normal operational hours. My plan is to try this approach when time permits. However, it would be helpful if someone in the forums can provide any suggestions on an Untangle configuration setting that might be causing the Untangle system not to be able to communicate to a pfSense box, but lets a pfSense box communicate to an Untangle server.

    I am running Premium Package on 9.2.1. Thank You.

  2. #2
    Untangler
    Join Date
    Nov 2010
    Posts
    85

Logs so far

I am getting these messages:

    ignoring Vendor ID payload [FRAGMENTATION 80000000]
    received Vendor ID payload [Dead Peer Detection]
    initial Main Mode message received on ExternalIPaddress:500 but no connection has been authorized with policy=PSK

    I have tried dropping the MTU setting to fix the Fragmentation issue. Is there anything that anyone can suggest?
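The three lines quoted in this post are Openswan/pluto IKEv1 negotiation messages. The small triage script below is an added example written for this thread, not code from the original post or from Untangle; it maps each pluto line to a severity and the check a defender would make next. The message wording is the pluto format shown above; the severities and hints are this example's own interpretation, and the `packet from <peer>:500:` prefix and peer addresses in the sample log are constructed.

```python
"""Triage helper for Openswan/pluto IKEv1 log lines (added example)."""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    severity: str                                # "info", "warn" or "error"
    line: str                                    # the raw log line
    hint: str                                    # what to check next
    details: dict = field(default_factory=dict)  # fields captured from the line


# Patterns keyed on the pluto phrasing quoted in the post. search() is used so
# any prefix pluto adds ("packet from A.B.C.D:500:", a conn name) is tolerated.
_NO_CONN = re.compile(
    r"initial (?P<mode>Main|Aggressive) Mode message received on "
    r"(?P<addr>[^\s:]+):(?P<port>\d+) but no connection has been authorized"
    r"(?: with policy=(?P<policy>\S+))?"
)
_IGNORED_VID = re.compile(r"ignoring Vendor ID payload \[(?P<vid>[^\]]+)\]")
_RECEIVED_VID = re.compile(r"received Vendor ID payload \[(?P<vid>[^\]]+)\]")


def classify(line: str) -> Finding:
    """Map one pluto log line to a severity plus a defender-side hint."""
    m = _NO_CONN.search(line)
    if m:
        d = m.groupdict()
        return Finding(
            "error", line,
            "no configured tunnel matches this peer for "
            f"policy={d.get('policy') or 'unknown'}: compare the peer's address/ID "
            "and authentication method with the local connection definition",
            d,
        )
    m = _IGNORED_VID.search(line)
    if m:
        vid = m.group("vid")
        hint = "capability advertisement the local daemon does not negotiate; informational"
        if vid.startswith("FRAGMENTATION"):
            # IKE fragmentation support being advertised by the peer, not a
            # dropped or fragmented packet; changing the interface MTU does not
            # alter this message.
            hint += " (IKE fragmentation support, unrelated to MTU)"
        return Finding("info", line, hint, {"vid": vid})
    m = _RECEIVED_VID.search(line)
    if m:
        return Finding("info", line, "peer capability recognised; informational",
                       {"vid": m.group("vid")})
    return Finding("warn", line, "unrecognised message; review manually", {})


def triage(lines):
    """Classify every non-empty line of a log excerpt."""
    return [classify(line) for line in lines if line.strip()]


def summary(findings):
    """Count findings per severity so the error line stands out."""
    counts = {"info": 0, "warn": 0, "error": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: the three lines quoted in the post, with the
# "packet from <peer>:500:" prefix pluto normally prepends. Addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = [
    "packet from 203.0.113.10:500: ignoring Vendor ID payload [FRAGMENTATION 80000000]",
    "packet from 203.0.113.10:500: received Vendor ID payload [Dead Peer Detection]",
    "packet from 203.0.113.10:500: initial Main Mode message received on "
    "198.51.100.1:500 but no connection has been authorized with policy=PSK",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.hint}")
    print(summary(triage(SAMPLE_LOG)))
```

Run against the sample, the two Vendor ID lines come out as informational and only the "no connection has been authorized with policy=PSK" line is flagged as an error, which is the line worth chasing: it means the inbound Main Mode proposal from that peer matched no locally configured connection, so the peer address, identity or authentication method in the local tunnel definition is where to compare against the other side.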

  3. #3
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,040


    If full communication is working from one side but not from the other, then the tunnel is up but you most likely have a firewall issue on the side that communication is working from.

    If you can make connections from one location to the other, then clearly packets are being correctly forwarded through the tunnel *and returned* in the tunnel.

    It sounds like the pfSense box is denying packets coming in over the IPsec tunnel that didn't originate with it. I'd check your firewall settings on the pfSense.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangler
    Join Date
    Nov 2010
    Posts
    85

pfSense firewall

What is interesting is that doing a clean 9.2.1 install the communication worked for a brief time. When I loaded in my backup configuration settings for the Untangle server, the tunnel stopped being able to ping from my side to the pfSense box. So if the communication works after a clean default installation of Untangle, wouldn't that mean that the pfSense box is configured correctly?

  5. #5
    Untangle Ninja mrunkel's Avatar
    Join Date
    Jul 2008
    Posts
    3,040


    Quote Originally Posted by techuser View Post
    What is interesting is that doing a clean 9.2.1 install the communication worked for a brief time. When I loaded in my backup configuration settings for the Untangle server, the tunnel stopped being able to ping from my side to the pfSense box. So if the communication works after a clean default installation of Untangle, wouldn't that mean that the pfSense box is configured correctly?
    That does. So now you need to figure out what you changed in your settings to make it stop working.
    m.


    Big Frickin Disclaimer:
    While I'm pretty sure, I can't guarantee that I know what I'm doing. There might be a better way to do this, and this way might actually suck. Make sure you understand the implications of what you're doing before trying to follow these directions.

    It often helps troubleshooting if you have a good network map. Look here if you want my advice on how to draw one.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Or just start with a clean install, since there is no way to reset the network settings to default and the issue is almost certainly in there (likely packet filter but could be anything).
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  7. #7
    Untangler
    Join Date
    Nov 2010
    Posts
    85

Settings

Which is basically what I was trying to get assistance on. As it stands right now, I'm looking at manually reloading the box and inputting every setting pretty much one by one while doing a continuous ping. I can try to use the Import function, but I've been advised by support that they suspect there is something corrupted in the configuration backup files that get saved out from version to version. So if I really want to find the culprit, it sounds like I will have to manually re-create each setting while performing a continuous ping on the server. I was hoping that someone on the forum might say "check these settings, which can stop IPsec from working". As I understand it, IPsec bypasses everything, and there are no settings that should be stopping it from working.

  8. #8
    Untangler
    Join Date
    Nov 2010
    Posts
    85

Disabled packet filters

I have tried disabling all of the packet filters, and no dice. Also, support said that the IPsec module completely bypasses the packet filters.

  9. #9
    some dude hlarsen's Avatar
    Join Date
    Jul 2010
    Location
    sfba
    Posts
    1,385

  10. #10
    Untangler
    Join Date
    Nov 2010
    Posts
    85


Okay, so if it bypasses the rack, then the only other thing could be the packet filter?
