OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: trantorvega on November 06, 2017, 12:02:56 pm

Title: Traffic inexplicably not going through IPSEC despite matching SPs
Post by: trantorvega on November 06, 2017, 12:02:56 pm
Hello people.

Let me just say first that the problem I am having is with a recent version of pfSense, which of course is not the product discussed here. I have posted on that forum as well, but since I believe this to be an underlying issue I would like to understand whether it has been addressed by the OPNsense people instead. We are considering a migration, even though it's still only a thought at this point.
Feel free to pelt me with stones or to move the thread elsewhere should that be appropriate.  ;)

So, for the details:

I am running a pfSense 2.4.0 twin installation with CARP between the two appliances.
I have been able to successfully establish a transport mode IPSEC connection, using a CARP VIP, between the pfSense installation and an external Linux machine, both using strongSwan to handle the negotiation.
On top of the IPSEC connection I am running a GRE tunnel between the two endpoints.

One problem I've encountered is that I had to forcefully disable stateful inspection on the packets going through the gre0 interface, otherwise after a few tens of seconds packets started getting dropped by the default rules on pfSense, stalling and terminating connections.
That behaviour didn't arise if the GRE tunnel was established without an IPSEC layer underneath.
Something at least related to this issue here https://redmine.pfsense.org/issues/4479 (https://redmine.pfsense.org/issues/4479) I think.

Anyway that is not what's still bugging me.
Something else is quite strange.

Let's say that my CARP VIP, the pfSense endpoint of the transport mode IPSEC "tunnel", is 1.1.1.1, and the other endpoint is 2.2.2.2 .
So basically on my pfSense I have a security policy directing the traffic from 1.1.1.1 to 2.2.2.2 through IPSEC (the actual traffic is UDP-encapsulated, btw).
But if I try and ping 2.2.2.2 from a client behind my pfSense installation (ICMP traffic thus going through outbound NAT and exiting the firewall with 1.1.1.1 as source address), this traffic does not go through IPSEC, as a traffic capture on the outside interface shows me.
The machine on the other side tries to send answer packets through IPSEC instead (I think).

So basically, ICMP traffic for 2.2.2.2 going through outbound NAT translating the source address to 1.1.1.1 doesn't go through IPSEC encapsulation even though, from what I understand, it should match the SP with those exact source and destination addresses.

I've read somewhere about a FreeBSD/strongSwan problem related to performing NAT before IPSEC encapsulation but I am not sure whether it's relevant to my case or if it's out-of-date information.
I've tried to understand/debug the flow but I haven't found anything to help me sort out this situation.
On top of that I've found no decent way to trace the flow of the packets involved through the networking stack, although I will admit that I work mostly on Linux platforms and my knowledge of FreeBSD pales in comparison.
Can anyone help me understand this?

Thanks,
Fulvio
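The symptom described in the post above (an SP for 1.1.1.1 -> 2.2.2.2 exists, yet NATed ICMP with that exact source leaves in clear) comes down to the order in which the kernel consults the SPD relative to outbound NAT. The following is an added example, not code from the original post or from pfSense/OPNsense: it parses a constructed `setkey -DP`-style SPD dump and simulates an SPD lookup for a packet from a LAN client. It assumes, as the usual explanation of the "NAT before IPsec" problem, that on FreeBSD the IPsec policy lookup in `ip_output()` runs before the pfil hook where pf applies outbound NAT, so the lookup sees the pre-NAT source address. The addresses, the SPD dump, and the helper names (`parse_spd`, `lookup`, `outbound_path`) are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed SPD dump in the format printed by `setkey -DP` on FreeBSD.
# These are example policies for the transport-mode setup in the post,
# not a dump taken from the poster's firewall.
SPD_DUMP = """\
1.1.1.1[any] 2.2.2.2[any] any
    out ipsec
    esp/transport//require
    spid=1 seq=1 pid=100
    refcnt=1
2.2.2.2[any] 1.1.1.1[any] any
    in ipsec
    esp/transport//require
    spid=2 seq=0 pid=100
    refcnt=1
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    src_port: str
    dst: ipaddress.IPv4Network
    dst_port: str
    proto: str            # "any" or a protocol name as printed by setkey
    direction: str = ""   # in / out / fwd
    action: str = ""      # ipsec / discard / none
    proposal: str = ""    # e.g. esp/transport//require
    spid: int = 0


def _parse_endpoint(tok):
    # "1.1.1.1[any]" or "10.0.0.0/8[500]" -> (network, port string)
    addr, _, port = tok.partition("[")
    return ipaddress.ip_network(addr, strict=False), port.rstrip("]")


def parse_spd(text):
    """Parse a setkey -DP style dump into Policy entries."""
    policies, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Header line: "<src>[port] <dst>[port] <proto>"
            src_tok, dst_tok, proto = line.split()
            src, sport = _parse_endpoint(src_tok)
            dst, dport = _parse_endpoint(dst_tok)
            cur = Policy(src, sport, dst, dport, proto)
            policies.append(cur)
            continue
        f = line.split()
        if f[0] in ("in", "out", "fwd") and len(f) == 2:
            cur.direction, cur.action = f
        elif f[0].startswith("spid="):
            cur.spid = int(f[0].split("=", 1)[1])
        elif "/" in f[0] and cur.action == "ipsec":
            cur.proposal = f[0]
    return policies


def lookup(policies, src, dst, proto, direction="out"):
    """First SPD entry matching (src, dst, proto) in the given direction, or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.direction != direction:
            continue
        if s not in p.src or d not in p.dst:
            continue
        if p.proto not in ("any", proto):
            continue
        return p
    return None


def outbound_path(policies, src, dst, proto, nat_src=None, ipsec_before_nat=True):
    """Return (source address on the wire, matched policy or None).

    ipsec_before_nat=True models the assumed FreeBSD ip_output() ordering:
    the SPD is consulted with the packet's pre-NAT source, so a LAN client
    address never matches a policy written for the CARP VIP.
    """
    wire_src = nat_src or src
    probe_src = src if ipsec_before_nat else wire_src
    return wire_src, lookup(policies, probe_src, dst, proto)


POLICIES = parse_spd(SPD_DUMP)

if __name__ == "__main__":
    # Locally generated traffic from the VIP itself matches spid=1.
    print(lookup(POLICIES, "1.1.1.1", "2.2.2.2", "udp").spid)
    # NATed client traffic: leaves with 1.1.1.1 as source but no SP matched.
    print(outbound_path(POLICIES, "192.168.1.10", "2.2.2.2", "icmp", nat_src="1.1.1.1"))
    # The reply 2.2.2.2 -> 1.1.1.1 does match the inbound "require" policy.
    print(lookup(POLICIES, "2.2.2.2", "1.1.1.1", "icmp", direction="in").spid)
```

To confirm the ordering on a real box rather than in this model, dump the SPD with `setkey -DP` and run `tcpdump -ni <outside-if> host 2.2.2.2` while pinging from the client: plain ICMP leaving while only ESP comes back is the asymmetry this model predicts, and it is consistent with the reply side of the exchange described above going through IPsec while the request does not.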
Title: Re: Traffic inexplicably not going through IPSEC despite matching SPs
Post by: xinnan on November 06, 2017, 01:30:02 pm
You landed on an opnsense forum.  Did you try the pfsense forum?
You could stand up an opnsense instance and see if the problem persists?
The underlying BSD is different, so you may get better results.
Title: Re: Traffic inexplicably not going through IPSEC despite matching SPs
Post by: trantorvega on November 06, 2017, 02:34:56 pm
Hello xinnan.
I've posted on the pfSense forum as well, as I mentioned early on in the post above.
When you talk about a different underlying BSD, what do you mean? They should both be based upon FreeBSD 11. Are you talking about patches?
About the opnsense instance, I might be able to put one up, but I have a relatively complicated network infrastructure, so it could take time.
I've seen posts on the opnsense forums and github issues mentioning problems with NAT before IPSEC, so I was wondering whether my situation might be similar to those.
Title: Re: Traffic inexplicably not going through IPSEC despite matching SPs
Post by: xinnan on November 06, 2017, 02:39:18 pm
Which version of opnsense are you using?
Title: Re: Traffic inexplicably not going through IPSEC despite matching SPs
Post by: trantorvega on November 06, 2017, 02:43:58 pm
As I said, I don't have an opnsense instance running at the moment.
Title: Re: Traffic inexplicably not going through IPSEC despite matching SPs
Post by: xinnan on November 06, 2017, 02:51:25 pm
It's my error.  I was thinking my version of opnsense was still on BSD 10, but looking at my dashboards, you are right.

Versions   OPNsense 17.7.7_1-amd64
FreeBSD 11.0-RELEASE-p12
OpenSSL 1.0.2l 25 May 2017

2.4.1-RELEASE (amd64)
built on Sun Oct 22 17:26:33 CDT 2017
FreeBSD 11.1-RELEASE-p2

Not sure of the differences between 11.0-RELEASE-p12 and FreeBSD 11.1-RELEASE-p2

Maybe minor.