Unable to ping remote with IPSec

This is my ipsec.conf

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn g-to-h
        authby=secret
        left=%defaultroute
        leftid=<my_public_ip>
        leftsubnet=10.254.248.0/24
        right=<server_public_ip>
        rightsubnet=10.0.0.0/24
        ike=aes256-sha2_256-modp1024!
        esp=aes256-sha2_256!
        keyexchange=ikev2
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start
        ipsec-interface=yes

This is my ipsec.secrets

<my_public_ip> <server_public_ip> : PSK "key_here"
<server_public_ip> <my_public_ip> : PSK "key_here"

This is my ipsec statusall

Connections:
      g-to-h:  %any...<server_public_ip>  IKEv2, dpddelay=30s
      g-to-h:   local:  [<my_public_ip>] uses pre-shared key authentication
      g-to-h:   remote: [<server_public_ip>] uses pre-shared key authentication
      g-to-h:   child:  10.254.248.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=start
Security Associations (1 up, 0 connecting):
      g-to-h[1]: ESTABLISHED 11 minutes ago, <my_public_ip>[<my_public_ip>]...<server_public_ip>[<server_public_ip>]
      g-to-h[1]: IKEv2 SPIs: 71c6934db0651bd3_i* eed311ab74ffa18c_r, pre-shared key reauthentication in 34 minutes
      g-to-h[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      g-to-h{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c38c1905_i cce42a5c_o
      g-to-h{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 23352 bytes_o (278 pkts, 381s ago), rekeying in 7 hours
      g-to-h{1}:   10.254.248.0/24 === 10.0.0.0/24

/etc/config/firewall :

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq6 '0'
	list network 'lan'
	list network 'dlan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option masq6 '0'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network '4G'
	list masq_dest '!10.0.0.0/24'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISP-ISAKMP'
	option src 'wan'
	option src_port '500'
	option dest_port '500'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src '*'
	option dest_port '500 4500'
	list proto 'all'
	option name 'Allow-IPSec'
	option enabled '1'

config forwarding
	option src 'lan'
	option dest 'wan'

My goal is to be able to ping the range 10.0.0.0/24, but right now nothing happens. Any help would be appreciated.

Are you pinging from one lan host to another lan host?
Do the remote lan hosts allow ping from addresses outside of the local net?

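As an added diagnostic example (not from the post, nor strongSwan's or OpenWrt's own code), a small Python parser for the CHILD_SA lines of `ipsec statusall` that flags the pattern visible in the status output above: 0 bytes_i against 23352 bytes_o means the tunnel is established and our packets leave encrypted, but the remote side never sends anything back, which points at filtering or routing on the far end rather than at the local IKE/ESP setup. The sample status text is reconstructed from the post; the counters and SPIs are the ones shown there.

```python
import re

# Constructed sample: the "Security Associations" part of the post's `ipsec statusall`.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
      g-to-h[1]: ESTABLISHED 11 minutes ago, <my_public_ip>[<my_public_ip>]...<server_public_ip>[<server_public_ip>]
      g-to-h{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c38c1905_i cce42a5c_o
      g-to-h{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 23352 bytes_o (278 pkts, 381s ago), rekeying in 7 hours
      g-to-h{1}:   10.254.248.0/24 === 10.0.0.0/24
"""

# Matches the per-CHILD_SA counter line. strongSwan omits the "(N pkts, Ts ago)" part
# for a direction that has carried no traffic, so both groups are optional.
CHILD_RE = re.compile(
    r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bytes_i>\d+) bytes_i(?: \((?P<pkts_i>\d+) pkts(?:, \d+s ago)?\))?,\s+"
    r"(?P<bytes_o>\d+) bytes_o(?: \((?P<pkts_o>\d+) pkts(?:, \d+s ago)?\))?",
    re.M,
)


def parse_child_sas(status_text):
    """Return {(conn, id): {bytes_i, bytes_o, pkts_i, pkts_o}} for every installed CHILD_SA."""
    sas = {}
    for m in CHILD_RE.finditer(status_text):
        sas[(m["conn"], int(m["id"]))] = {
            "bytes_i": int(m["bytes_i"]),
            "bytes_o": int(m["bytes_o"]),
            "pkts_i": int(m["pkts_i"] or 0),
            "pkts_o": int(m["pkts_o"] or 0),
        }
    return sas


def diagnose(sa):
    """Classify one CHILD_SA's traffic pattern to narrow down where to look next."""
    i, o = sa["bytes_i"], sa["bytes_o"]
    if i == 0 and o == 0:
        return "idle"           # nothing enters the tunnel: check leftsubnet/rightsubnet and local routing
    if i == 0:
        return "outbound-only"  # we send, nothing returns: remote firewall/routing (the case in this thread)
    if o == 0:
        return "inbound-only"   # peer sends, we never reply: local forward/input rules on the tunnel
    return "bidirectional"      # SA carries traffic both ways; look at the hosts, not the tunnel


def summarize(status_text):
    """List (conn, id, verdict) for every CHILD_SA found in the status output."""
    return [(c, n, diagnose(sa)) for (c, n), sa in parse_child_sas(status_text).items()]
```

Run it against the live output with `summarize(subprocess.check_output(["ipsec", "statusall"], text=True))`; a verdict of "outbound-only" shortly after pinging is the signal to check the far side before touching the local configuration.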

Ah, that was easy: the OPNsense instance where I had my IPSec instance running was blocking all traffic. Thank you for your input!
