July 13, 2021
Question
Cannot connect between pfsense and forti
Hi, I'm trying to connect a pfSense and a FortiGate over IPsec. The tunnel is up, but from my network only the first ping is accepted and after that all communication fails; a few minutes later it is the same situation: the first ping goes through but everything fails after that.
Here is how the logs look when the first ping is successful:
id=20085 trace_id=21 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=1."
id=20085 trace_id=21 func=init_ip_session_common line=5814 msg="allocate a new session-00950e96"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.7.10 via ipsec_vpn"
id=20085 trace_id=21 func=fw_forward_handler line=777 msg="Allowed by Policy-35:"
id=20085 trace_id=21 func=ipsecdev_hard_start_xmit line=788 msg="enter IPsec interface-ipsec_vpn"
id=20085 trace_id=21 func=esp_output4 line=927 msg="IPsec encrypt/auth"
id=20085 trace_id=21 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"
id=20085 trace_id=22 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.7.10:25564->192.168.100.25:0) from ipsec_vpn. type=0, code=0, id=25564, seq=1."
id=20085 trace_id=22 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00950e96, reply direction"
id=20085 trace_id=22 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.100.25 via servers_vlan"
id=20085 trace_id=22 func=npu_handle_session44 line=1164 msg="Trying to offloading session from ipsec_vpn to servers_vlan, skb.npu_flag=00000000 ses.state=00010200 ses.npu_state=0x03000000"
id=20085 trace_id=22 func=fw_forward_dirty_handler line=399 msg="state=00010200, state2=00000000, npu_state=03000000"
id=20085 trace_id=23 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=2."
id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00950e96, original direction"
id=20085 trace_id=23 func=npu_handle_session44 line=1164 msg="Trying to offloading session from servers_vlan to ipsec_vpn, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x03000000"
id=20085 trace_id=23 func=ip_session_install_npu_session line=343 msg="npu session installation succeeded"
id=20085 trace_id=23 func=fw_forward_dirty_handler line=399 msg="state=00010200, state2=00000000, npu_state=03000400"
id=20085 trace_id=23 func=ipsecdev_hard_start_xmit line=788 msg="enter IPsec interface-ipsec_vpn"
id=20085 trace_id=23 func=esp_output4 line=927 msg="IPsec encrypt/auth"
id=20085 trace_id=23 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"
And my policies are the same, only with source and destination switched in the other one.

And my static route is
Destination: Subnet
192.168.7.0/255.255.255.0
Interface: ipsec_pfsense
Administrative Distance: 10
What am I doing wrong, or is there some config missing?
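The debug flow output above is the main evidence to work from, so as an added example (not the poster's or Fortinet's code) here is a small Python helper that parses lines in that format, groups them by trace_id and records the ingress interface, route decision, matching policy, egress interface and whether the session got installed on the NPU. The sample input is copied from the post (trace 21 and trace 23 only); the message wording it keys on is taken from those lines, and it is assumed to hold for other traces.

```python
import re
from collections import defaultdict

# Sample input: debug flow lines copied from the post above (trace 21 and trace 23 only).
SAMPLE = """\
id=20085 trace_id=21 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=1."
id=20085 trace_id=21 func=init_ip_session_common line=5814 msg="allocate a new session-00950e96"
id=20085 trace_id=21 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-192.168.7.10 via ipsec_vpn"
id=20085 trace_id=21 func=fw_forward_handler line=777 msg="Allowed by Policy-35:"
id=20085 trace_id=21 func=ipsecdev_hard_start_xmit line=788 msg="enter IPsec interface-ipsec_vpn"
id=20085 trace_id=21 func=esp_output4 line=927 msg="IPsec encrypt/auth"
id=20085 trace_id=21 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"
id=20085 trace_id=23 func=print_pkt_detail line=5644 msg="vd-root:0 received a packet(proto=1, 192.168.100.25:25564->192.168.7.10:2048) from servers_vlan. type=8, code=0, id=25564, seq=2."
id=20085 trace_id=23 func=resolve_ip_tuple_fast line=5724 msg="Find an existing session, id-00950e96, original direction"
id=20085 trace_id=23 func=ip_session_install_npu_session line=343 msg="npu session installation succeeded"
id=20085 trace_id=23 func=ipsec_output_finish line=618 msg="send to GATEWAY_WAN via intf-wan1"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
PKT_RE = re.compile(r'\(proto=(\d+), ([\d.]+):\d+->([\d.]+):\d+\) from (\S+)\.')

def parse_line(line):
    """Split one debug flow line into a dict; the quoted msg keeps its spaces."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize(text):
    """Group lines by trace_id and pull out the forwarding decisions that matter."""
    traces = defaultdict(lambda: {"funcs": [], "npu_offloaded": False})
    for line in text.splitlines():
        f = parse_line(line)
        t = traces[f["trace_id"]]
        msg = f.get("msg", "")
        t["funcs"].append(f["func"])
        m = PKT_RE.search(msg)
        if m:                                   # first line of a trace: the packet itself
            t["proto"], t["src"], t["dst"], t["in_if"] = m.groups()
        elif f["func"] == "vf_ip_route_input_common":
            t["out_if"] = msg.rsplit("via ", 1)[1]
        elif f["func"] == "fw_forward_handler":
            t["policy"] = msg.split("Policy-")[1].rstrip(":")
        elif f["func"] == "ip_session_install_npu_session" and "succeeded" in msg:
            t["npu_offloaded"] = True           # later packets go to hardware, not debug flow
        elif f["func"] == "ipsec_output_finish":
            t["egress_if"] = msg.rsplit("intf-", 1)[1]
    return dict(traces)

def offloaded_traces(text):
    """trace_ids whose session was pushed to the NPU before the trace ended."""
    return sorted(tid for tid, t in summarize(text).items() if t["npu_offloaded"])
```

Once a session is installed on the NPU, its later packets are handled in hardware and no longer show up in debug flow, so a trace list that ends in an offloaded session is expected to go quiet even when traffic is still flowing; comparing the in_if/out_if/policy fields of the two directions is the quickest way to spot an asymmetric path.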
