Hi,
I’m losing my mind and banging my head against the wall for the last XXX months. I have a failing IPSec connection which works (very) randomly.
When I first configured it, it worked for some time without problems - until I rebooted the server. After playing again with the configuration and FW rules, it started working again - until the next reboot.
I have two subnets (one VLAN on each router): 192.168.98.0/24 on router A and 192.168.99.0/24 on router B. The interesting thing is that the routers do not ping each other. But the situation is as follows:
when pinging from router A to B: the Tx counter is increasing (ipsec => active peers), but not a single packet is returned. On router B both the Tx and Rx counters are increasing.
when pinging from router B to A: the Tx counter is increasing, but there is no Rx on either side. So the packets don’t reach router A.
Tracert returns nothing usable - only timeouts. There is also nothing usable from netwatch (or I don’t know how to use it properly).
The configuration has been deleted and done again, from tutorials and from (proven) working configurations I use on two other networks. But there are two differences:
on side A there is a different internet provider from the one I’m used to working with.
side A has 6 static IP addresses and one dynamic (modem). The modem is configured in bridged mode so there is no NAT traversal.
a) Keep banging your head and hope for the best.
b) Post some actually useful info that someone can work with. Exported configs from both routers and a description of things that may not be apparent often lead to success. Known facts so far are only that you have some unknown config and that there seems to be some problem delivering encrypted packets from B to A. I think you may agree that it’s not much.
Hi,
I’ve forgotten a little about this post … but (hopefully) found a solution - now it is working as it should. The problem was that I am using a virtual IP address for IPSec.
Router A has 4 (5) IP addresses:
10.0.0.1 (A_IP1)
10.0.0.2 (A_IP2) - the address I use for IPSec traffic
10.0.0.3 (A_IP3)
10.0.0.4 (A_IP4)
and
20.0.0.1 (WAN interface IP - WANIP_A)
Router B has one IP address, 30.0.0.1 - WANIP_B.
After using the packet sniffer, I found out the following when doing a traceroute from router A to the local subnet on the B site:
rx WANIP_A => WANIP_B
tx WANIP_B => A_IP2
rx WANIP_A => WANIP_B
tx WANIP_B => A_IP2
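Not part of the thread: a small script (my own, added here as an example) that checks a sniffer export for the local-address mismatch described above. It assumes the capture has been reduced to lines of the form `rx SRC => DST`; the names WANIP_A, A_IP2 and WANIP_B are the post's placeholders, and the sample lines are constructed.

```python
"""Flag an IPsec peer that replies to a local address we never send from."""
from collections import Counter

# Constructed sample, mirroring the sniffer output quoted in the post.
SNIFFER_LINES = """\
rx WANIP_A => WANIP_B
tx WANIP_B => A_IP2
rx WANIP_A => WANIP_B
tx WANIP_B => A_IP2
"""


def parse(lines):
    """Yield (direction, src, dst) tuples, skipping blank or malformed lines."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "=>":
            yield parts[0], parts[1], parts[3]


def address_mismatch(lines, peer):
    """Return (sent_from, replied_to) as sets of local addresses.

    sent_from:  local source addresses of packets going to the peer.
    replied_to: local destination addresses of packets coming from the peer.
    The direction label is ignored; the peer address decides which side a
    packet belongs to, so the check works whatever the sniffer calls rx/tx.
    """
    sent_from, replied_to = Counter(), Counter()
    for _, src, dst in parse(lines):
        if dst == peer:
            sent_from[src] += 1
        elif src == peer:
            replied_to[dst] += 1
    return set(sent_from), set(replied_to)


def diagnose(lines, peer):
    """Human-readable verdict: replies to an address we never sent from
    will not match the SA/policy state, which is the symptom in the post."""
    sent_from, replied_to = address_mismatch(lines, peer)
    stray = replied_to - sent_from
    if stray:
        return (f"peer {peer} replies to {sorted(stray)} but we send from "
                f"{sorted(sent_from)}: bind IPsec to one local address")
    return "local address consistent"


if __name__ == "__main__":
    print(diagnose(SNIFFER_LINES, "WANIP_B"))
```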