Community discussions

MikroTik App
just joined
Topic Author
Posts: 2
Joined: Sun May 11, 2014 12:22 am

IPSec broken on v7.1beta2 to pfSense latest

Sat Oct 24, 2020 6:23 pm

Hi there, I'm having a problem sending packets inside a IPSec VPN in a very weird way. Here's the thing:

- Mikrotik (RB4011iGS+) has WAN IP (no nat), LAN is
- pfSense has WAN IP (no nat). LAN is
- On Mikrotik, VPN tunnel policy is PH2 established (peer, identity, profile, proposal and policy look good, and firewall is accepting traffic from/to the other side LAN)
- On pfSense, VPN tunnel status shows as OK, too, and I've got a Firewall rule for IPSec traffic to be allowed no matter the protocol, source or destination.

...but no traffic is flowing, or better said: traffic in one direction (Mikrotik to pfSense) is never reaching its destination.

For my (most significant) tests, I tcpdump -i enc0 proto ICMP and start pinging form each side, and here comes the weird part:

When pinging from pfSense LAN to Mikrotik LAN (ping from a host at I get this tcpdump on the pfSense host:
So it looks like packets exiting from 30.16 are correctly put inside the tunnel and in fact reach their destination (see next image), but as you can see there's immediately an unexpected "IP12" response.

At (Mikrotik LAN side), packets are received, as tcpdump shows:
As you can see, the ping is correctly received (and replied!) at the host, and now is the turn of the Mikrotik to put these replies inside the tunnel and send them back to, but they get stuck at the pfSense side like they are perhaps malformed packets and never reach their destination. If I do the reverse ping (from Mikrotik's LAN side to pfSense's I get these responses (sometimes also IP0 and IP8 and IP bad-hlen 0):
These packets are never passed onto the LAN side of the pfSense hence never reach their destination...

Has anybody ever seen something like this? Anyone can help?
Until now, I've been trying the obvious (update everything, recreate tunnels and rules on both sides, etc, to no avail)... Any new idea really apreciated! thank you!

You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: Baidu [Spider] and 6 guests