Hi there, I'm having a problem sending packets inside a IPSec VPN in a very weird way. Here's the thing:
- Mikrotik (RB4011iGS+) has WAN IP (no nat), LAN is 192.168.200.0/24.
- pfSense has WAN IP (no nat). LAN is 192.168.30.0/24.
- On Mikrotik, VPN tunnel policy is PH2 established (peer, identity, profile, proposal and policy look good, and firewall is accepting traffic from/to the other side LAN)
- On pfSense, VPN tunnel status shows as OK, too, and I've got a Firewall rule for IPSec traffic to be allowed no matter the protocol, source or destination.
...but no traffic is flowing, or better said: traffic in one direction (Mikrotik to pfSense) is never reaching its destination.
For my (most significant) tests, I tcpdump -i enc0 proto ICMP and start pinging form each side, and here comes the weird part:
When pinging from pfSense LAN to Mikrotik LAN (ping 192.168.200.3 from a host at 192.168.30.16) I get this tcpdump on the pfSense host:
So it looks like packets exiting from 30.16 are correctly put inside the tunnel and in fact reach their destination (see next image), but as you can see there's immediately an unexpected "IP12" response.
At 192.168.200.3 (Mikrotik LAN side), packets are received, as tcpdump shows:
As you can see, the ping is correctly received (and replied!) at the host, and now is the turn of the Mikrotik to put these replies inside the tunnel and send them back to 192.168.30.16, but they get stuck at the pfSense side like they are perhaps malformed packets and never reach their destination. If I do the reverse ping (from Mikrotik's LAN side 192.168.200.3 to pfSense's 192.168.30.16) I get these responses (sometimes also IP0 and IP8 and IP bad-hlen 0):
These packets are never passed onto the LAN side of the pfSense hence never reach their destination...
Has anybody ever seen something like this? Anyone can help?
Until now, I've been trying the obvious (update everything, recreate tunnels and rules on both sides, etc, to no avail)... Any new idea really apreciated! thank you!