<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div>Hi,</div><div><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">I have an environment with a VPN between pfSense 2.0.1 and strongSwan 4.3.2. The VPN is established, as the command output below shows.</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">root@hc-fw-01:~# ipsec statusall<br>000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):<br>000 interface lo/lo ::1:500<br>000 interface lo/lo 127.0.0.1:500<br>000 interface eth0/eth0 xxx.xxx.xxx.xxx:500<br>000 interface eth0:1/eth0:1 xxx.xxx.xxx.xxx:500<br>000 interface eth0:2/eth0:2 xxx.xxx.xxx.xxx:500<br>000 interface eth1/eth1 192.168.1.254:500<br>000 %myid = (none)<br>000 loaded plugins: curl ldap random pubkey openssl hmac gmp<br>000 debug options: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore<br>000<br>000 "pfsense_ic": 192.168.1.0/24===xxx.xxx.xxx.xxx...yyy.yyy.yyy.yyy===192.168.2.0/24; erouted; eroute owner: #2<br>000 "pfsense_ic": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 0<br>000 "pfsense_ic": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;<br>000 "pfsense_ic": newest ISAKMP SA: #1; newest IPsec SA: #2;<br>000 "pfsense_ic": IKE proposal: 3DES_CBC/HMAC_MD5/MODP_1024<br>000 "pfsense_ic": ESP proposal: 3DES_CBC/HMAC_SHA1/&lt;Phase1&gt;<br>000<br>000 #2: "pfsense_ic" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27315s; newest IPSEC; eroute owner<br>000 #2: "pfsense_ic" esp.ed55fa3@yyy.yyy.yyy.yyy (17910 bytes, 5s ago) esp.5cfa7de3@xxx.xxx.xxx.xxx (0 bytes); tunnel<br>000 #1: "pfsense_ic" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27314s; newest ISAKMP<br>000<br>root@hc-fw-01:~#<br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">But when I try to run the "ping" command from the 192.168.1.0/24 network to the 192.168.2.0/24 network, I do not get connectivity. Here is the output of the following command:</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">"ip -s xfrm policy list"<br><br>root@hc-fw-01:~# ip -s xfrm policy list<br>src 192.168.1.0/24 dst 192.168.2.0/24 uid 0<br> dir out action allow index 6225 priority 2344 share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2012-08-22 09:10:07 use 2012-08-22 09:36:07<br> tmpl src xxx.xxx.xxx.xxx dst yyy.yyy.yyy.yyy<br> proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>src 192.168.2.0/24 dst 192.168.1.0/24 uid 0<br> dir fwd action allow index 6218 priority 2344 share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2012-08-22 09:10:07 use -<br> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br> proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>src 192.168.2.0/24 dst 192.168.1.0/24 uid 0<br> dir in action allow index 6208 priority 2344 share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2012-08-22 09:10:07 use -<br> tmpl src yyy.yyy.yyy.yyy dst xxx.xxx.xxx.xxx<br> proto esp spi 0x00000000(0) reqid 16385(0x00004001) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Another item I noticed in the command output was the following excerpt:</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">src 0.0.0.0/0 dst 0.0.0.0/0 uid 0<br> dir 3 action allow index 6099 priority 0 share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2012-08-22 09:07:34 use -</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Why do I have such a connection to and from 0.0.0.0?</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Another item I analyzed was the SPI values on the two hosts:</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><table class="tabcont sortable" border="0" cellpadding="6" cellspacing="0" width="100%"><thead><tr><td class="listhdrr sorttable_sorted" nowrap="nowrap">Source</td>
<td class="listhdrr" nowrap="nowrap">Destination</td>
<td class="listhdrr" nowrap="nowrap">Protocol</td>
<td class="listhdrr" nowrap="nowrap">SPI</td>
<td class="listhdrr" nowrap="nowrap">Enc. alg.</td>
<td class="listhdr" nowrap="nowrap">Auth. alg.</td>
<td class="listhdr" nowrap="nowrap">Data</td>
</tr></thead>
<tbody>
<tr>
<td class="listlr">yyy.yyy.yyy.yyy</td>
<td class="listr">xxx.xxx.xxx.xxx</td>
<td class="listr">ESP</td>
<td style="font-weight: bold;" class="listr">5cfa7de3</td>
<td class="listr">3des-cbc</td>
<td class="listr">hmac-sha1</td>
<td class="listr">111672 B</td>
</tr><tr>
<td class="listlr">xxx.xxx.xxx.xxx</td>
<td class="listr">yyy.yyy.yyy.yyy</td>
<td class="listr">ESP</td>
<td style="font-weight: bold;" class="listr">0ed55fa3</td>
<td class="listr">3des-cbc</td>
<td class="listr">hmac-sha1</td>
<td class="listr">111835 B</td>
</tr><tr>
<td class="listlr">xxx.xxx.xxx.xxx</td>
<td class="listr">yyy.yyy.yyy.yyy</td>
<td class="listr">ESP</td>
<td style="font-weight: bold;" class="listr">05fe6cf8</td>
<td class="listr">3des-cbc</td>
<td class="listr">hmac-sha1</td>
<td class="listr">0 B</td>
</tr></tbody><tfoot></tfoot></table>
<div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">root@hc-fw-01:~# ip xfrm monitor<br>Async event (0x10) replay update<br> src 177.4.169.167 dst 189.31.140.211 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0x5cfa7de3</span><br>Async event (0x10) replay update<br> src 189.31.140.211 dst 177.4.169.167 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0xed55fa3</span><br>Async event (0x20) timer expired<br> src 189.31.140.211 dst 177.4.169.167 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0xed55fa3</span><br>Async event (0x20) timer expired<br> src 177.4.169.167 dst 189.31.140.211 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0x5cfa7de3</span><br>Async event (0x10) replay update<br> src 189.31.140.211 dst 177.4.169.167 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0xed55fa3</span><br>Async event (0x20) timer expired<br> src 177.4.169.167 dst 189.31.140.211 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0x5cfa7de3</span><br>Async event (0x20) timer expired<br> src 189.31.140.211 dst 177.4.169.167 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0xed55fa3</span><br>Async event (0x20) timer expired<br> src 177.4.169.167 dst 189.31.140.211 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0x5cfa7de3</span><br>Async event (0x20) timer expired<br> src 189.31.140.211 dst 177.4.169.167 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0xed55fa3</span><br>Async event (0x20) timer expired<br> src 177.4.169.167 dst 189.31.140.211 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0x5cfa7de3</span><br>Async event (0x20) timer expired<br> src 189.31.140.211 dst 177.4.169.167 reqid 0x4001 protocol esp SPI <span style="font-weight: bold;">0xed55fa3</span><br>Async event (0x20) timer expired<br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Any idea?</div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;"><br></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: times new roman,new york,times,serif; background-color: transparent; font-style: normal;">Regards</div></div></body></html>
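The SPI cross-check the post describes, as an added example that is not part of the original message: a small Python script that normalises the three SPI spellings seen on this page (pluto's esp.ed55fa3, pfSense's 0ed55fa3, iproute2's 0xed55fa3) and reconciles the byte counters both ends report for each SA, so a direction whose sender counts traffic while the receiver counts nothing stands out. It assumes the masked xxx address is the strongSwan host and yyy the pfSense peer, as the statusall connection line indicates, and that the pluto counter next to the SA suffixed with the peer address is this host's outbound traffic.

```python
import re

# Constructed sample input, taken from the diagnostics quoted in the post, with
# the public addresses masked the way the post masks them (xxx = strongSwan host
# on eth0, yyy = pfSense peer); PFSENSE_SAD rows are (src, dst, spi, bytes).
STRONGSWAN_IP, PFSENSE_IP = "xxx.xxx.xxx.xxx", "yyy.yyy.yyy.yyy"
PLUTO_LINE = ('000 #2: "pfsense_ic" esp.ed55fa3@yyy.yyy.yyy.yyy (17910 bytes, 5s ago) '
              'esp.5cfa7de3@xxx.xxx.xxx.xxx (0 bytes); tunnel')
PFSENSE_SAD = [
    ("yyy.yyy.yyy.yyy", "xxx.xxx.xxx.xxx", "5cfa7de3", 111672),
    ("xxx.xxx.xxx.xxx", "yyy.yyy.yyy.yyy", "0ed55fa3", 111835),
    ("xxx.xxx.xxx.xxx", "yyy.yyy.yyy.yyy", "05fe6cf8", 0),
]

def norm_spi(text):
    """pluto prints 'esp.ed55fa3', pfSense '0ed55fa3', iproute2 '0xed55fa3':
    reduce all three to one zero-padded 8-digit form so they compare equal."""
    digits = re.sub(r"^(esp\.|0x)", "", text.strip().lower())
    return f"{int(digits, 16):08x}"

def parse_pluto(line, me, peer):
    """Map each 'esp.SPI@dst (N bytes' fragment to {spi: (src, dst, bytes)}; pluto
    suffixes the SA's destination, so '@peer' is our outbound and '@me' our inbound SA."""
    sas = {}
    for spi, dst, nbytes in re.findall(r"esp\.([0-9a-f]+)@(\S+) \((\d+) bytes", line):
        sas[norm_spi(spi)] = (me if dst == peer else peer, dst, int(nbytes))
    return sas

def reconcile(pluto_sas, pfsense_rows, pfsense_ip):
    """Compare both ends' view of every SA; return one finding string per SPI."""
    pf = {norm_spi(spi): (src, dst, b) for src, dst, spi, b in pfsense_rows}
    findings = []
    for spi in sorted(set(pluto_sas) | set(pf)):
        if spi not in pluto_sas:
            findings.append(f"{spi}: only pfSense lists this SA (stale or unsynchronised)")
        elif spi not in pf:
            findings.append(f"{spi}: only strongSwan lists this SA")
        else:
            src, dst, ss_bytes = pluto_sas[spi]
            # each host only counts its own traffic: the sender's counter lives at src
            sent, recv = (pf[spi][2], ss_bytes) if src == pfsense_ip else (ss_bytes, pf[spi][2])
            if sent > 0 and recv == 0:
                findings.append(f"{spi}: {src}->{dst} sent {sent} B but the receiver "
                                "counted 0 B: ESP is not reaching the receiving SA")
            else:
                findings.append(f"{spi}: {src}->{dst} ok (sent {sent} B, received {recv} B)")
    return findings

FINDINGS = reconcile(parse_pluto(PLUTO_LINE, STRONGSWAN_IP, PFSENSE_IP), PFSENSE_SAD, PFSENSE_IP)
print("\n".join(FINDINGS))
```

The counters on the two sides were not sampled at the same moment, so differing non-zero values are expected; only a zero on the receiving side against a non-zero sender is worth chasing.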