Hi everyone, I have been scratching my head for weeks now over how to get a routed IPsec site-to-site VPN working between a pfSense firewall and OpenWrt.
The setup is currently in a lab environment to avoid issues with my production networks. The config is as follows:

### pfSense ###
WAN : 192.168.45.10
IPsec subnet : 10.10.10.1/30
###############

### Arch Linux ###
WAN : 192.168.45.30
IPsec subnet : 10.10.10.2/30
#################

Pings from the pfSense are reaching the Linux system and are received with no errors:

ip_vti1: ip/ip remote 192.168.45.10 local 192.168.45.30 ttl inherit nopmtudisc key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    47185      3963540      0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            98923  0        98923    0

Pings from the Linux system are being seen as NoRoute errors by the tunnel. I have deleted all the rules I had added to iptables that mark outgoing packets, in the hope of them getting routed into the VTI interface, marked there and therefore tunnelled to the pfSense.

Mangle chain:

-P PREROUTING ACCEPT -c 1002 86651
-P INPUT ACCEPT -c 920 82059
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 847 101821
-P POSTROUTING ACCEPT -c 847 101821
-A PREROUTING -s 192.168.45.10/32 -d 192.168.45.30/32 -p esp -m esp --espspi 3448029224 -c 2871 401940 -j MARK --set-xmark 0x2a/0xffffffff
-A PREROUTING -d 10.10.10.0/30 -c 143719 14738388 -j NFLOG --nflog-group 5
-A INPUT -c 337318 30692985 -j NFLOG --nflog-group 6
-A OUTPUT -c 368660 48238051 -j NFLOG --nflog-group 7
-A POSTROUTING -c 368923 48266946 -j NFLOG --nflog-group 8

From my understanding the routes are correct, as seen below:

[root@arch-linux ~]# ip route get 10.10.10.1
10.10.10.1 dev ip_vti1 src 10.10.10.2 uid 0
    cache
[root@arch-linux ~]# ip route
default via 192.168.45.1 dev ens18
10.10.10.0/30 dev ip_vti1 scope link
192.168.45.0/24 dev ens18 proto kernel scope link src 192.168.45.30

Table 220 has been added but is empty.
[root@arch-linux ~]# ip rule
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default

My Linux IPsec /etc/swanctl/swanctl.conf:

[root@arch-linux ~]# cat /etc/swanctl/swanctl.conf
connections {
    ipseclab {
        fragmentation = yes
        unique = replace
        version = 2
        proposals = aes256-sha256-modp2048
        dpd_delay = 10s
        dpd_timeout = 60s
        rekey_time = 25920s
        reauth_time = 0s
        over_time = 2880s
        rand_time = 2880s
        encap = no
        mobike = no
        local_addrs = 192.168.45.30
        remote_addrs = 192.168.45.10
        local {
            id = fqdn:ipsec-lab-openwrt
            auth = psk
        }
        remote {
            id = fqdn:ipsec-lab-pfsense
            auth = psk
        }
        children {
            con1 {
                close_action = start
                dpd_action = restart
                policies = no
                life_time = 3600s
                rekey_time = 3240s
                rand_time = 360s
                start_action = start
                remote_ts = 0.0.0.0/0
                local_ts = 10.10.10.2/30
                esp_proposals = aes256gcm128-modp2048
                mark_in = 42
                mark_out = 42
                updown = /root/02.ipsec-log.sh
            }
        }
    }
}
secrets {
    ike-0 {
        secret = e559c752478188f3fca07ab3e5fcd1ff02f5c55574b576920c67c443
        id-0 = %any
        id-1 = fqdn:ipsec-lab-pfsense
    }
}

[root@arch-linux ~]# cat /etc/strongswan.conf
starter {
    load_warning = no
}
charon {
    install_routes = no
    install_virtual_ip = no # not in pfSense side. Added from internet tutorials.
    load_modular = yes
    # File Logging
    filelog {
        charon {
            # path to the log file, specify this as section name in versions prior to 5.7.0
            path = /root/charon.log
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            #default = -1
            app = 4
            asn = 4
            cfg = 4
            chd = 4
            dmn = 4
            enc = 4
            esp = 4
            ike = 4 # set to 2 to troubleshoot
            imc = 4
            imv = 4
            job = 4
            knl = 4 # set to 2 to troubleshoot
            lib = 4
            mgr = 4
            net = 4
            pts = 4
            tls = 4
            tnc = 4
            # flush each line to disk
            flush_line = yes
        }
    }
    syslog {
        identifier = charon
        # log everything under daemon since it ends up in the same place regardless with our syslog.conf
        daemon {
            ike_name = yes
            app = -1
            asn = -1
            cfg = -1
            chd = -1
            dmn = -1
            enc = 4
            esp = 4
            ike = -1 # set to 2 to troubleshoot
            imc = -1
            imv = -1
            job = -1
            knl = -1 # set to 2 to troubleshoot
            lib = 4
            mgr = -1
            net = -1
            pts = -1
            tls = -1
            tnc = -1
        }
        # disable logging under auth so logs aren't duplicated
        auth {
            default = -1 # set to 2 for troubleshooting; -1 to suppress
            ike = -1
        }
    }
    plugins {
        include strongswan.d/charon/*.conf
    }
}

And finally, the status of my IPsec daemon:

[root@arch-linux ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.3, Linux 5.13.12-arch1-1, x86_64):
  uptime: 66 minutes, since Aug 30 15:52:11 2021
  malloc: sbrk 2965504, mmap 0, used 1061360, free 1904144
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon ldap pkcs11 aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
Listening IP addresses:
  192.168.45.30
  10.10.10.2
Connections:
    ipseclab:  192.168.45.30...192.168.45.10  IKEv2, dpddelay=10s
    ipseclab:   local:  [ipsec-lab-openwrt] uses pre-shared key authentication
    ipseclab:   remote: [ipsec-lab-pfsense] uses pre-shared key authentication
        con1:   child:  10.10.10.0/30 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Shunted Connections:
Bypass LAN 10.10.10.0/30:  10.10.10.0/30 === 10.10.10.0/30 PASS
Bypass LAN 192.168.45.0/24:  192.168.45.0/24 === 192.168.45.0/24 PASS
Bypass LAN ::1/128:  ::1/128 === ::1/128 PASS
Bypass LAN fe80::/64:  fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
    ipseclab[2]: ESTABLISHED 66 minutes ago, 192.168.45.30[ipsec-lab-openwrt]...192.168.45.10[ipsec-lab-pfsense]
    ipseclab[2]: IKEv2 SPIs: e38541185347872a_i* 68249287d7529bd9_r, rekeying in 5 hours
    ipseclab[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
        con1{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c3cf4b91_i c742e267_o
        con1{2}:  AES_GCM_16_256/MODP_2048, 86268 bytes_i, 0 bytes_o, rekeying in 30 minutes
        con1{2}:   10.10.10.0/30 === 0.0.0.0/0

I have run a tcpdump capture and I can see the ping packet encapsulated, but its destination, which apparently was generated by IPsec, seems incorrect.
5 0.000002 10.10.10.2 >> 10.10.10.2 ICMP 144 Destination unreachable (Host unreachable)

Frame 15: 144 bytes on wire (1152 bits), 144 bytes captured (1152 bits)
Linux Netfilter NFLOG
    Family: IPv4 (2)
    Version: 0
    Resource id: 7
    TLV
        Type: NFULA_PACKET_HDR (1), Length: 8
            Length: 8
            .000 0000 0000 0001 = Type: NFULA_PACKET_HDR (1)
        HW protocol: IPv4 (0x0800)
        Netfilter hook: Local out (3)
    TLV
        Type: NFULA_PREFIX (10), Length: 5
            Length: 5
            .000 0000 0000 1010 = Type: NFULA_PREFIX (10)
        Prefix:
    TLV
        Type: NFULA_IFINDEX_OUTDEV (5), Length: 8
            Length: 8
            .000 0000 0000 0101 = Type: NFULA_IFINDEX_OUTDEV (5)
        IFINDEX_OUTDEV: 1
    TLV
        Type: NFULA_PAYLOAD (9), Length: 116
            Length: 116
            .000 0000 0000 1001 = Type: NFULA_PAYLOAD (9)
Internet Protocol Version 4, Src: 10.10.10.2, Dst: 10.10.10.2
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 1 (Host unreachable)
    Checksum: 0xfcfe [correct]
    [Checksum Status: Good]
    Unused: 00000000
    Internet Protocol Version 4, Src: 10.10.10.2, Dst: 10.10.10.1
        0100 .... = Version: 4
        .... 0101 = Header Length: 20 bytes (5)
        Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        Total Length: 84
        Identification: 0x03e4 (996)
        Flags: 0x40, Don't fragment
        Fragment Offset: 0
        Time to Live: 64
        Protocol: ICMP (1)
        Header Checksum: 0x0eaf [validation disabled]
        [Header checksum status: Unverified]
        Source Address: 10.10.10.2
        Destination Address: 10.10.10.1
    Internet Control Message Protocol
        Type: 8 (Echo (ping) request)
        Code: 0
        Checksum: 0x90b7 [unverified] [in ICMP error packet]
        [Checksum Status: Unverified]
        Identifier (BE): 45 (0x002d)
        Identifier (LE): 11520 (0x2d00)
        Sequence Number (BE): 494 (0x01ee)
        Sequence Number (LE): 60929 (0xee01)
        [Timestamp from icmp data: Aug 30, 2021 14:51:39.000000000 BST]
        [Timestamp from icmp data (relative): 0.801353000 seconds]
        Data (48 bytes)
            Data: 0a17040000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b…
            [Length: 48]

Any help would be extremely appreciated. Many thanks!!
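Added example (editor's note, not part of the post above). The NoRoute column that `ip -s tunnel show` prints for a VTI is the device's tx_carrier_errors counter. The Linux VTI transmit path increments it when the outbound XFRM policy lookup it performs for a packet routed into the interface, with the flow mark set to the tunnel's okey, does not end up with an IPsec state attached: either no outbound policy matches, or the best match is a PASS policy with no template. The packet is then bounced back to its own source as ICMP host unreachable, which is the 10.10.10.2 >> 10.10.10.2 frame in the capture. The script below emulates that lookup over `ip xfrm policy` output so the two failure modes can be told apart from a text dump. The tunnel statistics string is copied from the post; both `ip xfrm policy` samples are constructed and only approximate iproute2's layout. The first sample models a child with `policies = no` plus the bypass-lan PASS policy for 10.10.10.0/30 that the post's statusall lists; the second models the policies charon installs when policies are enabled with mark_in/mark_out = 42 and no bypass policy covers the VTI subnet. Function names and the priority values are my own.

```python
import ipaddress
import re

# Copied from the post: `ip -s tunnel show ip_vti1`.
TUNNEL_STATS = """\
ip_vti1: ip/ip remote 192.168.45.10 local 192.168.45.30 ttl inherit nopmtudisc key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    47185      3963540      0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            98923  0        98923    0
"""

# Constructed `ip xfrm policy` sample: no IPsec policy (policies = no) and the
# bypass-lan PASS shunts; a PASS policy has no "tmpl" line.
XFRM_POLICY_BYPASS_ONLY = """\
src 10.10.10.0/30 dst 10.10.10.0/30
\tdir out priority 1 ptype main
src 10.10.10.0/30 dst 10.10.10.0/30
\tdir in priority 1 ptype main
src 192.168.45.0/24 dst 192.168.45.0/24
\tdir out priority 1 ptype main
"""

# Constructed sample: marked tunnel policies, no PASS shunt on the VTI subnet.
XFRM_POLICY_VTI = """\
src 192.168.45.0/24 dst 192.168.45.0/24
\tdir out priority 1 ptype main
src 10.10.10.0/30 dst 0.0.0.0/0
\tdir out priority 375423 ptype main
\tmark 0x2a/0xffffffff
\ttmpl src 192.168.45.30 dst 192.168.45.10
\t\tproto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.10.0/30
\tdir in priority 375423 ptype main
\tmark 0x2a/0xffffffff
\ttmpl src 192.168.45.10 dst 192.168.45.30
\t\tproto esp reqid 1 mode tunnel
"""


def parse_tunnel_stats(text):
    """Return the tunnel okey and the RX/TX counter tables of `ip -s tunnel show`."""
    lines = text.splitlines()
    # "key N" means ikey == okey == N; "okey N" is printed when they differ.
    m = re.search(r"\bokey (\d+)", lines[0]) or re.search(r"\bkey (\d+)", lines[0])
    info = {"okey": int(m[1]) if m else 0}
    for i, line in enumerate(lines[:-1]):
        head = re.match(r"(RX|TX): (.*)", line)
        if head:  # header row followed by one row of values
            names = head[2].split()
            values = [int(v) for v in lines[i + 1].split()]
            info[head[1]] = dict(zip(names, values))
    return info


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:  # a new policy block starts with its selector
            cur = {"src": ipaddress.ip_network(m[1]), "dst": ipaddress.ip_network(m[2]),
                   "dir": None, "priority": 0, "mark": 0, "mask": 0, "tmpl": []}
            policies.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r"dir (\w+) priority (\d+)", line):
            cur["dir"], cur["priority"] = m[1], int(m[2])
        elif m := re.match(r"mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)", line):
            cur["mark"], cur["mask"] = int(m[1], 16), int(m[2], 16)
        elif m := re.match(r"tmpl src (\S+) dst (\S+)", line):
            cur["tmpl"].append({"src": m[1], "dst": m[2]})
        elif (m := re.match(r"proto (\w+) reqid (\d+) mode (\w+)", line)) and cur["tmpl"]:
            cur["tmpl"][-1].update(proto=m[1], reqid=int(m[2]), mode=m[3])
    return policies


def vti_xmit_lookup(policies, src, dst, okey):
    """Emulate the VTI transmit path: outbound policy lookup with flow mark = okey.
    Returns ("tunnel", policy) when an IPsec policy with a template wins,
    or ("noroute", reason) for the cases counted as tx_carrier_errors."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    matches = [p for p in policies
               if p["dir"] == "out" and src in p["src"] and dst in p["dst"]
               and (okey & p["mask"]) == p["mark"]]   # mask 0 matches any mark
    if not matches:
        return "noroute", "no outbound policy matches %s -> %s with mark %#x" % (src, dst, okey)
    best = min(matches, key=lambda p: p["priority"])  # lowest value wins, as in the kernel
    if not best["tmpl"]:
        return "noroute", "best match %s -> %s is a PASS policy (no tmpl), no SA attached" % (
            best["src"], best["dst"])
    return "tunnel", best


def diagnose(stats_text, policy_text, src, dst):
    """Combine the counters with the emulated lookup for one flow."""
    stats = parse_tunnel_stats(stats_text)
    verdict, detail = vti_xmit_lookup(parse_xfrm_policy(policy_text), src, dst, stats["okey"])
    return {"okey": stats["okey"], "noroute_count": stats["TX"]["NoRoute"],
            "verdict": verdict, "detail": detail}


if __name__ == "__main__":
    for label, sample in (("bypass-only", XFRM_POLICY_BYPASS_ONLY), ("marked policy", XFRM_POLICY_VTI)):
        r = diagnose(TUNNEL_STATS, sample, "10.10.10.2", "10.10.10.1")
        print(label, r["verdict"], r["detail"] if r["verdict"] == "noroute" else r["detail"]["tmpl"])
```

On a real host the inputs come from `ip -s tunnel show ip_vti1` and `ip xfrm policy`; the lookup also shows why the VTI key has to equal mark_out, since a flow carrying mark 0 never matches a policy whose mask is 0xffffffff.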