[Swan] Issue with site-to-site VPN to pfSense

Chris Adams linux at cmadams.net
Tue Oct 5 17:16:44 UTC 2021

I set up a site-to-site VPN to a pfSense system (not under my control).
My side is really straightforward - it's running on CentOS 8-stream
with libreswan-4.4-1.el8.x86_64.  The config looks like:

conn <name>
	right=<remote IP>
	rightsubnets={remote subnets}

and left/leftsubnets are inherited from conn %default (which is working
for some connections to other remotes, either ASAs or pfSense, not
sure).  I'm just following the Red Hat crypto-policies defaults for
IKEv2, ciphers/hashes, and such.  I enabled ip_forward and disabled
rp_filter (and the Red Hat/CentOS RPM already disables the redirects
with an included sysctl file).

There are 2 subnets on my end and 4 on the remote, so there are 8
connections total.  They'll connect okay, but traffic isn't passing on
most of them.  What's weird is that when I look at "ipsec trafficstatus"
it looks like my test pings are going out the right connection, but the
responses are coming back in a different one (associated with a
different subnet on my end).

/proc/net/xfrm_stat shows XfrmInTmplMismatch incrementing (which I don't
find many Google references to, but would seem to match my thought that
the remote site is sending packets on the "wrong" connection).  If I run
tcpdump on WAN interface, I see the ICMP echo replies from the remote,
so it appears the packets are being received and decrypted (both sides
are RFC1918 space so they're not coming across the Internet), but then
dropped?  It doesn't appear to be firewall related (the remote subnets
are in the local firewalld "trust" zone, plus I turned on firewalld's
log-denied and there weren't drops logged).

Is there something on my end that could cause this, or something I can
tell the pfSense admin to look at or change?  Is there any way to work
around it on my end?
Chris Adams <linux at cmadams.net>
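As an added illustration of the XfrmInTmplMismatch reasoning in the post (this is not code from the original message or from libreswan): a small Python model of the kernel's inbound template check over a constructed 2x4 subnet topology, showing why a reply that the remote sends inside the wrong child SA is dropped, and which of the 8 connections it should have used. The subnet values, SA names and sample packets are all made up.

```python
import ipaddress
from collections import Counter

# Constructed sample topology (not from the original post): 2 local subnets
# and 4 remote subnets give the 8 connections the post describes.
LOCAL_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24"]
REMOTE_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24",
                  "192.168.3.0/24", "192.168.4.0/24"]

def build_sas(local_subnets, remote_subnets):
    """One inbound SA per (local, remote) subnet pair, mirroring the per-pair
    connections libreswan creates. The SA's template is (inner src, inner dst)."""
    sas = {}
    for li, l in enumerate(local_subnets, 1):
        for ri, r in enumerate(remote_subnets, 1):
            sas[f"local{li}-remote{ri}"] = (ipaddress.ip_network(r),
                                            ipaddress.ip_network(l))
    return sas

SAS = build_sas(LOCAL_SUBNETS, REMOTE_SUBNETS)

def classify_inbound(sas, sa_name, inner_src, inner_dst):
    """Emulate the kernel's check: after decryption the inner packet must fall
    within the selectors of the SA it arrived on. Returns ('ok', sa_name) or
    ('XfrmInTmplMismatch', sa_the_remote_should_have_used_or_None)."""
    src, dst = ipaddress.ip_address(inner_src), ipaddress.ip_address(inner_dst)
    r_net, l_net = sas[sa_name]
    if src in r_net and dst in l_net:
        return ("ok", sa_name)
    expected = next((n for n, (rn, ln) in sas.items() if src in rn and dst in ln), None)
    return ("XfrmInTmplMismatch", expected)

# Constructed decrypted packets as (arriving SA, inner src, inner dst).
SAMPLE_PACKETS = [
    ("local1-remote1", "192.168.1.5", "10.10.1.7"),  # correct SA
    ("local1-remote1", "192.168.1.5", "10.10.2.7"),  # reply sent on wrong SA
    ("local2-remote3", "192.168.3.9", "10.10.2.7"),  # correct SA
    ("local2-remote3", "192.168.4.9", "10.10.2.7"),  # reply sent on wrong SA
    ("local1-remote2", "172.16.0.1", "10.10.1.7"),   # src matches no connection
]

def audit(sas, packets):
    """Tally outcomes the way the XfrmInTmplMismatch counter would, and list
    each mismatch with the SA the packet should have arrived on."""
    counts, mismatches = Counter(), []
    for sa_name, src, dst in packets:
        verdict, expected = classify_inbound(sas, sa_name, src, dst)
        counts[verdict] += 1
        if verdict != "ok":
            mismatches.append((sa_name, src, dst, expected))
    return counts, mismatches

if __name__ == "__main__":
    for row in audit(SAS, SAMPLE_PACKETS)[1]:
        print("mismatch on %s: %s -> %s, expected SA %s" % row)
```

Comparing the listed "expected SA" against the connection that `ipsec trafficstatus` shows your outbound pings using is the quickest way to confirm the remote is replying inside the wrong child SA.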
