IPSEC VPN traffic to remote BINAT network only pings
-
IPSEC VPN traffic to a remote BINAT network can ping the BINAT'ed remote addresses, but TCP traffic doesn't flow with pfSense 2.4 (the same configuration works flawlessly with pfSense 2.3.2).
This problem only occurs if there is a BINAT translation.
For example, if at the remote site there is a 192.168.0.0/24 network BINAT'ed to 192.168.72.0/24 for our local side, and there is a 192.168.0.100 server there.
Disparando 192.168.72.100 com 32 bytes de dados:
Resposta de 192.168.72.100: bytes=32 tempo=10ms TTL=126
Resposta de 192.168.72.100: bytes=32 tempo=9ms TTL=126
Resposta de 192.168.72.100: bytes=32 tempo=10ms TTL=126
Resposta de 192.168.72.100: bytes=32 tempo=12ms TTL=126
Estatísticas do Ping para 192.168.72.100:
Pacotes: Enviados = 4, Recebidos = 4, Perdidos = 0 (0% de perda),
Aproximar um número redondo de vezes em milissegundos:
Mínimo = 9ms, Máximo = 12ms, Média = 10ms
But any other TCP connection cannot be established, for example, if I test for RDP:
[tadaog.XXX6] ➤ telnet 192.168.72.100 3389
Trying 192.168.72.100…
telnet: Unable to connect to remote host: Connection timed out
To illustrate, with pfSense 2.3.2 Release P1 it connects:
[2017-02-10 23:39.29] ~
[tadaog.XXX6] ➤ telnet 192.168.72.100 3389
Trying 192.168.72.100…
Connected to 192.168.72.100.
Escape character is '^]'.
-
What do your entries in the states table look like for this traffic?
There are a couple tickets about IPsec states not being handled properly on 2.4 that we're still investigating:
https://redmine.pfsense.org/issues/6937
https://redmine.pfsense.org/issues/7015 -
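Since the question above is about the state table, here is a small helper for answering it: an added example (not part of this thread or of pfSense) that parses `pfctl -ss` style lines and reports, per protocol, whether states for the BINAT'ed host exist and whether the TCP ones ever completed the handshake. The sample state lines are constructed to mirror the symptom described in the first post (ICMP states present, TCP states stuck half-open); the interface names, addresses and ports in them are assumptions, not values from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of `pfctl -ss` output (hypothetical; not taken from the thread).
# Layout per line: <iface> <proto> <src>[:port] [(orig)] -> <dst>[:port] [(orig)] <state>
SAMPLE_STATES = """\
lan icmp 192.168.1.20:5 -> 192.168.72.100:5       0:0
enc0 icmp 192.168.1.20:5 -> 192.168.72.100:5       0:0
lan tcp 192.168.1.20:51022 -> 192.168.72.100:3389       SYN_SENT:CLOSED
enc0 tcp 192.168.1.20:51022 -> 192.168.72.100:3389       SYN_SENT:CLOSED
lan tcp 192.168.1.20:51030 -> 192.168.72.100:3389       SYN_SENT:CLOSED
wan udp 203.0.113.5:500 -> 198.51.100.9:500       MULTIPLE:MULTIPLE
"""

# One state entry; the optional "(addr:port)" token is the pre-NAT address pf prints
# for translated states, which we skip so src/dst are the post-translation endpoints.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)(?:\s+\([^)]*\))?\s+"
    r"(?P<dir>->|<-|<->)\s+(?P<dst>\S+)(?:\s+\([^)]*\))?\s+(?P<state>\S+)\s*$"
)


def parse_states(text):
    """Parse state-table lines; lines that do not match the layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def host_of(endpoint):
    """Strip the ':port' (or ICMP id) suffix. Assumes IPv4 endpoints only."""
    return endpoint.rsplit(":", 1)[0]


def states_for_host(entries, host):
    """Group states that touch `host` by protocol: proto -> [(iface, state), ...]."""
    out = defaultdict(list)
    for e in entries:
        if host in (host_of(e["src"]), host_of(e["dst"])):
            out[e["proto"]].append((e["iface"], e["state"]))
    return dict(out)


def diagnose(entries, host, proto="tcp"):
    """Return a one-word verdict for `proto` traffic to `host`.

    no-state    : nothing ever matched, so the packets never created a state
                  (rule or routing problem rather than a stuck state)
    half-open   : TCP SYN was seen but the peer side never left CLOSED, i.e.
                  the SYN/ACK did not return or was not matched to the state
    established : every TCP state completed the handshake
    mixed       : some established, some not
    present     : non-TCP protocol has states (no handshake to judge)
    """
    by_proto = states_for_host(entries, host)
    if proto not in by_proto:
        return "no-state"
    if proto != "tcp":
        return "present"
    states = [st for _, st in by_proto["tcp"]]
    if all("ESTABLISHED" in st for st in states):
        return "established"
    if all(st.startswith("SYN_SENT") or st.endswith(":CLOSED") for st in states):
        return "half-open"
    return "mixed"


if __name__ == "__main__":
    ents = parse_states(SAMPLE_STATES)
    for p in ("icmp", "tcp", "udp"):
        print(p, diagnose(ents, "192.168.72.100", p))
```

On a real firewall you would feed it the output of `pfctl -ss` (or the state view in the pfSense GUI) instead of the constructed sample; a "half-open" verdict for TCP alongside "present" for ICMP is exactly the pattern that distinguishes a state-handling problem from a missing rule, which is why the question about the state table matters here.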
jimp:
Your floating rule workaround gets the problem temporarily fixed and all requested traffic flows flawlessly!
https://forum.pfsense.org/index.php?topic=117827
It seems related!