Netgate Discussion Forum
    [SOLVED] IPSec traffic does not show in firewall logs

    Category: Firewalling
    14 Posts, 3 Posters, 7.2k Views
    • Derelict (LAYER 8, Netgate):

      Do you understand that the IPsec tab firewall rules on each node apply to traffic being RECEIVED from the remote and allowed into the local pf?

      Remote site 1 will need IPsec rules determining what local assets can be accessed by 10.0.0.0/24

      Remote site 2 will need IPsec rules determining what local assets can be accessed by 192.168.1.0/24.  These can be as open or restrictive as you like.

      Pass IPv4 any any any is usually what people do to get it going.  Then they further restrict it to only those local assets the remote network needs to access.

      What traffic is routed INTO and OUT OF IPsec is determined by the Phase 2 entries.  What traffic is allowed from IPsec into pf is determined by the IPSec rules.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • dlogan:

        First off, thank you for your reply.  I appreciate any help I can get.

        Do you understand that the IPsec tab firewall rules on each node apply to traffic being RECEIVED from the remote and allowed into the local pf?

        No, this is why I'm here; I have very little experience with VPNs.  So you're saying that when I create the VPN, all outbound traffic is allowed and I just need firewall rules to define what traffic is allowed from the remote sites back to the main site?

        What if I wanted to restrict outbound traffic on the VPN as I do on LAN?  Is this possible?  Would I have to create a Block All rule at the bottom of the list as a catchall?

        Pass IPv4 any any any is usually what people do to get it going.  Then they further restrict it to only those local assets the remote network needs to access.

        Ok, so you think my allow all rule should fix whatever was causing the FTP issues?  It was working before I put the pfSense box in.  Why isn't any of the traffic being logged? Nothing is showing for the IPSec interface at all.  Shouldn't I see something being denied?  I think the Phase 2 negotiations must be correct if I can ping between the hosts?

        • Derelict (LAYER 8, Netgate):

          @dlogan:

          No, this is why I'm here; I have very little experience with VPNs.  So you're saying that when I create the VPN, all outbound traffic is allowed and I just need firewall rules to define what traffic is allowed from the remote sites back to the main site?

          What if I wanted to restrict outbound traffic on the VPN as I do on LAN?  Is this possible?  Would I have to create a Block All rule at the bottom of the list as a catchall?

          Not sure on the ASAs.

          In general pfSense firewall rules are applied to traffic coming INTO an interface.  So traffic from IPsec nodes is on the IPsec tab.  If you wanted to restrict traffic from LAN to the remote IPsec network, you would place a rule on LAN.  To me it makes more sense for the remote end to determine what is and is not allowed into the router there (on its IPsec tab, or the ASA rules in this case.)

          There is always a default block any any rule in pfSense.  Traffic not explicitly passed will be blocked.

          Ok, so you think my allow all rule should fix whatever was causing the FTP issues?  It was working before I put the pfSense box in.  Why isn't any of the traffic being logged? Nothing is showing for the IPSec interface at all.  Shouldn't I see something being denied?  I think the Phase 2 negotiations must be correct if I can ping between the hosts?

          Sounds like you should be able to ping in one direction but not the other if you have no rules on your IPsec tab.  FTP in which direction?  There's a diagram in my sig.  If you refer to pfSense A as your pfSense and pfSense C as one of the ASAs we can use it to visualize your network.  It sounds like Host A1 should be able to FTP to Host C1 but C1 to A1 should be blocked absent IPsec rules on A.  I'll have to see what is logged by IPsec rules and when.  I'm pretty much exclusively OpenVPN these days.

          You just have to make sure the phase 2 entries match.  They create the routes but don't pass or block anything.

          • dlogan:

            I just noticed the IPSec sub-forum, should I have posted this there?

            Anyway,
            Site A - my main site where I put the pfSense router (replaced an ASA)
            Sites B & C - remote sites, both still have ASAs.

            FTP is from sites B & C to site A.

            I put an entry in the IPSec firewall rules at Site A to allow ANY protocol, from ANY, to ANY just for testing.  I also checked the box to log packets matching.

            So far nothing is logged.  I suppose I will need access to the machines in question to do further testing.  I don't know how often the remote hosts attempt to FTP to the Site A host.

            • Derelict (LAYER 8, Netgate):

              If you feel like it post the IPsec rule screenshot.  That should be all that's necessary provided the ASA rules accommodate what you want to do.

              What you have done will log passes, not rejections.  Rejections will be logged by the default block rule (I think).

              • dlogan:

                I know that enabling logging is for Pass traffic, not block.  But I don't see ANY traffic, neither PASS nor BLOCK.  It seems that I should see my ping traffic at least.

                Does the VPN traffic bypass LAN/WAN rules?  If the traffic is matching something allowed from LAN will it not show up under the IPSec interface logs?  I'm confused.

                • phil.davis:

                  Connections initiated from site B and C coming in to site A should be logged by that rule (e.g. if the remote site starts an FTP from a server at site A).
                  If you ping from site B or C to site A that should also be logged.
                  But if you ping from site A to site B or C then the logging depends on the rule/s on the site A LAN interface, where the ping originates.

                  You mentioned "the IPSec interface logs" in your text, not sure what you meant there. Make sure you are looking in Status->System Logs, Firewall tab, to see the logged packets.

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                  • dlogan:

                    You mentioned "the IPSec interface logs" in your text, not sure what you meant there. Make sure you are looking in Status->System Logs, Firewall tab, to see the logged packets.

                    Sorry, yes, that's where I'm looking.  I search for any packets that are PASS, I find none.  I search for Block packets from the remote host IP (the host at the remote site that should be initiating the FTP transfer), I find none.

                    • Derelict (LAYER 8, Netgate):

                      On which end?  They will only appear on the destination end of the connection where the connections are coming IN from IPsec.

                      • dlogan:

                        Ok, let's just ignore this particular issue until I can get remote access to the machines that are initiating the FTP traffic.  I only have access to the main office right now.  Another admin at the remote site is telling me his host is trying to initiate FTP from their host (remote site with ASA) to my host (main site with pfSense).  I see no traffic, neither BLOCKED from his host's IP nor any PASSED whatsoever.

                        Here is where I'd like to focus this discussion until I can get remote access to those machines…

                        I do not allow All traffic to pass outbound from LAN as many probably do.  I have it restricted to ICMP echo requests, HTTP, HTTPS, FTP, some email protocols POP, POP/S, IMAP, IMAP/s, SMTP, SMTPS, SUBMISSION maybe a couple of others.

                        While I am pinging across the VPN, I disabled the rule that allows ICMP echo requests from LAN to *.  This stopped the pings across the VPN.  This is why I was asking earlier if IPSec traffic bypassed the WAN/LAN rules.  Obviously it does not.

                        I took the ICMP test a step further, and added a rule in Firewall, Rules, LAN that allows Any protocol to the LAN subnet of the remote networks. Initially, as with all my other LAN rules, under advanced, I have the gateway configured as WAN1toWAN2FAILOVER and a second identical rule with WAN2TOWAN1FAILOVER.  These are failover groups for my multi-wan situation. The rules work for outbound traffic to the world, but for some reason will not work for the VPN traffic.  In order to get it to work for the VPN, I had to leave the gateway as default *.

                        Interestingly enough, the ICMP rules were set to use the failover groups and were working, but all protocols don't work to failover groups for vpn traffic.

                        Hopefully a few screenshots will help clarify what I mean here.

                        All of this is being done from the main site, site A.  I'm RDP'd to a computer there running pings to hosts at both site B and site C.

                        First item, my original rule to allow ICMP echo requests to *, using the failover groups as the gateway:

                        This works when enabled.  I am able to ping hosts at both remote sites.

                        Second item, in this example the ICMP rules above are disabled:

                        This does not work.  I am unable to ping remote hosts.

                        Third item, removed entries using failover groups, added one with default gateway as the default *:

                        This works.  I am able to ping remote hosts.

                        Any ideas on this?

                        I'm assuming that if I need LAN rules to allow traffic through the VPN, then I also need WAN rules to allow the traffic coming back?  If so, how do I make the WAN rules?  Allow the remote public IP?  Or the remote local subnets?  I have the option on WANs to block private networks …is that going to kill me?

                        • Derelict (LAYER 8, Netgate):

                          No.  The only WAN rule you need is for IPsec itself and they are generated automatically when IPsec is enabled on an interface.  Your WAN interface never sees traffic arriving from your remote IPsec networks.  Connections from those networks come in on the "IPsec" tab.

                          I'm pretty sure if you're multi-WAN you need rules ABOVE the rules that send traffic to your failover groups that send VPN traffic to your default gateway.

                          Pass IPv4 any source LAN net dest CannRemoteLANSubnets port any gateway *

                          Then your rules sending all other LAN net traffic to the failover groups.

                          pfSense routes differently when you set gateways in rules and you have to exclude other traffic first.  Sort of like having to exclude your VPN traffic from NAT in the ASAs.

                          • dlogan:

                            Thank you.  Everything is working now.

                            • phil.davis:

                              The principle here is that a rule that specifies a gateway/group will force the traffic to that gateway/group.
                              For VPNs and other links that have a known set of subnets reachable on the other end, the ordinary routing table knows how to get there - you do not want to force that traffic out some WAN. So put rules on LAN to pass that VPN traffic without specifying a gateway - that traffic will then be routed using the ordinary routing table, which will get it to its destination just fine.
                              Then later rules can specify gateway/groups to send other traffic out whatever combination of WANs you like.

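The two configuration points the thread turns on, written out in plain pf syntax: rules on the IPsec tab (pf interface enc0) decide what the remote sites may send into site A and log only what they pass, while the LAN rules for VPN-bound traffic have to sit above the policy-routing rules and carry no gateway. This is an illustration added by the editor, not pfSense's generated ruleset and not anything posted in the thread. Interface names, gateway address and the site A LAN subnet are assumptions; the two remote subnets are the ones named in the first reply.

```pf
# Editor's illustration in plain pf syntax; not pfSense's generated ruleset.
# Assumptions: em1 = site A LAN, em0 = WAN1, 192.168.100.0/24 = site A LAN,
# 203.0.113.1 = WAN1 gateway. 10.0.0.0/24 and 192.168.1.0/24 are the remote
# subnets named in the thread.
lan_if  = "em1"
lan_net = "192.168.100.0/24"
wan1_if = "em0"
wan1_gw = "203.0.113.1"
table <vpn_nets> { 10.0.0.0/24, 192.168.1.0/24 }

# Default deny. pfSense's own default-block rule logs by default, so blocked
# packets appear in Status > System Logs > Firewall even with no user rules.
block in log all

# --- IPsec tab = rules on enc0: traffic ARRIVING from the remote sites ---
# Phase 2 entries only decide what is routed into and out of the tunnel;
# these rules decide what the remote sites may reach at site A. "log" on a
# pass rule records passes, and only on this (the destination) end.
# The getting-started rule from the thread, wide open, would read:
#   pass in log quick on enc0 inet from <vpn_nets> to $lan_net keep state
# Restricted to what the remote sites actually need (FTP control + ping;
# passive-mode FTP data ports would need their own rule):
pass in log quick on enc0 inet proto tcp  from <vpn_nets> to $lan_net port 21 keep state
pass in log quick on enc0 inet proto icmp from <vpn_nets> to $lan_net icmp-type echoreq keep state

# --- LAN tab: traffic LEAVING site A, matched first-match in order ---
# 1) VPN-bound traffic first, with NO route-to, so it follows the ordinary
#    routing table (and therefore the tunnel) to its destination.
pass in quick on $lan_if inet from $lan_net to <vpn_nets> keep state

# 2) Only then the policy-routed rules for everything else. pfSense writes a
#    failover group as route-to on whichever member gateway is currently up;
#    WAN1 is shown as that member. Had these rules come first, VPN traffic
#    would have matched them and been forced out the WAN instead.
pass in quick on $lan_if inet proto icmp from $lan_net to any icmp-type echoreq \
    route-to ($wan1_if $wan1_gw) keep state
pass in quick on $lan_if inet proto tcp from $lan_net to any port { 21, 80, 443 } \
    route-to ($wan1_if $wan1_gw) keep state
```

Checking a ruleset like this with `pfctl -nf` parses it without loading it; on a pfSense box the equivalent ordering is simply the top-to-bottom position of the rules on the LAN tab, with the VPN rule's gateway left at the default `*`.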