Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSec outbound traffic being blocked on IPSec interface

    2.4 Development Snapshots
    11
    29
    10.5k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bradsm87
      last edited by

      Since fresh installing the latest 2.4 build, weird stuff is happening with my IKEv2 mobile client VPN connection.

      The client connects and both the phase 1 and phase 2 connection is up.

      • ICMP traffic works (The mobile client can ping hosts on my LAN)

      • TCP traffic gets blocked outbound on the IPSec interface. I can't connect via SMB or RDP. I can see the traffic being blocked outbound on IPSec in the firewall log.

      I tried an allow all on the IPSec interface and a floating rule for allow all outbound on the IPSec interface and still no luck. It gets blocked and I can see the outbound blocking in the IPSec interface in the logs.

      1 Reply Last reply Reply Quote 0
      • B
        bradsm87
        last edited by

        Can anyone confirm this issue?

        1 Reply Last reply Reply Quote 0
        • B
          bradsm87
          last edited by

          This is sill an issue. ICMP works but not TCP.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Confirmed, https://redmine.pfsense.org/issues/6937

            Remember: Upvote with the šŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • Y
              ysdtkhr
              last edited by

              Hi

              Please let me write about the phenomena reported here.

              Apparently, the same phenomenon occurs not only for mobile communication but also for NAT-T communication.

              In FreeBSD11, the IPsec function was incorporated into the Generic kernel, but NAT-T seems to need a custom kernel

              as usual.

              Please test with custom kernel which added "options IPSEC_NAT_T"

              Thank you

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                Already there.

                : sysctl kern.conftxt | grep IPSECĀ  
                options IPSEC_NAT_T
                options IPSEC
                

                Remember: Upvote with the šŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • Y
                  ysdtkhr
                  last edited by

                  I understand that's right.
                  I thought it would be useful for solving bugs

                  1 Reply Last reply Reply Quote 0
                  • w0wW
                    w0w
                    last edited by

                    Is there a workaround?

                    1 Reply Last reply Reply Quote 0
                    • jimpJ
                      jimp Rebel Alliance Developer Netgate
                      last edited by

                      Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.

                      Remember: Upvote with the šŸ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                      Need help fast? Netgate Global Support!

                      Do not Chat/PM for help!

                      1 Reply Last reply Reply Quote 0
                      • w0wW
                        w0w
                        last edited by

                        Thanks jimp! You are the best.

                        1 Reply Last reply Reply Quote 0
                        • W
                          w0203j
                          last edited by

                          @jimp:

                          Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.

                          Any idea how to do so? sloppy state how to set this?
                          Also I don't see enc0 only see lan wan and ipsec interface.

                          1 Reply Last reply Reply Quote 0
                          • w0wW
                            w0w
                            last edited by

                            See attached. This one will be inĀ  Firewall->Rules->Floating->Add/Edit

                            how-to.jpg
                            how-to.jpg_thumb

                            I 1 Reply Last reply Reply Quote 0
                            • W
                              w0203j
                              last edited by

                              @w0w:

                              See attached. This one will be inĀ  Firewall->Rules->Floating->Add/Edit

                              Thank you so much! It's all working now.

                              Still would be good to see 2.4 working without work around …

                              I 1 Reply Last reply Reply Quote 0
                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                Anyone seeing this if you check the states created for traffic across the VPN do you see odd destination IPs?

                                Such as shown here: https://redmine.pfsense.org/issues/7015

                                And if so what type of VPN are you using? Mobile IPSec? NAT-T? Helpful to narrow down the cause here.

                                Steve

                                1 Reply Last reply Reply Quote 0
                                • w0wW
                                  w0w
                                  last edited by

                                  Steve, I have mobile IPSEC running.
                                  When I lookedĀ  atĀ  Diagnostics/States/States, then the first thing that I have found is that I can not select IPSEC as interface just because it's not listed in the drop down menu, but if I select 'all' I see IPSEC in the listĀ  and it's full of odd IP's, there are a lot of them.

                                  1 Reply Last reply Reply Quote 0
                                  • stephenw10S
                                    stephenw10 Netgate Administrator
                                    last edited by

                                    Yup, I noted that while doing exactly this.Ā  Jimp added it: https://github.com/pfsense/pfsense/commit/c1f1072e147e2b77fc1bbf7d6230267b9d340c83

                                    Steve

                                    1 Reply Last reply Reply Quote 0
                                    • Y
                                      ysdtkhr
                                      last edited by

                                      Steve

                                      I'm using on NAT-T

                                      The WAN interface is behind NAT

                                      Written by jimp
                                      –---
                                      Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.

                                      Registering floating while looking at errors that occur every time you communicate, such as SMB and RDP, was hard work

                                      After enabling System / Advanced / Firewall & NAT / Disable Firewall, VPN communication was done without registering a floating

                                      It is possible because the WAN interface is behind NAT

                                      ysdtkhr

                                      1 Reply Last reply Reply Quote 0
                                      • stephenw10S
                                        stephenw10 Netgate Administrator
                                        last edited by

                                        Yes, this does seem to be caused by or a symptom of the WAN being behind NAT.

                                        Progress on this will be reported on the bug: https://redmine.pfsense.org/issues/7015

                                        Steve

                                        1 Reply Last reply Reply Quote 0
                                        • w0wW
                                          w0w
                                          last edited by

                                          Looks like it fixed on latest snapshot.

                                          1 Reply Last reply Reply Quote 0
                                          • stephenw10S
                                            stephenw10 Netgate Administrator
                                            last edited by

                                            Great, thanks for the feedback.Ā  :)

                                            Steve

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.