IPSec outbound traffic being blocked on IPSec interface
-
Since fresh installing the latest 2.4 build, weird stuff is happening with my IKEv2 mobile client VPN connection.
The client connects and both the phase 1 and phase 2 connection is up.
-
ICMP traffic works (The mobile client can ping hosts on my LAN)
-
TCP traffic gets blocked outbound on the IPSec interface. I can't connect via SMB or RDP. I can see the traffic being blocked outbound on IPSec in the firewall log.
I tried an allow all on the IPSec interface and a floating rule for allow all outbound on the IPSec interface and still no luck. It gets blocked and I can see the outbound blocking in the IPSec interface in the logs.
-
-
Can anyone confirm this issue?
-
This is sill an issue. ICMP works but not TCP.
-
Confirmed, https://redmine.pfsense.org/issues/6937
-
Hi
Please let me write about the phenomena reported here.
Apparently, the same phenomenon occurs not only for mobile communication but also for NAT-T communication.
In FreeBSD11, the IPsec function was incorporated into the Generic kernel, but NAT-T seems to need a custom kernel
as usual.
Please test with custom kernel which added "options IPSEC_NAT_T"
Thank you
-
Already there.
: sysctl kern.conftxt | grep IPSEC options IPSEC_NAT_T options IPSEC -
I understand that's right.
I thought it would be useful for solving bugs -
Is there a workaround?
-
Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.
-
Thanks jimp! You are the best.
-
Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.
Any idea how to do so? sloppy state how to set this?
Also I don't see enc0 only see lan wan and ipsec interface. -
See attached. This one will be in Firewall->Rules->Floating->Add/Edit
-
@w0w:
See attached. This one will be in Firewall->Rules->Floating->Add/Edit
Thank you so much! It's all working now.
Still would be good to see 2.4 working without work around …
-
Anyone seeing this if you check the states created for traffic across the VPN do you see odd destination IPs?
Such as shown here: https://redmine.pfsense.org/issues/7015
And if so what type of VPN are you using? Mobile IPSec? NAT-T? Helpful to narrow down the cause here.
Steve
-
Steve, I have mobile IPSEC running.
When I looked at Diagnostics/States/States, then the first thing that I have found is that I can not select IPSEC as interface just because it's not listed in the drop down menu, but if I select 'all' I see IPSEC in the list and it's full of odd IP's, there are a lot of them. -
Yup, I noted that while doing exactly this. Jimp added it: https://github.com/pfsense/pfsense/commit/c1f1072e147e2b77fc1bbf7d6230267b9d340c83
Steve
-
Steve
I'm using on NAT-T
The WAN interface is behind NAT
Written by jimp
–---
Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.Registering floating while looking at errors that occur every time you communicate, such as SMB and RDP, was hard work
After enabling System / Advanced / Firewall & NAT / Disable Firewall, VPN communication was done without registering a floating
It is possible because the WAN interface is behind NAT
ysdtkhr
-
Yes, this does seem to be caused by or a symptom of the WAN being behind NAT.
Progress on this will be reported on the bug: https://redmine.pfsense.org/issues/7015
Steve
-
Looks like it fixed on latest snapshot.
-
Great, thanks for the feedback. :)
Steve