Netgate Discussion Forum

IPsec outbound traffic being blocked on IPsec interface

2.4 Development Snapshots
bradsm87, Sep 4, 2016, 11:24 PM

Since fresh installing the latest 2.4 build, weird stuff is happening with my IKEv2 mobile client VPN connection.

The client connects and both the phase 1 and phase 2 connections are up.

• ICMP traffic works (the mobile client can ping hosts on my LAN).

• TCP traffic gets blocked outbound on the IPsec interface. I can't connect via SMB or RDP. I can see the traffic being blocked outbound on IPsec in the firewall log.

I tried an allow-all rule on the IPsec interface and a floating rule for allow-all outbound on the IPsec interface and still no luck. It gets blocked and I can see the outbound blocking on the IPsec interface in the logs.
bradsm87, Sep 9, 2016, 8:32 AM

Can anyone confirm this issue?
bradsm87, Nov 15, 2016, 3:13 AM

This is still an issue. ICMP works but not TCP.
jimp (Rebel Alliance Developer, Netgate), Nov 16, 2016, 2:47 PM

Confirmed, https://redmine.pfsense.org/issues/6937
ysdtkhr, Dec 21, 2016, 1:04 AM

Hi

Please let me write about the phenomena reported here.

Apparently, the same phenomenon occurs not only for mobile communication but also for NAT-T communication.

In FreeBSD 11, the IPsec function was incorporated into the GENERIC kernel, but NAT-T seems to need a custom kernel as usual.

Please test with a custom kernel to which "options IPSEC_NAT_T" has been added.

Thank you
jimp (Rebel Alliance Developer, Netgate), Dec 21, 2016, 1:40 AM

Already there.

    : sysctl kern.conftxt | grep IPSEC
    options IPSEC_NAT_T
    options IPSEC
ysdtkhr, Dec 22, 2016, 4:52 AM

I understand that's right.
I thought it would be useful for solving bugs.
w0w, Dec 26, 2016, 1:34 PM

Is there a workaround?
jimp (Rebel Alliance Developer, Netgate), Dec 26, 2016, 1:34 PM

Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.
w0w, Dec 26, 2016, 1:42 PM

Thanks jimp! You are the best.
w0203j, Jan 12, 2017, 10:44 PM

@jimp:

    Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.

Any idea how to do so? Sloppy state: how do I set this?
Also, I don't see enc0; I only see the LAN, WAN and IPsec interfaces.
w0w, Jan 13, 2017, 3:43 AM

See attached. This one will be in Firewall->Rules->Floating->Add/Edit
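The floating rule jimp describes and w0w's screenshot shows, written out in pf.conf syntax as an added illustration (this is not a rule from the thread or from pfSense's generated ruleset; the interface name enc0 and the GUI field names are assumed from the thread and pfSense's floating-rule form):

```pf
# Strict rule (what a plain "pass any" floating rule amounts to): pf only
# creates the state on a SYN and then enforces TCP sequence/window tracking.
# Packets that do not line up with the tracked state are dropped, which the
# thread sees as outbound blocks logged on the IPsec interface.
pass out quick on enc0 inet proto tcp from any to any flags S/SA keep state

# Forgiving workaround rule: any TCP flags may create the state, and
# "sloppy" turns off pf's sequence-number and window checking for it.
# Equivalent GUI settings (Firewall > Rules > Floating > Add):
#   Action: Pass, Quick: checked, Interface: IPsec, Direction: out,
#   Protocol: TCP, Advanced Options -> TCP Flags: Any flags,
#   Advanced Options -> State type: Sloppy
pass out quick on enc0 inet proto tcp from any to any flags any keep state (sloppy)
```

Sloppy state also weakens pf's protection against out-of-window and spoofed segments on that path, so it is a workaround for traffic inside the tunnel rather than a setting to copy onto WAN-facing rules.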
w0203j, Jan 13, 2017, 1:11 PM

@w0w:

    See attached. This one will be in Firewall->Rules->Floating->Add/Edit

Thank you so much! It's all working now.

Still, it would be good to see 2.4 working without a workaround …
stephenw10 (Netgate Administrator), Jan 13, 2017, 6:27 PM

Anyone seeing this: if you check the states created for traffic across the VPN, do you see odd destination IPs?

Such as shown here: https://redmine.pfsense.org/issues/7015

And if so, what type of VPN are you using? Mobile IPsec? NAT-T? That would help to narrow down the cause here.

Steve
w0w, Jan 13, 2017, 6:46 PM

Steve, I have mobile IPsec running.
When I looked at Diagnostics/States/States, the first thing I found is that I cannot select IPsec as the interface, because it's not listed in the drop-down menu; but if I select 'all', I see IPsec in the list and it's full of odd IPs, there are a lot of them.
stephenw10 (Netgate Administrator), Jan 15, 2017, 10:40 PM

Yup, I noted that while doing exactly this. Jimp added it: https://github.com/pfsense/pfsense/commit/c1f1072e147e2b77fc1bbf7d6230267b9d340c83

Steve
ysdtkhr, Jan 25, 2017, 7:48 AM

Steve

I'm using NAT-T.

The WAN interface is behind NAT.

Written by jimp:

    Add some very forgiving floating rules outbound on enc0 that allow any TCP flags and use sloppy state.

Registering floating rules while looking at the errors that occur every time you communicate, such as with SMB and RDP, was hard work.

After enabling System / Advanced / Firewall & NAT / Disable Firewall, VPN communication worked without registering a floating rule.

It is possible because the WAN interface is behind NAT.

ysdtkhr
stephenw10 (Netgate Administrator), Feb 5, 2017, 12:19 PM

Yes, this does seem to be caused by or a symptom of the WAN being behind NAT.

Progress on this will be reported on the bug: https://redmine.pfsense.org/issues/7015

Steve
w0w, Mar 4, 2017, 8:04 PM

Looks like it's fixed on the latest snapshot.
stephenw10 (Netgate Administrator), Mar 5, 2017, 1:36 PM

Great, thanks for the feedback. :)

Steve