    IPSec and traffic blocked leaving the enc0 interface

    lshiry

      I have seen many similar posts on this, but nothing very recently and none seem to have been resolved.

      I am running version 2.4.1.  I have set up IPsec with a Palo Alto on the other end.  Both phase 1 and phase 2 succeed, and pings flow just fine in both directions.  The problem is when we try TCP traffic in either direction.  I currently have a wide open rule on the ipsec interface.  I can see in the logs that packets are allowed going into a hidden interface called enc0, but return packets coming out of enc0 are being blocked by this default rule:

      block out {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"

      I am certain there is no asymmetric routing problem and that I have rules in place that should allow the traffic through the tunnel.  I have tried every rule I can think of in the web console to allow the traffic, including ones that do not keep state.  There is no way for me to specify the enc0 interface in the web console.  I attempted to insert an "allow out enc0" rule in front of the default deny rules, but it does not accept it.  If I remark out the offending default deny out rule, everything works fine.

      Has anyone else experienced this and found a resolution?

      Derelict (Netgate)

        First, undo everything you have done.

        Second, examine which way the connections are being established.

        If they are being established from the other side of the tunnel, the rules to pass the traffic go on the IPsec tab.

        If they are established coming from local hosts, the rules to pass the traffic go on the interface on pfSense the connecting host first hits (i.e. LAN).

        As long as you haven't messed with the rules (such as turning off keep state), the state for the return traffic is established on the necessary interfaces automatically.

        Look at the states in Firewall > States. Filter on an interesting IP address such as the one making the connection. Attempt a connection and refresh the states.

        What do you see there?

        Packet Capture on IPsec (again filtering on interesting traffic) and try again? Stop the capture and examine. What do you see there?

        Do the same on the local interface (i.e. LAN).

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
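        The state check Derelict describes, as an added example that is not code from the thread or from pfSense. It assumes the output format of `pfctl -ss` on pfSense 2.4 (FreeBSD pf), where each state line begins with the interface name (or "all" for floating states), and it works on a constructed sample dump so it runs offline; on the firewall you would pipe the real `pfctl -ss` into the same functions. The hosts, interfaces and ports in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example for the Firewall > States check above; not code from the
# thread or from pfSense. Assumption: the dump is in `pfctl -ss` format
# (pfSense 2.4 / FreeBSD pf), one state per line, IPv4 only here:
#   <iface> <proto> <addr:port> -> <addr:port> <state>    (outbound state)
#   <iface> <proto> <addr:port> <- <addr:port> <state>    (inbound state)
# with "all" as the interface for floating states.

# Print every state that involves HOST (exact address match on either side).
# On the firewall:  pfctl -ss | states_for_host 10.0.0.5
states_for_host() {
    awk -v h="$1" '
        {
            # fields 3 and 5 are the two endpoints; strip the port before comparing
            split($3, a, ":"); split($5, b, ":")
            if (a[1] == h || b[1] == h) print
        }'
}

# Count the states for HOST; 0 means pf never created a state for that host.
count_states_for_host() {
    states_for_host "$1" | awk 'END { print NR }'
}

# Succeed (exit 0) only if HOST has a state on IFACE. This is the check the
# thread turns on: a connection traversing the tunnel should show one state on
# the interface it entered (e.g. lan) and a second one on enc0. If the enc0
# state is missing, packets leaving on enc0 are evaluated against the enc0
# rules instead of matching a state.
has_state_on() {
    iface="$1"; host="$2"
    states_for_host "$host" | awk -v i="$iface" '$1 == i { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample dump (not real output): 10.0.0.5 on the far side of the
# tunnel connected to LAN host 192.168.1.10:443, so pf holds an inbound state
# on enc0 and an outbound state on lan. 10.0.0.7 only has a state on lan.
SAMPLE_STATES='enc0 tcp 192.168.1.10:443 <- 10.0.0.5:51234       ESTABLISHED:ESTABLISHED
lan tcp 10.0.0.5:51234 -> 192.168.1.10:443       ESTABLISHED:ESTABLISHED
lan udp 10.0.0.7:40000 -> 192.168.1.20:53       MULTIPLE:MULTIPLE'

# Stand-alone demonstration on the sample; on pfSense replace the printf
# with `pfctl -ss`.
printf '%s\n' "$SAMPLE_STATES" | states_for_host 10.0.0.5
for h in 10.0.0.5 10.0.0.7; do
    if printf '%s\n' "$SAMPLE_STATES" | has_state_on enc0 "$h"; then
        echo "$h: state present on enc0"
    else
        echo "$h: no state on enc0 (traffic out enc0 is rule-evaluated, not state-matched)"
    fi
done
```

        To pair this with the packet captures Derelict asks for, the equivalent command-line capture on the decrypted tunnel interface is `tcpdump -ni enc0 host 10.0.0.5`, repeated on the LAN interface; compare which side shows the SYN and whether the SYN/ACK ever appears on enc0.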

        lshiry

          Thanks for the quick reply!

          I have tried wide open (ip any any) rules on both the ipsec interface and the LAN interface, and tested initiating connections in both directions.  It would always allow in to enc0 but "default deny out" of enc0.  I will set up to test again and get some state info and captures on the interfaces and post the results here.  It may take a couple of days to get time to do so.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.