    WAN -- pfSense -- Juniper SRX IPsec not working.

    NAT (19 Posts, 4 Posters, 1.7k Views)
    • Derelict LAYER 8 Netgate

      Post your port forwards and rules. That traffic is obviously not being passed by a firewall rule or a state.

      Your NAT rule posted up there had source port 4500. You don't want that. The source port is random.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • virtualliquid

        I had to re-do the rules since I wiped everything to start fresh. I currently have ESP and AH disabled in the screenshots.

        But here is what I got.

        NAT rule for port 4500 [screenshot]
        Associated firewall rule for port 4500 [screenshot]
        NAT rule for port 500 [screenshot]
        Associated rule for port 500 [screenshot]

        • Konstanti @virtualliquid

          @virtualliquid
          Hey,
          and what device is trying to connect to the Juniper?
          Very strange: src port = 4500 / dst port random (or missing).

          • virtualliquid

            I am not certain of the device on the other end; it is one of our large data centers that hosts multiple VPN concentrators. I would imagine it is just another Juniper on the other end as well.

            • Konstanti @virtualliquid

              @virtualliquid

              Who initiated the connection?
              Little Juniper or big?
              It feels like PF is blocking the traffic for the little Juniper that is going back.

              • virtualliquid

                Took a new capture, same results. Just filtered the source IP (office).
                Every other one is the source of 4500 going to destination 39727 or some other random port.

                [screenshot of the capture]

                • virtualliquid @Konstanti

                  @konstanti Little Juniper, I believe, initiates the connection, since I keep restarting it (power cycle).

                  • Konstanti @virtualliquid

                    @virtualliquid
                    Try this:
                    Diagnostics / Command Prompt: cat /tmp/rules.debug | grep LAN
                    and check whether there is a keep state in the output, for example:

                    pass in quick on $LAN inet from YOUR__LAN_NET to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"

                    • virtualliquid

                      There are a lot of keep states; I might need to filter more.

                      Perhaps this rule?

                      pass in quick on $WAN reply-to ( em0 xxx.xxx.xxx.1 ) inet proto { tcp udp } from any to 10.1.4.10 port 4500 tracker 1549481406 keep state label "USER_RULE: NAT Juniper SRX"

                      • Konstanti @virtualliquid

                        @virtualliquid

                        1. Are there floating rules?
                        2. For the small Juniper, is there a separate rule on the LAN interface?
                           If yes, show it.
                           If not, show the rules of the LAN interface.
                        • Konstanti @virtualliquid

                          @virtualliquid

                          cat /tmp/rules.debug | grep LAN
                          not WAN!!!
                          pass in quick on $LAN inet from YOUR__LAN_NET to any tracker 0100000101 keep state
                          or
                          pfctl -sr | grep em1
                          for example:
                          pass in quick on em1 inet from LAN_NET_IP to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"

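A scripted version of the two checks the thread turns on (Derelict's warning about a source port set on the port forward, and Konstanti's check that the pass rules keep state), as an added example that is not from any poster here or from pfSense itself. The four rules in SAMPLE_RULES are constructed, modelled on the ones quoted above; on a real box you would feed the script the output of pfctl -sr and pfctl -sn instead.

```shell
#!/bin/sh
# Added example (not from the thread): lint a pf ruleset, as printed by
# `cat /tmp/rules.debug` or `pfctl -sr` / `pfctl -sn` on pfSense, for the two
# problems discussed above: a source port pinned on a NAT/pass rule, and a
# pass rule that does not track state.
# SAMPLE_RULES is a constructed sample modelled on the rules quoted in the thread.

SAMPLE_RULES='rdr on em0 proto udp from any port 4500 to xxx.xxx.xxx.1 port 4500 -> 10.1.4.10 port 4500
pass in quick on $WAN reply-to ( em0 xxx.xxx.xxx.1 ) inet proto { tcp udp } from any to 10.1.4.10 port 4500 tracker 1549481406 keep state label "USER_RULE: NAT Juniper SRX"
pass in quick on $WAN inet proto udp from any to 10.1.4.10 port 500 tracker 1549481407 no state label "USER_RULE: NAT Juniper SRX 500"
pass in quick on $LAN inet from 10.1.4.0/24 to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"'

# Rules whose "from ... to" clause carries a source port. IKE and NAT-T
# initiators pick a random source port, so such a rule only matches by accident.
source_port_rules() {
    printf '%s\n' "$1" | awk '{
        i = index($0, " to ")
        if (i > 0 && substr($0, 1, i) ~ / from .* port /) print
    }'
}

# Pass rules that create no state entry, so the far end's replies are run
# through the ruleset again instead of matching the existing session.
stateless_pass_rules() {
    printf '%s\n' "$1" | awk '/^pass / && !/(keep|modulate|synproxy) state/'
}

# Count lines in a string (0 for an empty string).
count_lines() {
    if [ -n "$1" ]; then printf '%s\n' "$1" | wc -l | tr -d ' '; else echo 0; fi
}

# Print the offending rules and a one-line summary.
lint_rules() {
    sp=$(source_port_rules "$1")
    st=$(stateless_pass_rules "$1")
    [ -n "$sp" ] && printf 'SOURCE PORT PINNED:\n%s\n' "$sp"
    [ -n "$st" ] && printf 'NO STATE TRACKING:\n%s\n' "$st"
    echo "$(count_lines "$sp") source-port rule(s), $(count_lines "$st") stateless pass rule(s)"
}

lint_rules "$SAMPLE_RULES"
```

On the sample, the rdr line is flagged for its pinned source port 4500 and the port 500 pass rule for "no state"; the two "keep state" rules pass clean.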
                          • virtualliquid

                            Trying to post the output, but it keeps telling me it's spam.

                            • virtualliquid

                              Best I can do is a picture of the output.

                              [screenshot of the output]

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.