wan -- pfsense -- Juniper SRX ipsec not working.
-
I had to re-do the rules since I wiped everything to start fresh. I currently have ESP and AH disabled in the screenshots.
but here is what I got.
NAT Rules
4500
and the associated firewall rule.
Nat rule for port 500
Associated rule for 500
-
@virtualliquid
Hey
and what device is trying to connect to Juniper ?
Very strange, src port = 4500 / dst port random (or missing) -
I am not certain of the device on the other end it is one of our large data centers that host multiple vpn concentrators. I would imagine it is just another juniper on the other end as well.
-
Who initiated the connection ?
Little Juniper or big ?
It feels like PF is blocking traffic for the little Juniper that is going back -
took a new capture, same results. just filtered the source ip (office)
Every other one is the source of 4500 going to destination 39727 or some other random port.
-
@konstanti Little Juniper I believe initiates the connection. Since I keep restarting it (Power cycle)
-
@virtualliquid
Try so
/diagnostics/command prompt/ cat /tmp/rules.debug | grep LAN
and check.
is there a keep state when outputting
for example,pass in quick on $LAN inet from YOUR__LAN_NET to any tracker 0100000101 keep state label "USER_RULE: Default allow LAN to any rule"
-
there is a lot of keep states, might need to filter more.
Perhaps this rule ?
pass in quick on $WAN reply-to ( em0 xxx.xxx.xxx.1 ) inet proto { tcp udp } from any to 10.1.4.10 port 4500 tracker 1549481406 keep state label "USER_RULE: NAT Juniper SRX"
-
- Are there floating rules ?
- For a small Juniper is there a separate rule on the Lan interface ?
If yes , show it
If not , show the rules of the LAN nterface
-
cat /tmp/rules.debug | grep LAN
not WAN !!!
pass in quick on $LAN inet from YOUR__LAN_NET to any tracker 0100000101 keep state
or
pfctl -sr | grep em1
for example,
pass in quick on em1 inet from LAN_NET_IP to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule" -
Trying to post the output, but it keeps telling me its spam.
-
Best I can do is a picture of the output.
