[almost solved] udp/500 not passing the firewall since change of WAN connection

  • Hi everybody,

    since the update to 2.3.1_5 an internal AirfyHotSpot-Router (https://s3.amazonaws.com/airfy-static/airfy_Instructions.pdf) cannot establish an IPsec connection through the firewall anymore. I've been banging my head against the wall for 2 days now :(.

    In the firewall logs I can see it's tcp/443 and udp/53 packets, but not udp/500, udp/4500.

    I've read https://doc.pfsense.org/index.php/Cisco_VPN_pass_through_not_working_when_behind_pfSense and several forum threads. Which means I set outbound NAT to manual and disabled any ISAKMP NAT rules.

    Anyhow I don't see any packets in the log. I really appreciate any idea for further ways of debugging.

    Many thanks,

  • Are you sure nothing else has changed?

    I've been setting up pfSense in various scenarios and also came across a point when my CISCO VPN was not working. Turned out to be the 'Deterministic Network Enhancer' no longer checked in the NIC configuration.

    Had another similar issue when installing the latest beta of Nmap, with the addition of the ncap driver.  Solved by uninstalling and re-installing a stable version.

    I can confirm I have CISCO VPN working on v2.3.1_p5.

    I would assume if you are not seeing the packets in the FW, they are being passed?

    Apologies if this info isn't relevant.

  • Many thanks for the response!

    I made the update to 2.3.1_5 while changing the WAN interface. It was a PPPoE-DSL-Connection before, now the pfSense receives a static IP via DHCP from a cable modem. I tested it with plugging back the PPPoE-Connection -> same result :(.

    If I directly plug the airfy router to the cable modem, it can establish an IPsec connection. So I guess the packets go out from that device, yes.

    What can I do to further debug this problem?

  • If I route the subnet's traffic to the former PPPoE WAN connection (firewall rule, gateway set in advanced settings) it works + I also see the traffic in the firewall log.

    So there must be a problem with the cable WAN connection :) Maybe traffic blocked or double NAT, I will contact the ISP.

    Just for my personal technical understanding:
    Why can't I see the udp/500 traffic passing the firewall, if there is a problem at the WAN site (e.g. NAT)?

  • Have you enabled the CISCO unity feature? - I think Chris had made a comment about this already.

    You don't see this traffic when you do a packet capture on your interfaces directly from pfsense?
