FTP via ipsec working one way but not the other



  • I appreciate FTP is no longer recommended, but I have a need to use it across a VPN between two internal networks.

    I have an established site to site ipsec.  I am having trouble accessing an FTP Server on the remote end from my client which sits behind pf.

    FTP from the remote end toward my client's FTP Server works fine after adding a rule under fw -> ipsec to allow the remote IP to ftp to my client ip, and then adding a rule to allow port 20 from my local client to the remote under my LAN interface.  (attached screenshots 1 + 2)

    However, when I try to ftp to the remote side from my client, it shows 'connected to <ip>' and stops there.

    I do have the FTP_Client_Proxy 0.3_2 installed, and tested with my client as Windows command ftp, filezilla and Linux in active and passive modes.

    I'm not seeing anything in my firewall logs.

    Checking on the states, I see an established connection from my LAN interface to the remote (for the outbound connection), but then notice a Syn_Sent:Closed on my WAN interface (See screenshot 3), which is probably where the problem lies but I don't understand…

    What am I doing wrong or what is missing that is causing this return connection from the WAN address?

    Thanks,








  • Haven't yet worked this out…

    Any ideas why the reply to the initial FTP request has a source IP of the physical IP on my WAN Interface?  To the internet, the ISP NATs this to a global IP, but this isn't relevant I believe

    State of this reply:

    WAN -- tcp -- <wan ip>:42390 --> <remote ftp server ip across vpn>:21 -- SYN_SENT:CLOSED