IPSec One Way Communication… Sorta

borsaid · Dec 9, 2016, 5:04 AM

This has been driving me bananas… any tips on where I should be looking would be awesome!

Site A and Site B are linked with an IPSec VPN. The tunnel establishes and holds reliably. Site A can ping or access any device at Site B without any hesitation or hiccup. Site B can't ping or access Site A. I've tried pinging from pfSense to pfSense as well as from a device within Site B to a device within Site A.

Here's where things get wonky. If I ping a device from Site A to Site B, for the next 1-4 minutes Site B is able to access Site A without any problems. If I stop pinging or otherwise sending data from Site A to Site B for longer than 1-4 minutes, I'll stop being able to ping Site A from Site B. That is, until I open up the dialogue again from Site A first.
I've setup a Site A system to send a ping every second to Site B. The tunnel has remained completely stable for days with that ping running. I stopped the ping, waited 5 minutes, and was unable to access Site A from Site B.

During this whole exercise, the VPN tunnel never gets disconnected.

Site A has a dozen other IPSec tunnels coming into it that do not carry the same symptoms. Everything works as intended with those.
Site A and Site B are both running pfSense 2.3.2. Both have DPD configured and both are set to ping a device on the other network in the P2 config. I've tried messing with tons of the VPN configuration variables without any luck. No matter how I connect the IPSec tunnel, the symptoms persist.

I feel like I'm missing something trivial...

Derelict · Dec 9, 2016, 5:10 AM

If I ping a device from Site A to Site B, for the next 1-4 minutes Site B is able to access Site A without any problems.

Please define access as used in that sentence.

Firewall rules on Site A's IPsec tab?

borsaid · Dec 9, 2016, 5:14 AM

Please define access as used in that sentence.

Firewall rules on Site A's IPsec tab?

Access = Ping, VEEAM backups, pretty much anything I've thrown at it.

Site B IPSec firewall rules are wide open any to any.

Site A IPSec firewall rules limit what remote networks can access down to a handful of devices.

Keep in mind the other dozen or so tunnels are beholden to the same rules at Site A and have no issue getting to the allowed devices at any time.

Derelict · Dec 9, 2016, 5:34 AM

Well, if the other tunnels are working then you have to find out what's different about this one.

You're probably going to have to post screen shots of what you have done, not descriptions of what you think you have done.

Be as specific as possible including the specific IP addresses on each side.

LAN rules on both sides.

IPsec rules on both sides.

borsaid · Dec 9, 2016, 6:05 AM

Thank you. I was hoping to avoid that for now and get some hunches of where I should be looking. Posting configs would require me to sanitize and whatnot.

borsaid · Dec 10, 2016, 12:05 AM

Thank you so much for your help.

I kept cracking away at this and found my problem was with an ANY to ANY block rule on the WAN interface at Site A. Turns out there was another tunnel with the same symptoms, which helped point my finger at Site A.

Any idea why that (redundant) block rule on the WAN interface would have caused these symptoms?

Derelict · Dec 10, 2016, 7:51 AM

Without actually seeing the rule? No. But this is a guess:

The automatic rules the system places to pass IPsec traffic (UDP 500 & 4500 and ESP) do not have quick set so they can be overridden by a block rule on WAN. If you did not trust the default block rule and placed your own on LAN it is likely you were blocking the ESP traffic and it is also likely that site A had to be the initiator.

If you want to manually block any any on WAN you would also be responsible for manually passing IPsec traffic. The same would be true if you checked Disable Auto-added VPN rules in System > Advanced, Firewall & NAT.

When site A had traffic for site B a state was established that would enable two-way traffic. If that state expired site B could not establish a connection to site A because it was blocked there.

borsaid · Dec 12, 2016, 3:30 PM

Thanks again, your explanation makes a lot of sense and matches up against my symptoms and config.

I've been working a lot with MikroTiks which require manually setting block rules. When I didn't see the block rules in the pfSense GUI, I was just filling them in. That's my excuse and I'm sticking with it! Thanks again.