IPSec firewall rules, supposedly automatic, yet I seem to need to add them…



  • I've been having a hell of a time setting up a remote access IPSec IKEv2 VPN, but have it sorta working now…

    The pfsense book says:

    "When an IPsec tunnel is configured pfSense automatically adds hidden firewall rules to allow UDP ports 500 and 4500, and the ESP protocol from the Remote gateway IP address destined to the Interface IP address specified in the tunnel configuration. When mobile client support is enabled the same firewall rules are added except with the source set to any. To override the automatic addition of these rules, check Disable all auto-added VPN rules under System > Advanced on the Firewall/NAT tab. When that box is checked, firewall rules must be manually added for UDP 500, UDP 4500, and ESP to the appropriate WAN interface."

    I've confirmed that "Disable Auto-added VPN rules" is unchecked.

    But these automatic rules don't seem to be working, or don't exist, or something.

    If I add WAN rule passing my phone IP + IPv4 + any protocol, then I can connect to my VPN.  If I disable that rule (and make no other changes), then I can't connect to my VPN.

    Are those docs current?  Should there be automatic rules?  If so, how do I debug them?

    Thanks,

    Sean


  • Rebel Alliance Developer Netgate

    The docs are current and the rules are still made.

    They do go at the end of the ruleset though, so if you have something silly like a manual "block all" rule then it could prevent them from being hit.

    Check in /tmp/rules.debug and look for the "# VPN Rules" section.

    They are ordered that way so your manual rules can override the automatic VPN rules if you want. But if you have something else that is blocking too much traffic they'd never be hit.