AT&T VPN client not able to connect

Firewalling
18 Posts 5 Posters 2.6k Views

nikkon

      Hi all,

I have a strange VPN passthrough issue.
The AT&T VPN client is not able to connect behind my pfSense firewall.
I believe the following ports need to be forwarded both in and out of the firewall:

      ESP, TCP 50
      AH, TCP 51
      ISAKMP, UDP 500
      PPTP, TCP 1723

On pfSense I use Outbound NAT set as: Automatic outbound NAT rule generation (IPsec passthrough included).
Also, in the firewall logs, if I filter for the source (client address in the local network) + blocked, I get nothing.
I also attached the pcap file, where the local client has 172.16.10.19.

Is there something I missed?

Thank you.

      packetcapture.zip

      pfsense 2.3.4 on Supermicro A1SRi-2758F + 8GB ECC + SSD

      Happy PfSense user :)

doktornotor

        @nikkon:

        ESP, TCP 50
        AH, TCP 51

Errr, these are not TCP ports. Those are protocol numbers. (And I'm not really sure what you are trying to do with PPTP there; that totally insecure crap should never be used for any VPN.)

nikkon

My bad :(
I only have OpenVPN and this.

I just found this link:
https://forums.att.com/t5/AGNC-Support/What-firewall-ports-do-I-need-open/td-p/4780010

The problem is why the connection is dropped. I suspect NAT, even if it is automatic in/out.

NogBadTheBad

Are you trying to connect to an AT&T VPN?

If so, you shouldn't need to add any firewall rules; I don't when I connect to my place of work's VPN services or our customers'.

I smell a double NAT going on here. Is your WAN address in the RFC 1918 range?

            Wish my speedtest was that good :(

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

nikkon

Yes, I try to connect to an AT&T VPN.

From the local network I do have Any to Any.
My WAN is PPPoE.
There is no other NAT there besides the Outbound Automatic IN/OUT.

The net is quite good and cheap in Romania :) I wish it were the same everywhere :)

nikkon

                @NogBadTheBad:

Are you trying to connect to an AT&T VPN?

If so, you shouldn't need to add any firewall rules; I don't when I connect to my place of work's VPN services or our customers'.

I smell a double NAT going on here. Is your WAN address in the RFC 1918 range?

                Wish my speedtest was that good :(

WAN address is OK, yes.

stephenw10 Netgate Administrator

                  AGNC appears to be a standard IPSec client. It should work behind pfSense with only the default allow rules in place. No incoming ports should be required.

                  Your packet capture does not show any IPSec traffic though. It looks like it's not actually trying to connect.

                  Steve

nikkon

When the AT&T client starts, it tries to connect to some peer servers and authenticate there.
I will try another capture tonight from the client machine itself.

nikkon

Here is the tcpdump from the client machine and pfSense at the same time.

                      tcpdump.zip

stephenw10 Netgate Administrator

                        Hmm, seeing no UDP port 500 or 4500 traffic there at all. However it looks like it's failing before it ever tries to actually connect the VPN:

                        NetClient   +I 05/23 21:41:38.885 1C5C: dbActionSendHTTPInternetProbe: HTTP internet probe is initiated. 
                        NetClient   +I 05/23 21:41:38.885 29E0: SendHTTPProbeThread: sending probe to '32.112.50.131'. 
NetClient   +I 05/23 21:41:38.893 29E0: SendRequest: HttpSendRequest failed with error 12029. 
                        

                        You can see that traffic in the packet capture at the client. The response is:

                        Expert Info (Chat/Sequence): HTTP/1.1 400 Bad Request\r\n
                        

                        However it looks like that is coming from Squid running in pfSense. Are you filtering that?

                        I don't know where you took the pfSense pcap but it looks like the WAN side. If that covers the complete connection attempt those http probes are never leaving so it looks like Squid/Squidguard is filtering them.

                        Steve

nikkon

The pfSense pcap is from the WAN interface.
Yes, I use Squid + SquidGuard. I used it before… but I may have some different settings now.

stephenw10 Netgate Administrator

                            Ok, then try disabling Squid as a test or add your client to the by-pass list.

                            Steve

nikkon

Problem 50% solved.
It's Squid blocking the connection.
Now I need to figure out how to bypass it or allow this connection.

nikkon

Problem solved 100%.
Thank you for all the hints & support.

stephenw10 Netgate Administrator

                                  Great.

                                  Were you able to open only the AT&T connection test servers? Can you post the allowed IPs that worked for you and exactly where you added them?
                                  That will help anyone else hitting this a lot.

                                  Steve

nikkon

Like always… things that look super complicated are very simple :-[
I just added the local IP as an exception in Squid:
Squid Proxy Server -> ACLs -> Unrestricted IPs -> added my AT&T client's local IP.
Then everything worked as expected.

johnpoz LAYER 8 Global Moderator

While that is a simple solution, to be sure, that is not the solution people would normally want. They would want to be able to access the thing that doesn't work through the proxy, while using the proxy for everything else. Your solution is pretty much just turning off the proxy for that client.

The proper solution would be to set up the proxy not to proxy connections to that specific destination for the VPN. The big question is what the destination netblocks of all the different possible connections are.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11
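To tie Steve's diagnosis from the NetClient log excerpt to the destination-scoped exception johnpoz describes, here is an added Python example (not code from the thread, from AT&T or from the pfSense Squid package). It parses NetClient lines in the format quoted above, flags the WinINet 12029 failure (ERROR_INTERNET_CANNOT_CONNECT) that fired before any IKE traffic, collects the HTTP probe targets, and renders a Squid ACL limited to those destinations instead of exempting the whole client. The sample log is constructed from the three quoted lines plus one extra probe line with a TEST-NET address; the ACL name `att_vpn_probe`, the function names and the verdict wording are assumptions of this example.

```python
"""Triage NetClient HTTP-probe failures and render a destination-scoped Squid bypass.

Added example, not part of the thread or the pfSense Squid package.
"""
import re
from ipaddress import ip_address

# Field layout of the NetClient lines quoted in the thread:
#   NetClient   +I 05/23 21:41:38.885 29E0: SendHTTPProbeThread: sending probe to '32.112.50.131'.
LOG_RE = re.compile(
    r"^(?P<component>\S+)\s+\+(?P<level>[A-Z])\s+(?P<date>\d\d/\d\d)\s+"
    r"(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<thread>[0-9A-Fa-f]+):\s+"
    r"(?P<func>\w+):\s+(?P<msg>.*?)\s*$"
)
PROBE_RE = re.compile(r"sending probe to '(?P<ip>[0-9.]+)'")
FAIL_RE = re.compile(r"HttpSendRequest failed with error (?P<code>\d+)")

# WinINet error codes; 12029 is the one the thread shows.
WININET = {
    12002: "ERROR_INTERNET_TIMEOUT",
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
}

# Constructed sample: the three lines quoted in the thread plus one extra probe
# line (192.0.2.10 is a TEST-NET address) added to show de-duplication of targets.
SAMPLE_LOG = [
    "NetClient   +I 05/23 21:41:38.885 1C5C: dbActionSendHTTPInternetProbe: HTTP internet probe is initiated. ",
    "NetClient   +I 05/23 21:41:38.885 29E0: SendHTTPProbeThread: sending probe to '32.112.50.131'. ",
    "NetClient   +I 05/23 21:41:38.893 29E0: SendRequest: HttpSendRequest failed with error 12029. ",
    "NetClient   +I 05/23 21:41:39.010 29E0: SendHTTPProbeThread: sending probe to '192.0.2.10'. ",  # constructed
]


def parse_line(line):
    """Split one NetClient log line into named fields; None if it is not in that format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Collect probe targets and WinINet failures, and state what the pattern points to."""
    targets, failures = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = PROBE_RE.search(rec["msg"])
        if m:
            ip = m.group("ip")
            ip_address(ip)  # raises ValueError on a malformed address rather than emitting a bad ACL
            if ip not in targets:
                targets.append(ip)
        m = FAIL_RE.search(rec["msg"])
        if m:
            code = int(m.group("code"))
            failures.append((rec["thread"], code, WININET.get(code, "UNKNOWN")))
    if targets and any(code == 12029 for _, code, _ in failures):
        verdict = ("HTTP probe failed with ERROR_INTERNET_CANNOT_CONNECT before any IKE traffic; "
                   "check inline HTTP proxies/filters on the path (Squid/SquidGuard in this thread)")
    elif failures:
        verdict = "HTTP probe failed; inspect the WinINet error code"
    else:
        verdict = "no probe failure seen"
    return {"probe_targets": targets, "failures": failures, "verdict": verdict}


def squid_bypass(targets, acl_name="att_vpn_probe"):
    """Render a Squid exception scoped to the probe destinations (ACL name is an assumption)."""
    lines = ["# destination-scoped exception (added example, not pfSense package output)"]
    for ip in targets:
        lines.append(f"acl {acl_name} dst {ip}/32")
    # Keep the URL rewriter (SquidGuard) off these requests, then allow them.
    lines.append(f"url_rewrite_access deny {acl_name}")
    lines.append(f"http_access allow {acl_name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["verdict"])
    for thread, code, name in result["failures"]:
        print(f"thread {thread}: error {code} ({name})")
    print(squid_bypass(result["probe_targets"]))
```

The generated `http_access allow` line only does its job if it sits above the package's deny rules, and in transparent mode pf still diverts port 80 to Squid, so keeping these connections out of the proxy entirely means excluding the destinations at the interception rule (the pfSense Squid package exposes a per-destination bypass for that). Whether a destination-scoped exception is enough also depends on why Squid answered the probe with 400 Bad Request, which the thread does not settle; the upside over the "Unrestricted IPs" workaround is that every other HTTP request from the client keeps going through the proxy and its filtering.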

nikkon

You're right!
This was just a simple & quick solution. I will try to get more data and identify the real issue.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.