Netgate Discussion Forum

    IPSEC block some return traffic

    IPsec
    2 Posts 1 Posters 461 Views
    andmattia

      Hi

      We have configured a site-to-site VPN that uses HTTPS and certificate exchange and we have the following problem.

      VPN 1.1.1.1 (ip public via the alias) -> 2.2.2.0/28 [internal network] -> NAT IPSEC 3.3.3.16/28 -> 4.4.4.128/28 remote network.

      If I try from all except one server, it does not go well but return traffic. The server that has the 2.2.2.5 address does not go, while if I try from 2.2.2.6 it works. Now the strangest thing is that if I invert the IP and MAC address between the two servers it does not work the same. The thing we do not understand is that we have tried both with Linux / Win 2012/2016 and the situation is always the same.

      pfSense is installed on Hyper-V and the machines are either on the same host or on different hosts.

      Looking at the firewall logs I see

      Action  Time             Interface  Source         Destination     Protocol
              Jul 26 16:43:43  IPsec      4.4.4.129      3.3.3.21        TCP:
              Jul 26 16:43:43  IPsec      4.4.4.129:443  3.3.3.21:61974  TCP: A

      I tried everything in the rules but it did not go.

      The strange thing is that if I try to do the EasyRule Add, it tells me the door is empty (the first IPsec rule is configured as any to any … but nothing to do). The traffic is blocked by block 1000000103.

      Any idea what it might be?

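      As an added illustration for readers of this thread (not code from the original post or from pfSense): a small Python script that parses the two firewall-log rows quoted above and classifies each blocked packet. It distinguishes a bare-ACK TCP segment arriving from the remote IPsec network for an address in the NAT pool (a reply to an existing connection that the firewall holds no state for) from a SYN refused by policy. The networks and log rows are the ones from the post; the column layout follows the GUI export shown there, and the flag letters (A = ACK, S = SYN) follow the pfSense firewall log display. The `insufficient` verdict for the first row is a constructed label for a row that records no TCP flags.

```python
import ipaddress
import re
from typing import Optional

# Networks taken from the post: the NAT pool applied to IPsec traffic and the remote network.
NAT_POOL = ipaddress.ip_network("3.3.3.16/28")
REMOTE_NET = ipaddress.ip_network("4.4.4.128/28")

# Constructed copy of the two GUI log rows quoted in the post.
# The Action column is omitted, as in the post (the GUI renders it as an icon).
SAMPLE_LOG = """\
Jul 26 16:43:43 IPsec 4.4.4.129 3.3.3.21 TCP:
Jul 26 16:43:43 IPsec 4.4.4.129:443 3.3.3.21:61974 TCP: A
"""

# One row: timestamp, interface, src[:port], dst[:port], proto: flags
LINE_RE = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s+"
    r"(?P<proto>\w+):\s*(?P<flags>[A-Z]*)\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log row, or None if the row does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return {
        "time": g["time"],
        "iface": g["iface"],
        "src": g["src"],
        "sport": int(g["sport"]) if g["sport"] else None,
        "dst": g["dst"],
        "dport": int(g["dport"]) if g["dport"] else None,
        "proto": g["proto"],
        "flags": g["flags"],
    }


def classify(pkt: dict) -> dict:
    """Attach a verdict and the reasons for it to a parsed blocked packet."""
    reasons = []
    reply_direction = (
        ipaddress.ip_address(pkt["src"]) in REMOTE_NET
        and ipaddress.ip_address(pkt["dst"]) in NAT_POOL
    )
    if reply_direction:
        reasons.append("remote network -> NAT pool: the direction replies to our outbound connections take")
    if pkt["sport"] is not None and pkt["dport"] is not None:
        if pkt["sport"] < 1024 <= pkt["dport"]:
            reasons.append("service port -> ephemeral port: looks like a server's reply")

    if pkt["proto"] != "TCP":
        verdict = "non_tcp"
    elif pkt["flags"] == "":
        verdict = "insufficient"
        reasons.append("no TCP flags recorded in this row")
    elif "S" in pkt["flags"]:
        verdict = "new_connection_blocked"
        reasons.append("SYN present: a new connection refused by the ruleset")
    elif "A" in pkt["flags"]:
        # An ACK without SYN belongs to an established connection. pf only logs it as
        # blocked when it holds no state for that connection (state created on another
        # path, expired, or never created), so the ruleset is consulted and denies it.
        verdict = "out_of_state_return" if reply_direction else "out_of_state"
        reasons.append("ACK without SYN: mid-connection segment the firewall has no state for")
    else:
        verdict = "other"

    return {**pkt, "verdict": verdict, "reasons": reasons}


def analyze(log_text: str) -> list:
    """Parse and classify every recognisable row of a GUI-style log export."""
    results = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            results.append(classify(pkt))
    return results


if __name__ == "__main__":
    for row in analyze(SAMPLE_LOG):
        print(f'{row["time"]} {row["src"]}:{row["sport"]} -> {row["dst"]}:{row["dport"]} '
              f'{row["proto"]}:{row["flags"] or "-"} => {row["verdict"]}')
        for reason in row["reasons"]:
            print(f"    {reason}")
```

      Run against the rows from the post, the second row is reported as `out_of_state_return`: a bare ACK from 4.4.4.129:443 towards 3.3.3.21:61974, i.e. the server side of an HTTPS connection answering a client behind the NAT pool, and the firewall has no state entry that would let it through without consulting the rules. Seeing that pattern, rather than a blocked SYN, is the cue to look at where the state for that connection was created and why it is missing on the path the reply takes.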
      andmattia

        After some analysis I see that on one client the handshake uses TLSv1.2, while all the others use SSL. I checked all the settings, but the Windows machines are quite similar…

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.