IPSec and traffic blocked leaving the enc0 interface
-
I have seen many similar posts on this, but nothing very recently and none seem to have been resolved.
I am running version 2.4.1. I have setup IPSec with a Palo Alto on the other end. Both phase 1 and phase 2 succeed, and pings flow just fine in both directions. The problem is when we try TCP traffic in either direction. I currently have a wide open rule on the ipsec interface. I can see in he logs that packets are allowed going into a hidden interface called enc0, but return packets coming out of enc0 are being blocked by this default rule:
block out {$log['block']} inet all tracker {$increment_tracker($tracker)} label "Default deny rule IPv4"
I am certain there is no asymmetric routing problem and that I have rules in place that should allow the traffic through the tunnel. I have tried every rule I can think of in the web console to allow the traffic, including ones that do not keep state. There is no way for me to specify the enc0 interface in the web console. I attempted to insert an "allow out enc0" rule in front of the default deny rules, but it does not accept it. If I remark out the offending default deny out rule, everything works fine.
Has anyone else experienced this and found a resolution?
-
First, undo everything you have done.
Second, examine which way the connections are being established.
If they are being established from the other side of the tunnel, the rules to pass the traffic go on the IPsec tab.
If they are established coming from local hosts, the rules to pass the traffic go on the interface on pfSense the connecting host first hits (ie LAN).
As long as you haven't messed with the rules (such as turning off keep state), the state for the return traffic is established on the necessary interfaces automatically.
Look at the states in Firewall > States. Filter on an interesting IP address such as the one making the connection. Attempt a connection and refresh the states.
What do you see there?
Packet Capture on IPsec (again filtering on interesting traffic) and try again? Stop the capture and examine. What do you see there?
Do the same on the local interface (ie LAN).
-
Thanks for the quick reply!
I have tried wide open (ip any any) rules on both the ipsec interface and the LAN interface, and tested initiating connections in both directions. It would always allow in to enc0 but "default deny out" of enc0. I will setup to test again and get some state info and captures on the interfaces and post the results here. It may take a couple days to get time to do so.