    IPSEC Port 500 Blocked.

    IPsec
TomT:

      Hi.

      I've got some IPSEC VPNs that have been running fine.

This morning we found they were down and, looking at the IPsec log, we couldn't see the IP addresses of the remote ends. Looking at the system firewall log I can see both IP addresses on port 500 are blocked.

I've cleared the states and restarted racoon; I've also tried applying Easy Rules... still the VPNs are down.

Any ideas how I can resolve this?
      Thanks

conor:

Obvious question: what is the device uptime, i.e. was there a restart?

        Apart from the basic stuff when you run a tcpdump on either end do you see traffic arriving on port 500?

        200+ pfSense installs - best firewall ever.

TomT:

pfSense is running and hasn't restarted.
Without the Easy Rules I see traffic from the two IP addresses being blocked in the firewall log.

If I add the Easy Rules the traffic isn't marked as blocked and I do see states set up, but no IPsec VPN is established.

I'm at a loss as to why pfSense was blocking in the first place and why, after adding the rules and restarting racoon, this isn't working.

          Thanks

Derelict (LAYER 8, Netgate):

            racoon? How old is this version of pfSense that is giving you IPsec trouble?

            Chattanooga, Tennessee, USA
            The pfSense Book is free of charge!
            DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

TomT:

              Hi

              pfSense is 2.3.5-RELEASE (i386)

              We seem to have had some luck.
              One VPN is up and connected for 18 hours.

              The other two come up and then disconnect after 20 seconds.
Any idea what would cause that?

              Thanks

Derelict (LAYER 8, Netgate):

> pfSense is 2.3.5-RELEASE (i386)

                You are not running racoon. You are running strongswan (charon). i386? It's 2018.

                I would guess the phase 1 is succeeding then the phase 2 is failing and one side or the other is subsequently deleting the phase 1.

                Impossible to tell without looking at the IPsec logs.

                Guidance:

                https://doc.pfsense.org/index.php/IPsec_Troubleshooting

                Chattanooga, Tennessee, USA
                The pfSense Book is free of charge!
                DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

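Derelict's hypothesis (phase 1 succeeds, phase 2 fails, then one side deletes the IKE_SA) and TomT's "up for 20 seconds, then down" symptom can both be checked mechanically against the IPsec log rather than by eye. The script below is an added example, not code from this thread, from pfSense or from strongSwan: it groups charon (strongSwan) log lines by connection name, records whether the IKE_SA and CHILD_SA came up, captures the first phase 2 failure message, and measures how long the IKE_SA lived before deletion. The sample log lines are constructed and only modelled on charon's wording; the connection names (siteA, siteB, siteC), addresses and SPIs are invented, and the failure markers are a small assumed list of notify names and messages rather than an exhaustive one.

```python
"""Correlate charon (strongSwan) log lines per IPsec connection.

Added example, not from the forum thread, pfSense or strongSwan. The
SAMPLE_LOG below is constructed (modelled on charon's message style); on
pfSense the real lines come from Status > System Logs > IPsec.
"""
import re
from datetime import datetime

# Constructed sample: connection names, addresses and SPIs are invented.
SAMPLE_LOG = """\
Jun 10 08:00:00 charon: 05[NET] sending packet: from 203.0.113.10[500] to 198.51.100.20[500]
Jun 10 08:00:01 charon: 07[IKE] <siteA|1> IKE_SA siteA[1] established between 203.0.113.10[203.0.113.10]...198.51.100.20[198.51.100.20]
Jun 10 08:00:01 charon: 07[IKE] <siteA|1> CHILD_SA siteA{1} established with SPIs c1a2b3d4_i e5f6a7b8_o
Jun 10 08:00:02 charon: 09[IKE] <siteB|2> IKE_SA siteB[2] established between 203.0.113.10[203.0.113.10]...192.0.2.30[192.0.2.30]
Jun 10 08:00:02 charon: 09[IKE] <siteB|2> received TS_UNACCEPTABLE notify, no CHILD_SA built
Jun 10 08:00:03 charon: 12[IKE] <siteC|3> IKE_SA siteC[3] established between 203.0.113.10[203.0.113.10]...192.0.2.40[192.0.2.40]
Jun 10 08:00:03 charon: 12[CFG] <siteC|3> no matching CHILD_SA config found
Jun 10 08:00:22 charon: 11[IKE] <siteB|2> deleting IKE_SA siteB[2] between 203.0.113.10[203.0.113.10]...192.0.2.30[192.0.2.30]
Jun 10 08:00:23 charon: 14[IKE] <siteC|3> received DELETE for IKE_SA siteC[3]
"""

# Only lines carrying a "<conn|id>" tag are attributed to a connection.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) charon: \d+\[\w+\] "
    r"<(?P<conn>[^|>]+)\|\d+> (?P<msg>.*)$"
)

# Assumed, non-exhaustive markers of a phase 2 (CHILD_SA) negotiation failure.
PHASE2_FAILURE_MARKERS = (
    "TS_UNACCEPTABLE",
    "NO_PROPOSAL_CHOSEN",
    "no matching CHILD_SA config",
    "no CHILD_SA built",
)


def _parse_ts(text):
    # Syslog timestamps carry no year; deltas within one day are still correct.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def _verdict(st):
    if not st["phase1"]:
        return "phase 1 never established (check the firewall log for UDP 500/4500 blocks)"
    if st["phase2"] and not st["deleted"]:
        return "tunnel up"
    if st["phase2_error"] and st["deleted"]:
        return "phase 2 failed, then IKE_SA deleted (compare phase 2 proposals and networks on both ends)"
    if st["phase2_error"]:
        return "phase 2 failed"
    if st["deleted"]:
        return "IKE_SA deleted"
    return "phase 1 up, phase 2 pending"


def analyze_charon_log(log_text):
    """Return {connection: state} with phase flags, first failure, lifetime, verdict."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # untagged line (e.g. raw packet traces): not tied to a connection
        ts, conn, msg = _parse_ts(m["ts"]), m["conn"], m["msg"]
        st = conns.setdefault(conn, {
            "phase1": False, "phase2": False, "phase2_error": None,
            "deleted": False, "established_at": None, "deleted_at": None,
        })
        if re.match(r"IKE_SA \S+ established", msg):
            st["phase1"], st["established_at"] = True, ts
        elif re.match(r"CHILD_SA \S+ established", msg):
            st["phase2"] = True
        elif any(marker in msg for marker in PHASE2_FAILURE_MARKERS):
            st["phase2_error"] = st["phase2_error"] or msg  # keep the first failure
        elif msg.startswith("deleting IKE_SA") or "received DELETE for IKE_SA" in msg:
            st["deleted"], st["deleted_at"] = True, ts
    for st in conns.values():
        if st["established_at"] and st["deleted_at"]:
            st["lifetime_s"] = (st["deleted_at"] - st["established_at"]).total_seconds()
        else:
            st["lifetime_s"] = None
        st["verdict"] = _verdict(st)
    return conns


if __name__ == "__main__":
    for name, st in analyze_charon_log(SAMPLE_LOG).items():
        life = "" if st["lifetime_s"] is None else f" (IKE_SA lived {st['lifetime_s']:.0f}s)"
        print(f"{name}: {st['verdict']}{life}")
        if st["phase2_error"]:
            print(f"  first phase 2 failure: {st['phase2_error']}")
```

On the constructed sample, siteA reports "tunnel up" while siteB and siteC each show a phase 2 failure followed by IKE_SA deletion about 20 seconds after establishment, which is the pattern to look for in a real log before comparing phase 2 settings (encryption, hash, PFS group, local and remote networks) on both ends.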