One way traffic over IPSec tunnel
-
I'm am having the same issue. Traffic originating from location 1 flows to location 2 with no issues... but traffic originating from location 2 is stopped.. I have pfsense at location 1 and Sonicwall NSA at location 2. Hoping there are more answers forthcoming... my googlefoo finds that this issue happens frequently but nobody seems to have a good answer except 'it should create automatically', 'try manually creating rules', etc... the previous vpn between 2 sonicwalls worked fine.
I've manually created rules with no change.
-
Like the other poster, going to need more information than "I created the rules."
What rules? For what traffic? What is the IPsec configuration?
You can pcap on the IPsec interface and initiate a connection from the other side. See if the traffic is even arriving. If not, it's on the other side or something is not cuorrect with the tunnel itself.
-
I have to assume the tunnel is setup properly since I can RDP thru it from location1 to location2 with no issues. However, I can 'initiate' any traffic from location2 to location1.
Let's assume I created the tunnel and let the 'automatically' created traffic rules apply. Anything I need to do differently to get traffic to flow from location2 to location1 that I didn't need to do to allow traffic to flow from location1 to location2?
-
That could be firewall rules at the other side, or firewall rules on the IPsec tab.
It could also be the local host refusing connections from the remote site based on its own firewall configuration.
Like I said, a pcap will tell you more.
-
@showmemo said in One way traffic over IPSec tunnel:
Let's assume I created the tunnel and let the 'automatically' created traffic rules apply.
There are no automatically-created rules. You need to pass the traffic you wish to allow into the firewall from IPsec endpoints on the Firewall > Rules, IPsec tab.
-
@derelict I've created a 'Pass' any from any on the IPSEC tab, but it doesn't make any difference.
I also have 2 other VPN's setup from other locations to location1 and they all have the same issue... location1 to any is fine, any to location1 (via vpn tunnel) fails.
I can run a pcap, but everything points to the 1 issue - the pfsense firewall. The tunnels worked fine when I had a Sonicwall at location1, but once that was changed, and the tunnels re-established, the issue occurred.
-
Need more information to be able to have a chance at helping you.
You can, of course, choose not to provide it and forgo any meaningful assistance.
Either the other side is not sending the traffic to you or your firewall rules are incorrect.
How about starting by posting the IPsec firewall rules and at least a Status > IPsec with the Phase 2 networks expanded and a detailed description of what traffic is not working (source address, dest address, dest port, etc).
Packet capture on IPsec for the traffic and post that please.
-
interesting... I recreated the IPSEC rule for any to any, and it started working. I had done that and deleted it along with other rules.. maybe it was a timing thing.
I've been setting up routers/vpn tunnels for a long while (think ISDN) and this seemed overly difficult and inconsistent for a basic VPN tunnel setup... just my 2c
-
Maybe you set protocol TCP on the rule or something.
Impossible to say considering the lack of information provided.
-
@Derelict Here is the configuration on pfSense 2
And the route installed when IPSec tunnel established: