No Outgoing VPN Traffic possible (Site-to-End)

  • Hey guys,

    I have installed my new pfSense firewall, but I have a big problem with outgoing IPsec traffic. It seems to get blocked by the pfSense.
    I use a Shrew Soft IPsec client on my PC to connect to a remote network. This always worked without problems until I installed my new pfSense firewall.
    Now I am not able to connect to the VPN anymore, because the Shrew Soft IPsec client just tells me that a timeout occurred.
    In my pfSense there is the default firewall rule "LAN to Any", which should allow all outgoing traffic initiated by the LAN, but it still blocks my VPN connection.
    When I use a hotspot with the LTE connection of my phone, the VPN client connects without any problems.
    Any ideas what the problem could be?
    I think traffic must be blocked by the pfSense, because with the old Fritzbox instead of the pfSense the VPN works.

  • Show your firewall rules.

  • @chpalmer

    At the moment I have blocked everything incoming on the WAN interface, and for the LAN interface I have everything allowed outgoing (outgoing default allow-all rule).
    But something really strange happened:
    I saw in the firewall log that incoming packets on the WAN interface on port 31286 from the IP network I tried to connect to were blocked by the deny-any-any rule of my pfSense. So for testing purposes I allowed protocol Any to the destination of my WAN interface from source (IP of the remote network I tried to connect to).
    After setting this I could use the VPN without problems. A few minutes later I deleted the above-mentioned rule, saved the configuration and tested it again, and the VPN still worked.
    Even after rebooting my pfSense I can still connect to the remote network via VPN now.

    I can't explain what the problem was at all, but I have an assumption.
    A few hours ago I tried to set up a site-to-site VPN to the same remote network, which didn't work.
    Could it be that the remote network's IP got blacklisted or something like that because of too many failed connection attempts, and setting the firewall rule removed the IP from the blacklist? Does pfSense even have something like a blacklist built in? I haven't installed any packages at all at the moment.

  • Basic:
    In-state traffic is allowed to return. If your client goes out looking, then the return traffic can come back.

    If you have open states while you attempt to block with a rule, or you delete a rule, the state remains and traffic can keep flowing until the connection ceases for whatever reason.

    A little more advanced:
    In order for an IPsec VPN connection to connect, both sides have to have incoming rules on their WAN, according to what I know of IPsec.

    I'm not sure how one would use an IPsec VPN on a network they do not control (coffee shop WiFi, cellular LTE, etc.). But I don't do a lot of IPsec.

    I'm generally using OpenVPN connections for both site-to-site and "road warrior" setups.

  • @chpalmer

    Yeah, that's what SPI firewalls do: they check whether incoming connections on WAN were initiated from the LAN interface first, and if so they will pass them through. On a site-to-end IPsec VPN my client initiates the connection, so I didn't understand why the incoming packets from the remote network got blocked.

    For the site-to-site VPN I did set IPsec firewall rules for incoming traffic from the remote network, but I still didn't get it working with the Fritzbox on the other side.
    But that's another thing I will try again later; first I would really like to understand why the site-to-end VPN (with the VPN client on the PC) didn't work until I set the incoming firewall rule (and why it is still working now, after the rule got deleted).
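An added illustration, not part of the thread and not pfSense's own code, of the state behaviour chpalmer describes and the sequence reported in the two posts above: a toy stateful filter in Python where a passed packet creates a state, the reverse flow matches that state, a packet matching no state and no pass rule hits the default deny, and states survive the deletion of the rule that created them. The addresses 203.0.113.5 (WAN side after NAT) and 198.51.100.7 (remote peer) are constructed; UDP 500 and 4500 are the standard IKE and NAT-T ports.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass(frozen=True)
class Flow:
    """One direction of a UDP/TCP flow: the 5-tuple pf keys its states on."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)

class StatefulFirewall:
    """Minimal model: per-interface pass rules, default deny, state table."""
    def __init__(self) -> None:
        self.rules: Dict[str, List[Callable[[Flow], bool]]] = {"lan": [], "wan": []}
        self.states: Set[Flow] = set()

    def add_rule(self, iface: str, match: Callable[[Flow], bool]) -> None:
        self.rules[iface].append(match)

    def remove_rule(self, iface: str, match: Callable[[Flow], bool]) -> None:
        self.rules[iface].remove(match)   # deleting a rule does NOT flush states

    def packet(self, iface: str, flow: Flow) -> str:
        if flow in self.states or flow.reverse() in self.states:
            return "pass (state)"         # either direction of a known flow
        for match in self.rules[iface]:
            if match(flow):
                self.states.add(flow)     # first passed packet creates the state
                return "pass (rule)"
        return "block"                    # default deny on every interface

def run_scenario() -> List[str]:
    """Replays the thread's sequence; returns the verdict for each packet."""
    fw = StatefulFirewall()
    fw.add_rule("lan", lambda f: True)                          # default "LAN to any"
    ike = Flow("udp", "203.0.113.5", 31286, "198.51.100.7", 500)  # constructed addresses
    natt = Flow("udp", "198.51.100.7", 4500, "203.0.113.5", 31286)
    allow_peer = lambda f: f.src == "198.51.100.7"              # the temporary WAN rule
    verdicts = [fw.packet("lan", ike),                          # client starts IKE
                fw.packet("wan", ike.reverse()),                # peer reply matches state
                fw.packet("wan", natt)]                         # no state, no WAN rule
    fw.add_rule("wan", allow_peer)
    verdicts.append(fw.packet("wan", natt))                     # rule passes, state created
    fw.remove_rule("wan", allow_peer)
    verdicts.append(fw.packet("wan", natt))                     # rule gone, state remains
    verdicts.append(fw.packet("wan", Flow("udp", "198.51.100.7", 4500, "203.0.113.5", 40000)))
    return verdicts                                             # a new flow is blocked again
```

The last verdict shows the limit of the state explanation: only flows that were active while the rule existed keep passing, so a reboot (which clears the state table) would not be covered by this model alone.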

