    ipsec rules not working

    zaber01:

      Hello, I have one concern. Actually I created the IPsec VPN between two pfSense boxes and everything is working fine. One of my local networks is 192.168.2.0/24 behind firewall A and the other is 192.168.1.0/24 behind firewall B. They are accessible to each other and working well.
      Now the problem is that I have to give access to FTP only in my IPsec tunnel, so that the PC behind firewall A can only take FTP from the PC behind firewall B.
      Whenever I am manipulating the rules under the IPsec tab like:

      Protocol- TCP
      Source-192.168.1.2/24 (PC of firewall A)
      Destination-192.168.2.2/24 (PC of firewall B)
      D.Port-21

      then the issue gets created and I am not able to make the FTP connection. I tried every possible variation, but the rule only works if I set everything to any.
      Note: this rule is created at firewall B only, where I want to take FTP.
      I only want to allow the FTP service in my IPsec tunnel.
      Can anyone help me please?

      stephenw10 (Netgate Administrator):

        What sort of FTP is it?

        You probably need to pass the data port range the server is using as well as port 21.

        Steve

        zaber01 @stephenw10:

          @stephenw10 I am using vsftp on an Ubuntu system. And according to my knowledge the data port used by FTP is 20, and for the connection it uses 21.
          So you mean I have to allow only port numbers 20 and 21 for FTP only.

          zaber01 @zaber01:

            @zaber01 I allowed both ports and am able to take FTP, but not able to transfer the file to the target machine.

            stephenw10 (Netgate Administrator) @zaber01:

              Nope, in addition to port 21 you need to pass the passive port range, for example 10000-20000, but that could be anything depending on how you've configured it.
              Also vsftp seems to use FTPS, so it needs port 990 as well for the encryption.

              See: https://www.howtoforge.com/tutorial/ubuntu-vsftpd/

              You should be able to see that traffic blocked in the firewall log though when you try to connect and it fails.

              Steve

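As an added illustration of Steve's point (not code from the thread or from pfSense/vsftpd): a small Python check that parses the PASV/EPSV reply an FTP server sends, computes the data port the client must reach, and tests it against a rule set of allowed destination-port ranges. The replies, the 10000-20000 passive range and both rule sets are constructed assumptions; the script also handles the extended EPSV form, which the thread does not mention.

```python
import re

# Server replies announcing the passive data port (constructed samples follow).
# RFC 959 PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", port = p1*256 + p2
# RFC 2428 EPSV: "229 Entering Extended Passive Mode (|||port|)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def passive_data_port(reply):
    """Return the TCP port a PASV/EPSV reply tells the client to connect to, or None."""
    m = PASV_RE.match(reply.strip())
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        return p1 * 256 + p2
    m = EPSV_RE.match(reply.strip())
    if m:
        return int(m.group(1))
    return None


def port_allowed(port, rules):
    """True if port falls inside any (low, high) destination-port range the rules pass."""
    return any(low <= port <= high for low, high in rules)


def check_passive_session(reply, rules):
    """Report whether a pass-rule set covers the control channel and the announced data port."""
    port = passive_data_port(reply)
    return {
        "control_allowed": port_allowed(21, rules),
        "data_port": port,
        "data_allowed": port is not None and port_allowed(port, rules),
    }


# Constructed vsftpd-style replies: (39*256)+16 = 10000, the bottom of a 10000-20000 range.
SAMPLE_PASV = "227 Entering Passive Mode (192,168,2,2,39,16)"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||10000|)"

# The thread's first attempt: only the control port and the active-mode data port.
RULES_20_21 = [(21, 21), (20, 20)]
# The fix described above: port 21 plus the server's configured passive range (assumed).
RULES_WITH_PASV = [(21, 21), (10000, 20000)]

if __name__ == "__main__":
    for name, rules in (("20+21 only", RULES_20_21), ("21 + passive range", RULES_WITH_PASV)):
        print(name, check_passive_session(SAMPLE_PASV, rules))
```

With only ports 20 and 21 passed, the control channel connects but the data connection to the announced port is refused, which is the "logged in but cannot transfer" symptom and what shows up as a blocked entry in the firewall log.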