ipsec rules not working

zaber01 · Dec 19, 2020, 11:50 AM

hello , I have one concern . Actually I created the ipsec vpn between two pfsense and every thing is working fine. My one local network in 192.168.2.0/24 behind of firewall A and other is 192.168.1.0/24 behind firewall B. They are accessable to each other and working good.
Now the problem is that , I have to give the access of FTP only in my ipsec tunnel so that PC of firewall A can only take the FTP of PC of firewall B .
Whenever I am manipulating the rules in under ipsec tab like:

Protocol- TCP
Source-192.168.1.2/24 (PC of firewall A)
Destiation-192.168.2.2/24(PC of firewall B)
D.Port-21

then the issue get created and I am not able to take the ftp connection.I tried every possible variation but rule only work if I do all thing to any.
Note(This is rule is created at Firewall B only ; where I want to take FTP).
I only want to allow FTP service in my ipsec tunnel
Any one can help me please.

stephenw10 · Dec 19, 2020, 12:01 PM

What sort of FTP is it?

You probably need to pass the data port range the server is using as well as port 21.

Steve

zaber01 · Dec 19, 2020, 12:11 PM

@stephenw10 I am using vsftp on ubunut system. And according my knowledge data port used by ftp in 20 and for connection it uses 21.
So u you mean i have to allow only 20 and 21 port number for only FTP.

zaber01 · Dec 19, 2020, 12:23 PM

@zaber01 I allowed both port and able to take ftp but not able to transfer the file to the target machine.

stephenw10 · Dec 19, 2020, 12:43 PM

Nope in addition to port 21 you need to pass the passive port range, for eaxmple 10000-20000 but that that could be anything depending on how you've configured it.
Also vsftp seems to use ftps so needs port 990 also for the encryption.

See: https://www.howtoforge.com/tutorial/ubuntu-vsftpd/

You should be able to see that traffic blocked in the firewall log though when you try to connect and it fails.

Steve