bug found: ipsec vpn ipv4 and web management do not work together

nevolex · Jul 16, 2022, 7:29 AM

Hi all,

I am not sure how long this exists (on latest pfsense+ 22.05), I have an ipsec tunnel between 2 routers: using ipv4 addresses as tunnel end point ips

my pfsense is in the cloud and installed on the remote VPS, I can access it via public ip (obviously via trusted IPs that have been setup in the fw rules on pfsense ) the other end is my home and I am connecting from home.

I noticed that every time when I access it (pfsnse) the IP I am coming from is always ipv6, just being curious I disabled ipv6 stack from my network card and could not log in at all via ipv4.

Opened it from the other pc via ipv6, did packet capture: when I try to connect from my pc (same IP v4 as as the remote tunnel end from the pfsense perspective) I see 0 attempts in the logs:

These are the only logs I was able to see, there is no port 443 https logs at all, just port 500 for ipsec

19:09:12.395810 IP 109.107.xxx.xxx.500 (this is the pfsense side) > 121.99.xxx.xxx.500: UDP, length 80 (this is me from home pc)
19:09:12.702034 IP 121.99.xxx.xxx.500 > 109.107.xxx.xxx.500: UDP, length 80

======================================================

disabled ipsec tunnel on the pfsense, was immediately able to connect from pc on ipv4 to the remote pfsense

19:10:35.879707 IP 121.99.xxx.xxx.58635 > 109.107.xxx.xxx.443: tcp 0
19:10:35.879853 IP 109.107.xxx.xxx.443 > 121.99.xxx.xxx.58635: tcp 0

is that a bug?
thank you

nevolex · Jul 16, 2022, 9:12 AM

This post is deleted!

nevolex · Jul 16, 2022, 10:21 AM

doing pfctl -d does not help, so wouldn't be the firewall blocking it, looks like a genuine bug

stephenw10 · Jul 16, 2022, 1:38 PM

Seems more likely to be a routing problem. When you create an IPSec tunnel it adds a static route to the end point via whatever interface the tunnel is using. You probably have a conflict of some sort there.

Steve

nevolex · Jul 16, 2022, 9:45 PM

@stephenw10 said in bug found: ipsec vpn ipv4 and web management do not work together:

Seems more likely to be a routing problem. When you create an IPSec tunnel it adds a static route to the end point via whatever interface the tunnel is using. You probably have a conflict of some sort there.

Steve

Thank you for your support Steve, here is my configuration.
I am using 0.0.0.0/0 as local because Pfsense doesn't have a LAN network, as being a virtual appliance in the data centre. Essentially what I wanted to archive is to route all the traffic from my home fortigate (lan 10.10.10.0/24) via pfsense to the internet. It has been working fine, but yes, ipv4 management of the pfsense (via it's public ip address (as beeing a cloud device) is not working from my local side, but does work fine via ipv6, once ipsec runnel is down ipv4 management is working again

🔒 Log in to view

Thank you for any advice

nevolex · Jul 16, 2022, 10:27 PM

and those are my NAT rules on PFsense
🔒 Log in to view

nevolex · Jul 17, 2022, 8:52 PM

the issue has been fixed and was related to the routing configuration but on the Fortgate side, thanks guys!

marcosm · Jul 17, 2022, 8:52 PM

@nevolex

Thanks for the update, glad to hear it's fixed!