Netgate Discussion Forum

    IPSec traffic comes in, but never goes back out

    General pfSense Questions
    8 Posts 2 Posters 783 Views
      ssweeney

      Good morning,

      Looking for some guidance on an issue I am trying to solve.

      We have configured a new IPSEC VPN tunnel for a client. The VPN is up and when the client sends a telnet, I can see the traffic come in using packet capture, but we never see a response go out.

      My typical setup of this connection follows what I have done with other clients with the caveat of the specific P1 + P2 settings that need to be negotiated:

      • Create IPSEC VPN, (P1 + P2)
      • Under Firewall > Rules > IPSEC, create a rule allowing their incoming P2s to go up to their destination, (an AWS VPC)

      I set up a flow log in AWS VPC but I cannot see the traffic in the cloud so my assumption at this point is it is not being routed up. I confirmed I can see other clients.

      Observations:

      • If I search for the P2 address under Diagnostics / States, I get no results. I can find other clients.
      • Under Status > IPsec > SADs, I see entries for our P1s, both ways
      • Under Status > IPsec > SPDs, I see entries for our P2s, both ways
      • Under Diagnostics > pfTop, I cannot find the client's P2s; I can find other clients however

      Side Questions:

      • Would pfTop be the most general way to see current traffic across the firewall across all interfaces?

      Final thoughts:
      This week another client of ours had to do an urgent upgrade on their own firewall and the auto-migration of their VPN connections failed. When they reached out to us, we had to change the DH group on the P1 settings to correct. This made me think about dumbing down some settings to see if the VPN connection setup wasn't as successful as we believed. Providing this as food for thought.

      So, with all of this, thoughts on next steps?

      Thanks for any assistance that can be provided!

        stephenw10 Netgate Administrator

        So this is pfSense in AWS? Or remote pfSense connecting to AWS with IPSec directly?

        If you can see traffic coming into pfSense in a packet capture but there are no states created then the firewall rules are not matching it.

        Where were you running the pcap, which interface?

        Steve

          ssweeney

          The pfSense is on premise with a tunnel up to AWS.

          I will call the interface that the new tunnel's P1 was configured on, "OUT". The capture produces the following results on the given IP for the given interface:

          Using P1 IP:
          IPSEC : nothing
          OUT : traffic

          Using P2 IP:
          IPSEC : traffic
          OUT : nothing

          Thanks Steve

            stephenw10 Netgate Administrator

            Ok, those results are as expected. However if you are seeing the P2 IP in traffic in the IPSec tunnel I would expect a state to be present.

            @ssweeney said in IPSec traffic comes in, but never goes back out:

            The VPN is up and when the client sends a telnet, I can see the traffic come in using packet capture, but we never see a response go out.

            Where is the client sending that telnet request from? I'm reading that as though the client is trying to connect from some local subnet behind pfSense out to a resource in AWS via the VPN.
            But if that is the case then this is incorrect:

            @ssweeney said in IPSec traffic comes in, but never goes back out:

            Under Firewall > Rules > IPSEC, create a rule allowing their incoming P2's to go up to their destination, (an AWS VPC)

            A firewall rule to allow that traffic would need to be on the interface as it comes into pfSense. The traffic would be allowed out across the VPN by default.

            Steve

              ssweeney

              The client is at another organization. They connect over VPN to us and from there they have access to the AWS asset.

              Okay, I tried adding the rule I mentioned to the OUT interface but it doesn't seem to have changed anything.

              Is there a log that shows the failure of the telnet to route?

              Thanks!

                stephenw10 Netgate Administrator

                OK so this is actually two IPSec VPNs the traffic has to cross?

                In that case both IPSec tunnels will need P2s that match the traffic and existing P2s may not.

                It becomes more difficult to diagnose if both VPNs are using tunnel mode because all the states will be on the IPSec interface and packet captures would show traffic on both tunnels.

                But in that case the rule you specified is correct. You should at least see states opened for that.

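One way to check the point above mechanically, as an added example that is not from the thread or from pfSense itself: given each tunnel's Phase 2 (local network, remote network) pairs and the client-to-AWS flow, list the tunnels that have no P2 matching it. The tunnel names, networks and hosts are constructed sample values.

```python
# Added example (not from the thread or pfSense): for traffic that must cross
# two IPsec tunnels, check that every tunnel has a Phase 2 whose local/remote
# networks match the flow. All networks and addresses here are constructed.
from ipaddress import ip_address, ip_network

# Constructed sample: P2 entries as (local network, remote network) per tunnel.
# Tunnel 1: client site <-> our LAN.  Tunnel 2: our LAN <-> AWS VPC.
TUNNELS = {
    "client_to_us": [("10.50.0.0/24", "192.168.10.0/24")],
    "us_to_aws": [("192.168.10.0/24", "172.31.0.0/16")],
}

# The same tunnels with an extra P2 on each that carries the client network
# straight through to the VPC, i.e. what fixing "a missing P2" looks like.
FIXED_TUNNELS = {
    "client_to_us": TUNNELS["client_to_us"] + [("10.50.0.0/24", "172.31.0.0/16")],
    "us_to_aws": TUNNELS["us_to_aws"] + [("10.50.0.0/24", "172.31.0.0/16")],
}


def p2_covers(p2, src, dst):
    """True if a (local, remote) P2 pair matches src->dst in either direction,
    so the reply path is checked as well as the request path."""
    local, remote = ip_network(p2[0]), ip_network(p2[1])
    s, d = ip_address(src), ip_address(dst)
    return (s in local and d in remote) or (s in remote and d in local)


def missing_p2s(tunnels, src, dst):
    """Names of tunnels with no P2 matching the flow; [] means every hop has one."""
    return [name for name, p2s in tunnels.items()
            if not any(p2_covers(p2, src, dst) for p2 in p2s)]


if __name__ == "__main__":
    flow = ("10.50.0.20", "172.31.5.10")  # constructed: client host -> AWS host
    for label, cfg in (("as configured", TUNNELS), ("with added P2s", FIXED_TUNNELS)):
        gaps = missing_p2s(cfg, *flow)
        print(f"{label}: {'ok' if not gaps else 'no matching P2 on ' + ', '.join(gaps)}")
```

With the sample values the first configuration reports both tunnels as lacking a matching P2, which is the state in which no IPsec state would ever be created for the flow.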
                  ssweeney

                  Yes that is correct.

                  Let's imagine the traffic is definitely getting to our firewall: Are there any CLI commands you can think of that can assist in tracking down where it goes / gets dropped? Or a way to see if there are errors when trying to create the states?

                  Thanks!

                    stephenw10 Netgate Administrator

                    If you're able to I would check the packet counters on each tunnel. That does mean having no other traffic using it, which may not be possible.

                    I would bet this is a missing P2 though. Can we see what you have configured?

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.