PfSense IPSEC vs SonicWALL Global VPN



  • I guess this belongs in the IPSEC section.

    I am seeing some strange problems I'm hoping you guys can help diagnose. I'm stumped. My pfSense IPSEC VPN works 99%. DNS works. Everything except these two random issues. The kicker: if I disable my pfSense IPSEC VPN and just connect via the SonicWALL Global VPN Client (also IPSEC), both issues go away and everything is fine. I've tried packet capture on both the pfSense box and the SonicWALL and cannot see anything being blocked.

    PfSense Config
    pfSense 1.2.3 RC3 IPSEC VPN to SonicWall PRO 3060
    IPSEC Interface Firewall rules are set to allow everything (for testing).

    The Issues
    1. Office Communicator cannot do voice chats or send/receive files
    2. Outlook 2007 connected to Exchange 2007 will not download the Offline Address Book (everything else fine)



  • You will likely need to add some of the ports from this link

    http://technet.microsoft.com/en-us/library/bb870402.aspx

    to the firewall rules on the LAN interface for the Office Communicator. I'm sure that a search will tell you what you need to add for the address book. Even though everything is open on the IPSec interface, it does not mean that it is not getting blocked for your LAN. Since you are able to connect with the VPN client, then the other end of the tunnel should be fine. I would look at all of your firewall rules and log them along with logging the default deny rule listed on the Settings tab. This should help you to see what is getting blocked.



  • Alright so I've revisited this issue as it is still unresolved. So some updates.

    I have firewall rules on pfSense set to allow everything on all interfaces (testing).
    A colleague is using an IPSEC VPN from a Cisco PIX at home and his Communicator works fine.

    pfSense logging was giving me nothing useful. So I fired up the packet capture on the SonicWALL at the other end. File transfers from my house to the other end work. File transfers from the work side to my home don't. When I look at the packet capture I see something strange.

    209 9.216666 10.0.0.8 192.168.190.1 TCP cft-2 > 6891 [SYN] Seq=0 Win=65535 Len=0 MSS=1460

    10.0.0.8 is the OCS server.
    192.168.10.10 is my workstation.

    When I send a file transfer request I see the invitation on my workstation. So the packet is delivered. Then I click accept and all of a sudden the file transfer is trying to send to 192.168.190.1, which isn't on either network anywhere. So I can see the SYN but obviously no ACK is returned and the packet is dropped.

    What the hell is going on here? This isn't an overly complicated setup. The pfSense is barebones.



  • FIXED. I really should have thought of this sooner, but until I saw the packet was addressed wrong it never clicked in my head.

    The problem was I run VMware Workstation for development. The NAT driver was playing havoc. I still don't really understand what was happening, but the virtual NIC assigned to NAT just so happened to be 192.168.190.1. So I'm guessing somehow it was changing the source/destination of the packets meant for my 192.168.10.10 interface.

    Figured I'd update this in case anyone ever pulls their hair out like I was.
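The capture line above was the clue: the file transfer was addressed to 192.168.190.1, an address that belongs to neither the office network nor the home LAN (it turned out to be the VMware NAT adapter). The check below, added here as an example and not code from the thread or from pfSense, scans Wireshark-style capture summary lines and flags any packet whose source or destination falls outside the networks that should appear on the tunnel. The expected networks (10.0.0.0/8 and 192.168.10.0/24) and the sample capture lines are assumptions constructed from the addresses mentioned in the posts.

```python
import ipaddress
import re

# Assumption: networks expected on the tunnel, taken from addresses in the thread.
EXPECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # office side (OCS server 10.0.0.8)
    ipaddress.ip_network("192.168.10.0/24"),  # home LAN behind pfSense (192.168.10.10)
]

# Wireshark summary line: frame number, time, src, dst, protocol, info text.
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<info>.*)$"
)

def parse_line(line):
    """Return a dict for one capture line, or None if it does not parse as IP traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pkt = m.groupdict()
    try:
        pkt["src"] = ipaddress.ip_address(pkt["src"])
        pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    except ValueError:
        return None  # name-resolved or non-IP endpoint, skip it
    return pkt

def is_expected(addr):
    return any(addr in net for net in EXPECTED_NETWORKS)

def find_stray_endpoints(lines):
    """Return (frame, src, dst, info) for packets with an endpoint outside EXPECTED_NETWORKS."""
    stray = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if not (is_expected(pkt["src"]) and is_expected(pkt["dst"])):
            stray.append((int(pkt["no"]), str(pkt["src"]), str(pkt["dst"]), pkt["info"]))
    return stray

# Constructed sample capture; frame 209 is the line quoted in the thread.
SAMPLE_CAPTURE = """\
208 9.101234 192.168.10.10 10.0.0.8 TCP 52144 > 5061 [ACK] Seq=1 Ack=1 Win=65535 Len=0
209 9.216666 10.0.0.8 192.168.190.1 TCP cft-2 > 6891 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
210 9.230000 10.0.0.8 192.168.10.10 TCP cft-2 > 6891 [SYN] Seq=0 Win=65535 Len=0 MSS=1460
"""

if __name__ == "__main__":
    for no, src, dst, info in find_stray_endpoints(SAMPLE_CAPTURE.splitlines()):
        print(f"frame {no}: {src} -> {dst} ({info})")
```

Running it on the sample reports only frame 209, the SYN aimed at the VMware NAT address; a new unexpected address showing up this way is the cue to look at extra adapters on the endpoint before blaming the tunnel.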

