IPSec & OSPF, ping YES, TCP No. OpenVPN & OSPF work as expected.
-
I've set up site to site VPN connections dozens of times and frequently use OSPF and multiple VPN paths across IPSec and/or OpenVPN.
I'm working on a new system on two Netgate 1541 appliances and need to do some iperf testing across the VPN to see which combinations of settings are ideal for IPsec and OpenVPN.
I configure the IPSec Phase 2 as VTI connections, then assign those to an Interface and use that Interface in OSPF.
This is all working and I can PING the remote firewall or remote hosts across the VPN connection, but I cannot make TCP connections across; for example, I can't pull up the pfSense web interface on the remote firewall.
I also have OpenVPN tunnels on these firewalls and I place them at a lower metric in OSPF, then I can pass ping traffic as well as TCP traffic, just fine.
I've never run into this and I've been banging my head against it all day and could use some help or advice on something else to check.
The reason I really need to get IPSec working, as opposed to just using OpenVPN is that these two firewalls will have 10 gigabit fiber WAN connections to each and I suspect that OpenVPN isn't going to give me as high of performance as IPSec should.
I am getting about 900 Mbps across OpenVPN with my two test laptops connected with gigabit interfaces. I have another machine on the way with 10 gig interfaces to test higher-than-1gbps connections.
I should also mention that with these IPSec tunnels, if I disable the VTI Phase 2 and create a standard tunnel Phase 2, I can pass traffic perfectly (ICMP and TCP). It seems to be related to IPSec and OSPF (via FRR) that things are falling down for some reason.
-
@cmcquistion_ This is an expected behavior. Take a look here https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-state-policy
-
@mgavrila said in IPSec & OSPF, ping YES, TCP No. OpenVPN & OSPF work as expected.:
@cmcquistion_ This is an expected behavior. Take a look here https://docs.netgate.com/pfsense/en/latest/config/advanced-firewall-nat.html#firewall-state-policy
Thank you!
This is the clue that I needed.
I wasn't completely sure how to create the "Rules with Floating Policy Se" referenced on that link, so instead I just changed my IPSec rule that was already in place for that interface (allow all) and changed the State Policy from Default to "Floating States".
Once I did that and did a Filter Reload, all my traffic is working as expected!
This is good to know. I have a lot of client firewalls that use IPSec and OSPF that are going to stop working when I upgrade their pfSense version unless I implement this change.
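The fix the thread arrives at, shown below in pf.conf notation as an added illustration (this is not a snippet from the thread, from Netgate, or from a pfSense config export). The interface name `ipsec1` and the two networks are assumed placeholders; the state options `if-bound` and `floating` are the ones documented in pf.conf(5), and pfSense exposes the same choice as the per-rule "State Policy" setting mentioned above.

```pf
# Added illustration, not from the thread or from pfSense itself.
# ipsec1 (an assigned IPsec VTI) and the two networks are placeholders.
lan_net    = "10.10.0.0/24"
remote_net = "10.20.0.0/24"

# Interface-bound: the state created by the first packet is tied to the
# interface that received it. Later packets of the same flow that arrive on
# or leave through another interface (e.g. a different OSPF-selected path)
# do not match the state and are dropped, which is what breaks TCP here.
pass in quick on ipsec1 inet proto tcp from $remote_net to $lan_net \
    keep state (if-bound)

# Floating: the state matches the flow on any interface, so a connection
# that is tracked across the VTI and another tunnel stays one state entry.
# Keep the rule itself as narrow as the site-to-site policy allows; the
# state option only changes how the state is bound, not what is permitted.
pass in quick on ipsec1 inet proto tcp from $remote_net to $lan_net \
    keep state (floating)
```

On pfSense you would not edit pf.conf by hand; the equivalent is the rule's State Policy option (Default, Floating, or Interface Bound) followed by a filter reload, as described in the reply above. To confirm what was actually loaded, `pfctl -sr` lists the active rules with their state options and `pfctl -ss` shows the current state table, so you can see whether the TCP states for the remote network are being created and on which interface.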