Netgate Discussion Forum

IPSec Site-Site - Problem with Oracle (port 1521)

    modelador
    last edited by Mar 13, 2025, 1:28 PM

    So we are a company in Brazil running pfSense 2.7.2-RELEASE (amd64).

    I had set up IPSec with our cloud provider so my LAN could access our two Linux VMs hosted there - one of them Oracle Linux.

    With our previous internet it was working fine. We changed the internet, the problems started.
    Both internets are dedicated, and we have a public IP address.

    In general, IPSec works - I can ping the VMs, I can SSH, etc.

    The problem starts with port 1521. I get the following error on DBeaver:
    ORA-17002: I/O error: Connection reset, Authentication lapse 0 ms.

    Other ports are also bugged, such as port 8180 - which is our application port.

    Here is a tcpdump when I try to connect:
    13:25:28.856683 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [S], seq 822910510, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    13:25:28.875982 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [S.], seq 732684003, ack 822910511, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
    13:25:28.876221 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 1, win 1026, length 0
    13:25:28.877146 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 1:283, ack 1, win 1026, length 282
    13:25:28.895197 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [.], ack 283, win 237, length 0
    13:25:28.909403 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1:9, ack 283, win 237, length 8
    13:25:28.918979 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 283:565, ack 9, win 1026, length 282
    13:25:28.937597 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 9:54, ack 565, win 245, length 45
    13:25:28.938243 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.U], seq 565:566, ack 54, win 1026, urg 1, length 1
    13:25:28.938336 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 566:577, ack 54, win 1026, length 11
    13:25:28.938872 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 577:610, ack 54, win 1026, length 33
    13:25:28.956920 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [.], ack 577, win 245, length 0
    13:25:28.957187 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 54:64, ack 610, win 245, length 10
    13:25:28.957197 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 64:258, ack 610, win 245, length 194
    13:25:28.962197 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, length 0
    13:25:28.962959 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], seq 610:2070, ack 258, win 1025, length 1460
    13:25:28.962983 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 2070:3381, ack 258, win 1025, length 1311
    13:25:28.981461 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [.], ack 3381, win 291, length 0
    13:25:28.982090 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1718:2963, ack 3381, win 291, length 1245
    13:25:28.982276 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, options [nop,nop,sack 1 {1718:2963}], length 0
    13:25:28.982277 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1656:2963, ack 3381, win 291, length 1307
    13:25:28.982508 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], ack 258, win 1025, options [nop,nop,sack 2 {1718:2963}{1656:2963}], length 0

    Any ideas?
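
A capture like the one in the post can be checked mechanically for byte ranges that never reach the capture point. The Python below is an added example, not part of the original post: it parses tcpdump text lines (a subset copied from the capture above) and lists gaps in each direction's sequence space; the function names `stream_gaps` and `report` are ours.

```python
import re
from collections import defaultdict

# Subset of lines copied from the capture in the post above.
CAPTURE = """\
13:25:28.957197 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 64:258, ack 610, win 245, length 194
13:25:28.962959 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [.], seq 610:2070, ack 258, win 1025, length 1460
13:25:28.962983 (authentic,confidential): SPI 0xc8dcdf75: IP 10.11.11.170.53500 > 172.17.24.11.1521: Flags [P.], seq 2070:3381, ack 258, win 1025, length 1311
13:25:28.982090 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1718:2963, ack 3381, win 291, length 1245
13:25:28.982277 (authentic,confidential): SPI 0xc03d22f7: IP 172.17.24.11.1521 > 10.11.11.170.53500: Flags [P.], seq 1656:2963, ack 3381, win 291, length 1307
"""

# tcpdump prints "seq start:end" only for segments that carry data;
# SYNs ("seq N") and bare ACKs do not match and are skipped.
SEG = re.compile(r"IP (\S+) > (\S+): Flags \[[^\]]*\], seq (\d+):(\d+),")


def stream_gaps(text):
    """Return {(src, dst): [(first_missing, next_seen), ...]} per direction."""
    segs = defaultdict(list)
    for line in text.splitlines():
        m = SEG.search(line)
        if m:
            segs[(m[1], m[2])].append((int(m[3]), int(m[4])))
    gaps = {}
    for flow, ranges in segs.items():
        ranges.sort()
        covered_to = ranges[0][1]          # end of the contiguous data so far
        holes = []
        for start, end in ranges[1:]:
            if start > covered_to:         # later data arrived, earlier did not
                holes.append((covered_to, start))
            covered_to = max(covered_to, end)   # overlaps/retransmits are fine
        gaps[flow] = holes
    return gaps


def report(text):
    """One human-readable line per missing range."""
    return [f"{src} > {dst}: bytes {a}:{b} ({b - a} bytes) not seen"
            for (src, dst), holes in stream_gaps(text).items()
            for a, b in holes]


if __name__ == "__main__":
    print("\n".join(report(CAPTURE)) or "no gaps")
```

Run against these lines it reports relative bytes 258:1656 from 172.17.24.11.1521 as not seen, which matches the SACK blocks the client sends in the last lines of the capture, while the client-to-server direction has no gap.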
