IPSec - 4G / LTE Enterprise Failover - Won't Work!
-
Hi All,
I have an enterprise-supported Plus IPSec firewall with P2 etc. to our remote site. It is 100% reliable. To mitigate the risk of retiring some old kit we've installed a failover to 4G, which I've done before and it worked. This time the 4G provider presents a CGNAT IP, and despite changing the IDs to FQDN it won't connect. The edge traffic to our HQ pfSense Plus passes through our DMZ, so I can see traffic attempts at the edge.
Basically I cannot get the 4G to negotiate the IPSec.
Looking on the DMZ I can see the traffic is from and to ephemeral ports, which I wasn't expecting.
The 4G is a fixed IP we own, so I allowed any protocol from that IP and port through to our internal firewall to test and log traffic. Nothing!
I am losing my mind (not quite), but I've tried a lot to get this working.
Any idea guys?
-
If one side is behind NAT then the tunnel can only be established outbound but it sounds like you are seeing it try that.
Did you change the remote IP to the CGNAT public IP at the HQ end?
What do you see in the IPSec logs at HQ when the remote side tries and fails to connect?
-
@stephenw10 Hi Stephen,
One thing that confuses me is that the existing fibre-to-fibre IPSec VPN comes through our edge DMZ with no visible rules. I am not so au fait with IPSec, it has to be said; SSL would need, and indeed has, rules through my perimeter FW.
Created a Dynamic DNS tied to the gateway group, so a failover at the remote site changes the IPs being targeted at both ends.
Changed the IPSec ID to the DDNS FQDNs; tested working with the primary fibre. So the FQDN in use will be correct when it tries to fail over, and they work when it isn't failed over. Interestingly enough, in my "widget" for the IPSec on the remote side it shows the CGNAT IP 10.x.x.x, not the eventual public IP.
The most puzzling thing I see is the ephemeral ports at both ends?
And yes, the DDNS does all the mapping, no IPs, and it is working.
Maybe it might be worth trying the IP without the failover, but if that works and the other doesn't it doesn't help me much.
Thanks mate! (Again) This is a Plus firewall btw.
-
SSL/OpenVPN doesn't add any sort of rules to allow traffic. IPSec adds rules by default to allow in IPSec traffic from configured remote IPs.
But it's possible to get a tunnel functioning even if the rules are disabled as long as both sides of the tunnel are attempting to establish and opening states outbound. That is because IPSec uses fixed source ports or ESP directly, so outbound states will match traffic coming from the other side.
However, since you're seeing ephemeral ports that implies NAT, so that cannot happen. One thing to check, if you're running HA, is that the firewall is not incorrectly NATing its own traffic.
If the remote side is set to use 'my IP' as its identifier it will send the internal CGNAT IP.
But check the logs. It will show a connection error and it's usually clear enough what the issue is.
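The NAT detection described in this reply is something IKEv2 itself performs (RFC 7296 section 2.23): each peer sends a SHA-1 digest of the SPIs plus the address and port it believes it is sending from, and the receiver recomputes the digest over the address and port the packet actually arrived from. The following added example (not from the thread or from pfSense) reproduces that check for the scenario above; the SPIs, the 10.x private address, the 203.0.113.7 public address and the ephemeral port are constructed sample values.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data per RFC 7296 s2.23:
    SHA-1( SPIi || SPIr || IP address (4 or 16 bytes) || port (16-bit big-endian) )."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_in_path(spi_i: bytes, spi_r: bytes, received_hash: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """Responder-side check: recompute the digest over the source IP/port the
    IKE_SA_INIT really came from. A mismatch means a NAT rewrote the 5-tuple."""
    return received_hash != nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)


def required_inbound_rules(nat_detected: bool) -> list:
    """Pass rules an in-path firewall (e.g. the DMZ pfSense in the thread) needs
    for the tunnel to establish: UDP/500 for IKE always; with NAT both IKE and ESP
    float to UDP/4500 (NAT-T), without NAT ESP is carried as protocol 50 directly."""
    return ["udp/500", "udp/4500"] if nat_detected else ["udp/500", "esp"]


# Constructed scenario: remote site behind CGNAT sends from 10.64.1.20:500 and
# hashes that address; the CGNAT rewrites it to 203.0.113.7 with an ephemeral port.
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)  # zero in IKE_SA_INIT request
REMOTE_PRIVATE_IP, REMOTE_PRIVATE_PORT = "10.64.1.20", 500
OBSERVED_PUBLIC_IP, OBSERVED_PUBLIC_PORT = "203.0.113.7", 41234

if __name__ == "__main__":
    sent = nat_detection_hash(SPI_I, SPI_R, REMOTE_PRIVATE_IP, REMOTE_PRIVATE_PORT)
    nat = nat_in_path(SPI_I, SPI_R, sent, OBSERVED_PUBLIC_IP, OBSERVED_PUBLIC_PORT)
    print("NAT detected:", nat)
    print("inbound rules needed on the DMZ firewall:", required_inbound_rules(nat))
```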
-
@stephenw10 Hi Stephen,
Indeed, but at the HQ end the traffic for the IPSec comes through the DMZ filters (no NAT). Filters are required for the SSL (road warrior MFA VPNs) and some SSL site-to-sites, but there are no rules for my IPSec traffic in the DMZ filters??
-
Those are in pfSense or some other firewall?
If something else then, yes, you would need rules there to allow inbound IPSec traffic. Otherwise it could only establish if the outbound states match, which is unlikely if you see ephemeral ports.
-
@stephenw10 Hi Stephen, the DMZ and the IPSec terminations (all) are pfSense.
-
Hmm, well you would need some rules to pass it inbound through pfSense. IPSec traffic of any type is blocked by default.
If it's opening states you should be able to see what rule is passing it.
But still the best option to diagnose IPSec issues is to examine the logs after a failed connection.
-
@stephenw10 Does it not connect out from HQ and therefore create a stateful connection like an SSL VPN? I cannot see any rules that allow it to work through the DMZ, yet it does? :) Go figure, as they say.
-
Yes, it will try if the remote side is configured as a single public IP. But behind CGNAT that usually isn't the case. It would work for the connection before failover as long as there is no NAT in place to change the source ports.