IPsec Traffic Initiation Only Works In One Direction
-
I've been trying to wrap my head around an odd issue for a while now, and for reference I've setup quite literally 100s of IPsec site-to-site VPNs, so this isn't new to me.
I have a pretty simple IPsec VPN setup between Site A and Site B. Both phases will be up and Site B can not ping Site A, however, if Site A pings Site B first, then Site B can also ping just fine.
The Phase 2 is in Tunnel mode on both sides and both ends are pfSense (albeit one is pf Plus and the other is CE).
Below is all the info, anything not put here is default.
Site A:
- Phase 1
IKEv2 IPv4 WAN (it's actually a LAN in a lab) Remote GW: 10.100.10.51 Mutual PSK Both Identifiers are My/Peer IP AES256-GCM - 128 bits - SHA 512 - DH 21 Life Time 28800 DPD Enabled- Phase 2
Local Net: 10.10.12.0/24 (using built in subnet alias) No NAT Remote Net: 192.168.15.0 AES256-GCM - PFS Group 21 Life Time 3600 Periodic Keep Alive EnabledSite B
- Phase 1
IKEv2 IPv4 WAN (actually a LAN) Remote GW: 10.100.10.1 Mutual PSK Identifiers are My/Peer IP AES256-GCM - 128 bits - SHA512 - DH 21 Life Time 28800 DPD Enabled- Phase 2
Local Net: 192.168.15.0/24 No Nat Remote Net: 10.10.12.0/24 AES265-GCM - PFS Group 21 Life Time 3600 DPD EnabledI've put Any - Any rules on the LANs and IPsec tab of both sides just to make sure I wasn't crazy and somehow putting in the wrong subnets.
Host at 192.168.15.10/24 can not ping 10.10.12.0/24. However, 10.10.12.0/24 can ping 192.168.15.10. Once that state opens up, 192.168.15.10 is able to ping 10.10.12.0 at will, until the state times out.
This made me think it was a state table issue, but once I did more digging and pcaps, I discovered that the packets aren't even showing up on the IPsec tab (yet alone the LAN tab) of Site A when Site B tries to ping. So something is failing in the SPD or SAD checks as far as I can tell.
Any ideas here? I've been trying to figure this out for like 3 weeks, several forums posts and Reddit posts, even resorted to asking 3 different LLMs to no avail.
I manage some pretty large scale IPsec setups in production and have never experience this sort of thing on any of my pfSense firewalls so I'm not sure what is failing here and it almost feels like a bug?
-
To add a little more info, I entered this command.
pfctl -s states | grep 192.168.15And the results on Site A are no state entries for this subnet, so the states are 100% not being created, as I suspected.
I'm unsure at this point where in the IPsec setup this is failing. It seems to me the SPD check is failing but I'm unsure why.
-
I knew it had to be something stupid.
I had a block rule for "This Firewall" on my internal "WAN" interface (not a real WAN) which was causing the ESP packets to be dropped on that interface.
It's always simple stuff like that lol, after literally weeks and hours of troubleshooting thinking there is no way my config is wrong.
Anyway, if anyone finds this later, check that you don't have block rules on the interface that the ESP packets arrive on.
