ENC0 blocking when IPsec is open



  • My Active Directory will not populate from my trusted domain through my IPsec tunnel.

    Each time I try to pull objects out of my remote domain, my pfSense logs show this (my WatchGuard is on 192.168.2.2, my pfSense (70...48) = 192.168.1.2):

    Sep 14 19:35:02 NG0 206.111.140.12 70...48 ICMP
    Sep 14 19:35:02 NG0 206.111.140.12 70...48 ICMP
    Sep 14 19:35:01 NG0 206.111.140.12 70...48 ICMP
    Sep 14 19:34:47 WAN 192.168.1.50 224.0.0.1 IGMP
    Sep 14 19:33:46 WAN 192.168.1.50 224.0.0.1 IGMP
    Sep 14 19:32:46 WAN 192.168.1.50 224.0.0.1 IGMP
    Sep 14 19:32:00 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
    Sep 14 19:31:54 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
    Sep 14 19:31:48 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
    Sep 14 19:31:46 WAN 192.168.1.50 224.0.0.1 IGMP
    Sep 14 19:31:42 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
    Sep 14 19:31:30 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
    Sep 14 19:31:25 NG0 208.93.105.8 70...48 ICMP
    Sep 14 19:31:25 NG0 208.93.105.8 70...48 ICMP
    Sep 14 19:31:24 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
    Sep 14 19:31:24 NG0 208.93.105.8 70...48 ICMP
    Sep 14 19:31:18 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
    Sep 14 19:31:13 ENC0 192.168.2.2:1435 192.168.1.2:389 UDP
    Sep 14 19:31:12 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP

    When I remove my pfSense box and hook up my WatchGuard I have no issues. The objects populate. Can someone please tell me how to create a rule to allow this to pass? I am stumped; I've been working on these rules for a long time and I just don't know what else to try.

    Any advice is greatly appreciated.

    Even when I set all to all, any to any, the logs are similar.


  • Rebel Alliance Developer Netgate

    Double check your rule on IPsec. Is it really an any/any rule, or is the protocol set for TCP instead of any?

    All of the blocks on enc0 are UDP, which makes me think that your rule on the IPsec interface is not set to allow UDP.
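As an added illustration of that diagnosis (not part of the original thread), the script below parses pfSense firewall log lines in the format the poster quoted and counts the blocks per interface by protocol and destination port, so you can see at a glance which protocols the rule on the tunnel interface must allow. The field layout (timestamp, interface, source, destination, protocol) is an assumption taken from the excerpt above, and the sample lines are constructed from it.

```python
import re
from collections import Counter

# Constructed sample, copied in the shape of the log excerpt in the post.
SAMPLE_LOG = """\
Sep 14 19:34:47 WAN 192.168.1.50 224.0.0.1 IGMP
Sep 14 19:32:00 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
Sep 14 19:31:54 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
Sep 14 19:31:13 ENC0 192.168.2.2:1435 192.168.1.2:389 UDP
Sep 14 19:31:12 ENC0 192.168.2.34:1041 192.168.1.103:161 UDP
"""

# Assumed layout: "<Mon> <day> <hh:mm:ss> <iface> <src>[:port] <dst>[:port] <proto>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<iface>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? (?P<proto>\S+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # ICMP/IGMP entries carry no ports; keep them as None rather than failing.
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize_blocks(text, iface="ENC0"):
    """Count blocked flows on one interface, keyed by (protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["iface"].upper() == iface.upper():
            counts[(rec["proto"], rec["dport"])] += 1
    return counts


def protocols_needed(text, iface="ENC0"):
    """Protocols that the pass rule on `iface` would have to cover to stop these blocks."""
    return sorted({proto for proto, _ in summarize_blocks(text, iface)})


if __name__ == "__main__":
    for (proto, dport), n in summarize_blocks(SAMPLE_LOG).most_common():
        print(f"ENC0 {proto} dport={dport}: {n} blocked")
    print("protocols to allow on ENC0:", protocols_needed(SAMPLE_LOG))
```

On the sample, every ENC0 block is UDP (SNMP on 161 and LDAP on 389), which is what a TCP-only or missing rule on the IPsec interface would produce.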



  • Do I need to create any IPsec rules? Any computer that connects through IPsec I have authorized anyway, therefore I allow them full access to the system?

    Don't rules just start adding restrictions? So if I had no rules listed, would it be fully open for anyone connecting through IPsec?

    Or by default are the common ports blocked?

    Thanks


  • Rebel Alliance Developer Netgate

    Everything is blocked by default.

    If you want to allow access in across the tunnel, you need rules on the tunnel interface.

