Netgate Discussion Forum

    IPSec Policy and Traffic Policy - Which is first? (kinda newbie question)

    IPsec
    4 Posts 3 Posters 1.9k Views
    offtheboxuser

      We're about to test a site-to-site VPN in IPsec tunnel mode.
      Should we assume that no traffic is allowed between these two sites before the IPsec tunnel (phase 1 and phase 2) has completed successfully and the SA is established?
      Is this configurable behaviour?
      Assuming there is an IPsec policy (which defines the tunnel configuration between the sites) and a traffic policy (which is the firewall policy for the traffic between these two sites), in what order do these two policies apply?

      Thank you

        focalguy

        I'm not sure I understand your question. If the IPsec tunnel connection is not finished, there can be no communication over the tunnel by the firewalls or any devices behind them. Once the tunnel is up, any firewall rules you have defined for IPsec will take effect.

          offtheboxuser

          This is the test I've been doing, and it is leaving me confused:

          Host1---(Subnet1)----VPNServer01------VPNServer02------(Subnet2)---Host2

          Assume a site-to-site IPsec VPN (tunnel mode) scenario joining two subnets.

          Test 1:
          step 1: The IPsec tunnel is successfully established between the two VPN servers.
          step 2: ICMP traffic between the two hosts is OK.
          step 3: IPsec is stopped on VPNServer01.
          step 4: ICMP traffic between the two hosts stops.

          Test 2:
          step 5: The IPsec services are stopped on both VPN servers.
          step 6: ICMP traffic between the two hosts is OK (the ICMP traffic is not encrypted, just plain ICMP without encryption).
          step 7: IPsec is started only on VPNServer01 (IPsec on VPNServer02 remains stopped).
          step 8: ICMP traffic between the two hosts carries on normally.

          Question:
          Why is the ICMP traffic not being stopped at step 8 in test 2?
          Is this behaviour configurable? How?
          How can I get traffic between these two subnets to be stopped whenever the IPsec tunnel is not established?

          Thanks

            spiritbreaker

            Hi,

            What about step 6? There is something wrong... this is not possible with an inactive tunnel.

            Check your routing tables; maybe the packets get routed directly. Post your network config (site 1, site 2, WAN).

            Cya

            pfSense running at 11 locations
            - mobile OpenVPN and IPsec
            - multi-WAN failover
            - filtering proxy (SquidGuard) in bridge mode with ntop monitoring

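The failure mode in test 2 (steps 6 and 8) is a fail-open tunnel: the two LAN subnets stay reachable over a direct route while no SA exists, so the hosts' packets cross the WAN in cleartext. The check below is an added example written for this thread, not code from the original posts or from pfSense. It walks a WAN-side capture and flags every packet between the two LAN subnets that is neither ESP (IP protocol 50) nor NAT-T (UDP port 4500). The subnet ranges, the WAN addresses and the capture itself are constructed for illustration; the thread gives no addresses.

```python
import ipaddress
import struct

# Assumed values, not from the thread: the two LAN subnets behind the VPN
# servers and the servers' public WAN addresses.
SUBNET1 = ipaddress.ip_network("10.1.0.0/24")
SUBNET2 = ipaddress.ip_network("10.2.0.0/24")
WAN1 = "203.0.113.1"
WAN2 = "198.51.100.1"

ICMP, UDP, ESP = 1, 17, 50
NAT_T_PORT = 4500
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst


def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (no options, checksum left zero) for the sample capture."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def parse_ipv4(frame):
    """Return src, dst, protocol and L4 payload of an IPv4 packet, or None if not IPv4."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "payload": frame[ihl:total_len]}


def is_ipsec(pkt):
    """True for ESP or for UDP-encapsulated ESP (NAT-T on port 4500)."""
    if pkt["proto"] == ESP:
        return True
    if pkt["proto"] == UDP and len(pkt["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", pkt["payload"][:4])
        return NAT_T_PORT in (sport, dport)
    return False


def is_site_to_site(pkt):
    """True when the packet's own addresses are the two LAN subnets, i.e. it was not tunnelled."""
    s, d = pkt["src"], pkt["dst"]
    return (s in SUBNET1 and d in SUBNET2) or (s in SUBNET2 and d in SUBNET1)


def find_cleartext_leaks(frames):
    """Return (src, dst, proto) for every LAN-to-LAN packet seen on the WAN outside IPsec."""
    leaks = []
    for frame in frames:
        pkt = parse_ipv4(frame)
        if pkt and is_site_to_site(pkt) and not is_ipsec(pkt):
            leaks.append((str(pkt["src"]), str(pkt["dst"]), pkt["proto"]))
    return leaks


# Constructed WAN capture: two tunnelled packets (test 1, tunnel up), then the
# plain ICMP echo from Host1 to Host2 that test 2 shows leaking, then an
# unrelated LAN-local packet that the check must ignore.
ICMP_ECHO = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"
SAMPLE_WAN_CAPTURE = [
    build_ipv4(WAN1, WAN2, ESP, b"\x00\x00\x12\x34" + b"\x00" * 28),          # ESP, SPI + ciphertext
    build_ipv4(WAN1, WAN2, UDP, struct.pack("!HHHH", 4500, 4500, 40, 0) + b"\x00" * 32),  # NAT-T
    build_ipv4("10.1.0.10", "10.2.0.10", ICMP, ICMP_ECHO),                # cleartext leak
    build_ipv4("10.1.0.10", "10.1.0.1", ICMP, ICMP_ECHO),                 # stays inside Subnet1
]

if __name__ == "__main__":
    for src, dst, proto in find_cleartext_leaks(SAMPLE_WAN_CAPTURE):
        print(f"cleartext LAN-to-LAN packet on WAN: {src} -> {dst} proto {proto}")
```

On a live box the same check is a capture on the WAN interface filtered to the two LAN ranges with ESP and NAT-T excluded, for example `tcpdump -ni <wan-if> 'net 10.1.0.0/24 and net 10.2.0.0/24 and not (ip proto 50 or udp port 4500)'` with the assumed ranges above; any packet it prints is traffic that bypassed the tunnel, which is what spiritbreaker's routing-table question is getting at.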
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.