Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    IPSEC One Way Traffic-ish (seems like a bug)

    IPsec
    2
    7
    3.7k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      m1dst
      last edited by

      Hi pf gurus.

      I really hope you can help put me out of my misery.

      I am using 2.0-RC3.

      I have setup a IPSEC VPN between our office and our remote data centre.  The tunnels come up fine.  I have added (while testing) an IPSEC rule to accept everything.

      If I ping a host at the data the traffic leaves the lan via the vpn and all is well.
      If I ping a host in the office from the data centre then I am told they can see traffic leave via the vpn.  I can see it if I do a packet capture but it doesn't get thorough.

      If I then jump onto the host I can't ping and do a reverse ping (office to dc), that works AND the ping (dc to office) magically starts working.

      Any thoughts where I should look?

      1 Reply Last reply Reply Quote 0
      • P
        Perry
        last edited by

        Firewall issue on office host?
        Do you have pfSense on both ends and are they the default gateway?
        If not "Bypass Firewall Rules for Traffic on Same Interface" (do a forum search ) and static routes might be needed.

        /Perry
        doc.pfsense.org

        1 Reply Last reply Reply Quote 0
        • M
          m1dst
          last edited by

          pfSense in the office which is also the gateway (multi-wan) whilst the DC is running a Fortigate 200A.

          "Bypass firewall rules for traffic on the same interface" is not currently ticked.  Changing it made no difference.

          If I do a packet capture on the pfSense IPSEC if, I see nothing whilst the ping is not working.  As soon as the ping starts working (forcing it as above) then packets appear in the capture.

          I see nothing obvious in the firewall log to show anything is being blocked.

          1 Reply Last reply Reply Quote 0
          • P
            Perry
            last edited by

            Google "asymmetric routing" as it must be the problem.
            To eliminate you could setup pfSense at home and make a site to site connection to the office.

            /Perry
            doc.pfsense.org

            1 Reply Last reply Reply Quote 0
            • M
              m1dst
              last edited by

              While not having had the chance to setup a tunnel from home to test as suggested, I have built another install on a spare box at work.

              Vanilla install with minimum config (LAN and WAN etc)
              Single WAN, no load balancing, nothing.
              Setup the IPSEC Phase1 and Phase2s.
              Add rule to IPSEC if.
              Bring tunnel up.
              Test

              Result…  Exactly as described earlier.

              I will keep trying and post back any other findings in the hope it helps someone else.

              1 Reply Last reply Reply Quote 0
              • P
                Perry
                last edited by

                I have no problem on a snapshot from jun 14

                /Perry
                doc.pfsense.org

                1 Reply Last reply Reply Quote 0
                • M
                  m1dst
                  last edited by

                  I can confirm that the problem WAS NOT my config or PF but in fact it was the data centre config and not managed by me.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.