Netgate Discussion Forum

    IPSec mobile client traffic to primary firewall passes, but blocked to secondary

    2 Posts 2 Posters 1.5k Views
    • thejohnny

      Hi All,

      I'm trying to resolve an issue with a mostly working HA setup running IPSec for mobile clients. When I'm connected to the VPN, I can communicate with all hosts on the LAN segment except the secondary firewall. What I'm seeing on the secondary firewall is that the traffic is being filtered by the default deny rule. For instance, if I'm connected to the VPN and fw-1 is primary, I can ping fw-1 and access the web configurator without issue. The same requests to fw-2 are blocked on fw-2 by the default deny all rule. If I disable CARP on fw-1 and let fw-2 take over as master, the inverse becomes true (can ping fw-2, but not fw-1).

      While debugging I set up a rule for the LAN interface to pass any from the IPsec subnet and logged the requests. Doing another ping, I saw the rule logged as a pass but still wasn't getting a reply (ping/http/https). This behavior only happens for mobile clients. If I ssh into a host on the LAN segment, I can ping the LAN interface on both firewalls without a problem.

      Anyone have any insight on this? Anything else I can provide to help resolve this?

      Cheers,

      John

      • jimp (Rebel Alliance Developer, Netgate)

        That is normal for any VPN type. The secondary will always believe it has a more direct route back to the client and eat the traffic since it has no connected tunnel.

        You can work around it by adding an outbound NAT rule on the LAN that will NAT traffic leaving from the IPsec mobile subnet going to the secondary to the primary's LAN IP.

        You may also want to add a similar rule to the secondary (nat out from the IPsec mobile subnet going to the primary's LAN IP, translated to the secondary's LAN IP), so you can get to the primary if it's not master.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

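The two outbound NAT rules jimp describes, written out as pf rules in the style pfSense generates in its rules.debug. This is an added illustration, not code from the thread or from Netgate, and every address and interface name in it is assumed: em1 is the LAN interface on both nodes, 10.0.8.0/24 is the mobile IPsec client pool, 192.168.1.2 is fw-1's LAN IP and 192.168.1.3 is fw-2's LAN IP. In the pfSense GUI the same thing is a Hybrid or Manual outbound NAT mapping on LAN with source = the mobile subnet, destination = the other node's LAN IP and translation = this node's own LAN IP.

```pf
# Assumed values (constructed for this example, not from the thread):
#   em1          = LAN interface on both firewalls
#   10.0.8.0/24  = mobile IPsec client pool handed to road warriors
#   192.168.1.2  = fw-1 LAN IP (primary in the original report)
#   192.168.1.3  = fw-2 LAN IP (secondary)

# --- fw-1 ---
# A mobile client's packet to fw-2 is decrypted on fw-1 and leaves fw-1's
# LAN interface. Rewrite its source to fw-1's LAN IP, so fw-2 sees a plain
# LAN host and answers fw-1, which still holds the IPsec SA and can return
# the reply through the tunnel. Without this, fw-2 tries to deliver the
# reply to 10.0.8.0/24 itself, has no tunnel, and the packet is lost.
nat on em1 from 10.0.8.0/24 to 192.168.1.3 -> 192.168.1.2

# --- fw-2 ---
# Mirror rule for when fw-2 is CARP master and owns the tunnels: traffic
# from the mobile pool to fw-1 is translated to fw-2's LAN IP.
nat on em1 from 10.0.8.0/24 to 192.168.1.2 -> 192.168.1.3
```

One side effect worth knowing before relying on the firewall logs: after the translation, the peer firewall's filter and web server logs record the other node's LAN IP as the source, not the individual mobile client. Per-client attribution for access to the non-master node therefore has to be read from the node that terminates the tunnel (its IPsec and NAT state tables), and any LAN rule on the peer that was meant to restrict "the VPN subnet" must instead be written against the tunnel-holding node's LAN IP for this traffic.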
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.