PFSense <-> Barracuda Site to Site VPN (Kinda Works)
-
I have set up what looks like a working VPN between my office pfSense 2.0.1 router and a Barracuda NG200. The IPSec tunnel is established, I can ping hosts on the other end, and I can RDP to hosts. When I SSH to hosts on the other end or try HTTP it does not work: the SSH freezes after a few seconds, and my browser just loads and loads, never displaying anything, and takes forever to time out.
For RDP/SSH/HTTP I see these firewall blocks; from my forum research these are just informational, related to acknowledgement packets being delivered after the state is closed?
scrub in on all fragment reassemble
block drop in log all label "default deny rule"
I have the IPSec firewall rule set to allow all for all protocols, sources and destinations.
I can SSH through the Barracuda to another computer on the network, set up SSH forwarding, and SSH & HTTP work that way.
I hate it when it kind of works!
-
Sounds like you probably have asymmetric routing. What are the exact block logs you're seeing? How is the routing setup?
-
I have some updates, still have this problem.
I now have two site-to-site VPNs set up between my core pfSense box and two different Barracuda locations. I thought about the asymmetrical routing problem, and it seems unlikely. The traffic is making it across the VPN and is being blocked by pfSense, crossing from the enc0 interface to my LAN interface.
With the two VPNs I can do lots, pass pings/RDP/SSH, but not HTTP/HTTPS; it gets dropped, see error.
scrub in on all fragment reassemble
block drop in log all label "default deny rule"
Still stumped at why some traffic is working.
-
But what do the actual log messages look like from the blocked packets? Knowing the rule doesn't help really, but seeing the log output will give info about the packets that will help determine why they were blocked.
-
This firewall log?
10.4.4.223 is my workstation trying to access 192.168.196.35
Jun 13 14:05:56 router1 pf: 00:00:00.196974 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 57394, offset 0, flags [+], proto TCP (6), length 1396)
Jun 13 14:05:56 router1 pf: 192.168.196.35.443 > 10.4.4.233.52086: Flags [.], ack 1720334429, win 54, length 1356
Jun 13 14:05:56 router1 pf: 00:00:00.000108 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 57394, offset 1376, flags [none], proto TCP (6), length 124)
Jun 13 14:05:56 router1 pf: 192.168.196.35 > 10.4.4.233: tcp
Jun 13 14:05:56 router1 pf: 00:00:00.003695 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 2808, offset 0, flags [+], proto TCP (6), length 1396)
Jun 13 14:05:56 router1 pf: 192.168.196.35.443 > 10.4.4.233.52087: Flags [.], ack 3536564842, win 54, length 1356
Jun 13 14:05:56 router1 pf: 00:00:00.000695 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 2808, offset 1376, flags [none], proto TCP (6), length 124)
Jun 13 14:05:56 router1 pf: 192.168.196.35 > 10.4.4.233: tcp
Jun 13 14:05:57 router1 pf: 00:00:00.227489 rule 2/0(match): block out on bge0_vlan53: (tos 0x0, ttl 64, id 50784, offset 0, flags [DF], proto TCP (6), length 40)
Jun 13 14:05:57 router1 pf: 173.194.33.38.80 > 192.168.25.110.56900: Flags [R], cksum 0xd831 (correct), seq 2636034812, win 0, length 0
Jun 13 14:05:57 router1 pf: 00:00:00.633078 rule 2/0(match): block out on bge0_vlan53: (tos 0x0, ttl 64, id 40952, offset 0, flags [DF], proto TCP (6), length 40)
Jun 13 14:05:57 router1 pf: 216.74.41.14.80 > 192.168.25.188.50281: Flags [R], cksum 0xbfeb (correct), seq 3836766925, win 0, length 0
Jun 13 14:05:58 router1 pf: 00:00:00.533008 rule 44/0(match): block in on bge0_vlan51: (tos 0x0, ttl 1, id 10822, offset 0, flags [none], proto IGMP (2), length 28)
Jun 13 14:05:58 router1 pf: 10.4.4.20 > 224.0.0.1: igmp query v2
Jun 13 14:05:58 router1 pf: 00:00:00.241546 rule 2/0(match): block out on bge0_vlan53: (tos 0x0, ttl 64, id 40100, offset 0, flags [DF], proto TCP (6), length 40)
Jun 13 14:05:58 router1 pf: 173.194.33.1.80 > 192.168.25.110.57656: Flags [R], cksum 0xb235 (correct), seq 4154817442, win 0, length 0
Jun 13 14:05:59 router1 pf: 00:00:00.475910 rule 2/0(match): block out on bge0_vlan53: (tos 0x0, ttl 64, id 51815, offset 0, flags [DF], proto TCP (6), length 40)
Jun 13 14:05:59 router1 pf: 173.194.33.5.80 > 192.168.25.110.57501: Flags [R], cksum 0x35e8 (correct), seq 4096195589, win 0, length 0
Jun 13 14:05:59 router1 pf: 00:00:00.713010 rule 2/0(match): block out on bge0_vlan53: (tos 0x0, ttl 64, id 1233, offset 0, flags [DF], proto TCP (6), length 40)
Jun 13 14:05:59 router1 pf: 173.194.33.46.80 > 192.168.25.110.64338: Flags [R], cksum 0xd1d5 (correct), seq 1868876284, win 0, length 0
Jun 13 14:05:59 router1 pf: 00:00:00.172396 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 57396, offset 1376, flags [none], proto TCP (6), length 124)
Jun 13 14:05:59 router1 pf: 192.168.196.35 > 10.4.4.233: tcp
Jun 13 14:05:59 router1 pf: 00:00:00.003263 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 2810, offset 0, flags [+], proto TCP (6), length 1396)
Jun 13 14:05:59 router1 pf: 192.168.196.35.443 > 10.4.4.233.52087: Flags [.], ack 1, win 54, length 1356
Jun 13 14:05:59 router1 pf: 00:00:00.000793 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 2810, offset 1376, flags [none], proto TCP (6), length 124)
Jun 13 14:05:59 router1 pf: 192.168.196.35 > 10.4.4.233: tcp
-
The packets being blocked are ACK packets, so as cmb said, asymmetric routing is the most likely explanation.
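Reading a pf log like the one posted above by hand makes it easy to stop at "these are ACKs". The script below is an added example (my own code, not pfSense's and not from anyone in this thread) that parses the two-line pf log format shown in the post, pairs each rule/interface line with the packet line that follows it, and reports per interface how many blocked packets are IP fragments (flags [+], meaning "more fragments", or a non-zero offset) versus TCP RSTs. The sample lines are a constructed subset copied from the post; the regular expressions assume the pfSense 2.0.x text format seen there and nothing else. Run over the full excerpt it shows that every packet blocked on enc0 is a fragment of a 1396-byte datagram from 192.168.196.35 port 443 (the first fragment carries 1376 payload bytes, the second starts at offset 1376), which is worth ruling out as a tunnel MTU/MSS problem alongside the asymmetric routing explanation.

```python
import re
from collections import defaultdict

# Rule/interface line written by pf, e.g.
# "Jun 13 14:05:56 router1 pf: 00:00:00.196974 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 57394, offset 0, flags [+], proto TCP (6), length 1396)"
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pf: (?P<delta>[\d:.]+) "
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<iface>\S+): \(tos \S+, ttl (?P<ttl>\d+), id (?P<ip_id>\d+), "
    r"offset (?P<offset>\d+), flags \[(?P<flags>[^\]]*)\], "
    r"proto (?P<proto>\w+) \(\d+\), length (?P<length>\d+)\)$"
)
# Packet line that follows it, e.g. "... pf: 192.168.196.35.443 > 10.4.4.233.52086: Flags [.], ack ..."
PACKET_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pf: (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)
TCP_FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")

# Constructed sample: a subset of the lines from the post, unchanged.
SAMPLE_LOG = """\
Jun 13 14:05:56 router1 pf: 00:00:00.196974 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 57394, offset 0, flags [+], proto TCP (6), length 1396)
Jun 13 14:05:56 router1 pf: 192.168.196.35.443 > 10.4.4.233.52086: Flags [.], ack 1720334429, win 54, length 1356
Jun 13 14:05:56 router1 pf: 00:00:00.000108 rule 1/0(match): block in on enc0: (tos 0x0, ttl 63, id 57394, offset 1376, flags [none], proto TCP (6), length 124)
Jun 13 14:05:56 router1 pf: 192.168.196.35 > 10.4.4.233: tcp
Jun 13 14:05:57 router1 pf: 00:00:00.227489 rule 2/0(match): block out on bge0_vlan53: (tos 0x0, ttl 64, id 50784, offset 0, flags [DF], proto TCP (6), length 40)
Jun 13 14:05:57 router1 pf: 173.194.33.38.80 > 192.168.25.110.56900: Flags [R], cksum 0xd831 (correct), seq 2636034812, win 0, length 0
Jun 13 14:05:58 router1 pf: 00:00:00.533008 rule 44/0(match): block in on bge0_vlan51: (tos 0x0, ttl 1, id 10822, offset 0, flags [none], proto IGMP (2), length 28)
Jun 13 14:05:58 router1 pf: 10.4.4.20 > 224.0.0.1: igmp query v2
"""


def split_endpoint(endpoint):
    """'a.b.c.d.port' -> (ip, port); a bare 'a.b.c.d' (non-first fragments) -> (ip, None)."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_pf_log(text):
    """Pair each rule line with its packet line and return one dict per blocked packet."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    records, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1  # not a pf rule line; skip it
            continue
        rec = {
            "iface": m["iface"], "dir": m["dir"], "action": m["action"],
            "rule": int(m["rule"]), "proto": m["proto"], "ip_id": int(m["ip_id"]),
            "offset": int(m["offset"]), "more_fragments": "+" in m["flags"],
            "length": int(m["length"]),
            "src": None, "sport": None, "dst": None, "dport": None, "tcp_flags": None,
        }
        if i + 1 < len(lines):
            p = PACKET_RE.match(lines[i + 1])
            if p:
                rec["src"], rec["sport"] = split_endpoint(p["src"])
                rec["dst"], rec["dport"] = split_endpoint(p["dst"])
                f = TCP_FLAGS_RE.search(p["rest"])
                rec["tcp_flags"] = f.group(1) if f else None
                i += 1
        # A packet is a fragment if more fragments follow it or it is not the first piece.
        rec["is_fragment"] = rec["offset"] > 0 or rec["more_fragments"]
        records.append(rec)
        i += 1
    return records


def summarize_by_interface(records):
    """Count blocked packets per interface, and how many were fragments or TCP RSTs."""
    summary = defaultdict(lambda: {"total": 0, "fragments": 0, "tcp_rst": 0})
    for r in records:
        s = summary[r["iface"]]
        s["total"] += 1
        if r["is_fragment"]:
            s["fragments"] += 1
        if r["tcp_flags"] == "R":
            s["tcp_rst"] += 1
    return dict(summary)


def dropped_fragment_groups(records):
    """Group blocked fragments by (src, dst, IP id) so each dropped datagram is visible as a whole."""
    groups = defaultdict(list)
    for r in records:
        if r["is_fragment"]:
            groups[(r["src"], r["dst"], r["ip_id"])].append(r["offset"])
    return {key: sorted(offsets) for key, offsets in groups.items()}


if __name__ == "__main__":
    recs = parse_pf_log(SAMPLE_LOG)
    for iface, counts in summarize_by_interface(recs).items():
        print(f"{iface}: {counts}")
    for (src, dst, ip_id), offsets in dropped_fragment_groups(recs).items():
        print(f"fragments of id {ip_id} {src} -> {dst} blocked at offsets {offsets}")
```

Feed it the firewall log exported from Status > System Logs > Firewall, or a raw syslog capture, and compare the enc0 counts with the other interfaces; if the fragment count on enc0 matches its total, the blocks are not plain late ACKs.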