VPN stops working, one endpoint drops ESP/ISPKMP packets



  • pfSense 2.0.2 on both sides.

    Anyone ever have a situation where one end of the VPN starts dropping IPsec packets (these show up in the filter log) and as a result the VPN stops working?

    A workaround is to manually insert 2 fw rules that explicity allow IPsec packets from the other endpoint, then magically the VPN starts working again.

    So one rule that allows ESP packets from the other endpoint and another rule that allows UDP/500 packets from the other endpoint.

    It seems like perhaps there is some sort of race condition where the appropriate filter rules aren't being added?

    The only factor I can think of is that I've only seen this on clustered/HA pfSense instances which are sharing a CARP IP and that CARP IP is the VPN endpoint…

    Any ideas?



  • The auto-added VPN rules can be disabled. It can continue to work for potentially a long time after disabling those because of the existing states, then something happens that those states are cleared and it no longer works since that traffic isn't being passed. The only circumstance I've ever seen or heard of missing IPsec rules is when they're disabled. CARP isn't directly related, that's widely done and works fine.



  • Ah, that could be it.

    The setting you are referring to is the "Disable all auto-added VPN rules" setting under "System: Advanced: Firewall and NAT"?

    So if that setting is enabled, the specific firewall rules to allow VPN traffic through will not be created, correct?

    Is there a way to see what auto-created rules are generated?



  • @drees:

    Ah, that could be it.

    The setting you are referring to is the "Disable all auto-added VPN rules" setting under "System: Advanced: Firewall and NAT"?

    Yes

    @drees:

    So if that setting is enabled, the specific firewall rules to allow VPN traffic through will not be created, correct?

    Correct.

    @drees:

    Is there a way to see what auto-created rules are generated?

    /tmp/rules.debug



  • Thanks!

    So in this particular case when this issue cropped up, I had 2 VPNs drop between 3 pfSense machines.

    FW-A: Single pfSense box
    FW-B: HA pfSense boxes
    FW-C: HA pfSense boxes

    There are 2 IPsec VPNs: 1 between FW-A <-> FW-B and 1 between FW-A <-> FW-C.

    I did find that the "Disable all auto-added VPN rules" was enabled on FW-A and FW-C which is now disabled, but the setting was already disabled on FW-B.

    Looking at /tmp/rules.debug under "VPN Rules" I see rules on both FW-A and FW-C, but none under FW-B. Any idea why? I've double and triple checked the "Disable all auto-added VPN rules" setting and did note that when enabled, a comment under VPN rules is noted as disabled so I know the setting is being noted.


Log in to reply