Pass Rules Ignored for IPSec Interface



  • My interfaces and networks:
    WAN -> Internet
    LAN - 192.168.1.0/24
    IPSec -> 10.8.0.0/16 (VPN to Windows Azure Virtual Network)

    My Firewall:
    WAN - no rules (deny all)
    LAN - Anti-Lockout Rule
    LAN - any proto, any source ip/port, any destination ip/port, no additional advanced options.
    IPsec - any proto, any source ip/port, any destination ip/port, no additional advanced options.

    My problem:
    I'm getting packets blocked by the default deny rule, that shouldn't be… see attached screenshot. Am I correct in thinking interface enc0 is the IPsec interface? What I don't understand is why I'm getting packets arriving on enc0 that should really appear on the LAN interface as they come from a host on the LAN. What rule do I need to add to allow these packets?

    An example is:
    enc0 192.168.1.50:8495 -> 10.8.1.4:389 TCP:PA - why is this appearing on the enc0 interface, and why is it being blocked when it should be passed by the LAN or IPsec pass all rule?

    I've tried switching off scrubbing, and all the different firewall optimizations.



  • I have a similar problem, but with TCP:RPA. Did you solve this problem?



  • RPA is likely
    http://doc.pfsense.org/index.php/Logs_show_"blocked"_for_traffic_from_a_legitimate_connection,_why%3F

    PA is more likely asymmetric routing, where you have more than just the IPsec as a path between the networks and only part of it is going across the VPN.



  • cmb: Thanks, I think this explains why I'm seeing these packets in the logs, but I was seeing vast quantities of these type of logs, and I was having problems with connections.

    I solved the main cause of the excessive mis-matched packets by following the instructions on the IPsec Troubleshooting page under Packet Loss With Certain Protocols. To fix it, change the value of MSS clamping on VPN traffic in Advanced > Miscellaneous > IP Security to 1320.
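The distinction cmb draws above (an RPA block is usually a late RST for a connection pf has already dropped from its state table, while a PA block with no SYN means a mid-stream packet arrived on an interface that never saw the handshake, i.e. asymmetric routing) can be applied mechanically to a batch of "default deny" log entries. The script below is an added example written for this thread, not pfSense code or anything from the posters: it parses lines in the simplified "interface src -> dst proto:flags" form shown in the first post (the sample lines are constructed, not real output from the poster's firewall), uses pf's TCP flag letters (S=SYN, A=ACK, P=PSH, R=RST, F=FIN), and treats the 192.168.1.0/24 and 10.8.0.0/16 networks from the thread as the LAN and IPsec sides. A block is only a real policy problem when the packet is a bare SYN; anything else blocked on enc0 from a LAN source is flagged as a candidate for the second-path (asymmetric routing) check rather than for a new pass rule.

```python
import ipaddress
import re
from collections import Counter

# Networks from the thread: LAN behind the firewall and the VPN side in Azure.
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN = ipaddress.ip_network("10.8.0.0/16")

# Constructed sample "blocked by default deny" entries in the thread's shorthand
# (interface, source, destination, protocol and pf flag letters). Not real log data.
SAMPLE_BLOCKED = [
    "enc0 192.168.1.50:8495 -> 10.8.1.4:389 TCP:PA",
    "enc0 192.168.1.50:8495 -> 10.8.1.4:389 TCP:RPA",
    "enc0 192.168.1.23:50122 -> 10.8.1.4:445 TCP:A",
    "WAN 203.0.113.9:44444 -> 198.51.100.7:22 TCP:S",
    "enc0 10.8.1.4:389 -> 192.168.1.50:8495 TCP:FA",
    "LAN 192.168.1.50:5353 -> 224.0.0.251:5353 UDP",
]

LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>[A-Z]+)(?::(?P<flags>[A-Z]+))?$"
)


def parse_line(line):
    """Parse one shorthand log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["sport"] = int(entry["sport"])
    entry["dport"] = int(entry["dport"])
    return entry


def classify(entry):
    """Decide whether a blocked packet points at a missing rule or at a state problem."""
    if entry["proto"] != "TCP":
        # UDP/ICMP carry no handshake; a block here is simply the ruleset saying no.
        return "stateless-protocol"
    flags = entry["flags"] or ""
    if "S" in flags and "A" not in flags:
        # Bare SYN: a genuinely new connection that no pass rule matched.
        return "policy-block"
    if "R" in flags:
        # RST for a session pf has already torn down (the RPA case in the thread).
        return "out-of-state-rst"
    # ACK/PSH/FIN without SYN: mid-stream packet that never created a state on
    # this interface, typically because the handshake took another path.
    return "out-of-state"


def triage(lines):
    """Return (line, verdict, note) for every parseable line."""
    report = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        note = ""
        if verdict.startswith("out-of-state") and entry["iface"] == "enc0":
            src = ipaddress.ip_address(entry["src"])
            dst = ipaddress.ip_address(entry["dst"])
            if src in LAN and dst in VPN:
                note = ("LAN host reached the IPsec side without a matching state: "
                        "look for a second path between the networks (asymmetric routing)")
        report.append((line, verdict, note))
    return report


def summarize(report):
    """Count verdicts so the noisy out-of-state entries can be separated from real blocks."""
    return Counter(verdict for _, verdict, _ in report)


if __name__ == "__main__":
    rep = triage(SAMPLE_BLOCKED)
    for line, verdict, note in rep:
        print(f"{verdict:20} {line}" + (f"  <- {note}" if note else ""))
    print(summarize(rep))
```

Only the WAN SYN in the sample set is a true policy decision; the enc0 entries are the symptom cmb describes, and adding a broader pass rule for them would not help, since pf drops them before rule evaluation for lack of a state.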