PFS <> ASA IPSec tunnel help
-
@cmb:
Is that inbound ESP being blocked? Should show in the firewall log if it is, unless you disabled logging on the default deny rule. There are two reasons you see ESP coming in and nothing actually decrypting that traffic - it's getting blocked, or it isn't for an active SA. The rules to allow that ESP would be automatically added unless you have that disabled under System>Advanced.
Sure enough… firewall. I never saw it in the logs. However, this makes me question what I know about firewalls. Shouldn't traffic either pass or fail? It's like once the stream was initiated and flowing - it just let the traffic pass. Can you explain that?
I checked in System>Advanced>Firewall/NAT and the "Disable auto added VPN rules" is not checked... so I'm not quite sure why the ESP rule didn't make it in.
Thanks
EDIT: I just checked on the new 7541 I rolled out and it did not have this rule for ESP auto-added, either.
-
Outbound ESP from your side and replies to it were being passed, ESP initiated on the other side was not. That would make it mostly if not entirely work when you initiate it, but not in the opposite direction.
Assuming you still have the auto-added VPN rules enabled, what do you see in the output of the command:
grep esp /tmp/rules.debug
-
Here you go:
[2.1-RELEASE][admin@sipsense.localdomain]/root(3): grep esp /tmp/rules.debug
pass in quick on $WAN reply-to ( rl1 24.118.172.1 ) inet proto esp from 63.238.x.x to any keep state label "USER_RULE: Allow ESP from XRD ASA"
pass out on $WAN route-to ( rl1 24.118.172.1 ) proto esp from any to 63.238.x.x keep state label "IPsec: XRD ASA - outbound esp proto"
pass in on $WAN reply-to ( rl1 24.118.172.1 ) proto esp from 63.238.x.x to any keep state label "IPsec: XRD ASA - inbound esp proto"
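Added example, not from the thread or from pfSense: a small Python model of pf's "keep state" behaviour for ESP, illustrating the explanation above of why a tunnel works when pfSense initiates but not when the ASA does. The addresses and the rule list are constructed stand-ins for the 63.238.x.x peer and the rules.debug lines quoted in the last post.

```python
# Toy model of stateful ESP filtering (constructed example, not pf itself).
# ESP has no ports, so state is keyed only on (src, dst) for proto esp.
from dataclasses import dataclass, field

PEER = "63.238.0.1"    # constructed stand-in for the 63.238.x.x ASA peer
ME = "24.118.172.5"    # constructed stand-in for the pfSense WAN address


@dataclass(frozen=True)
class Rule:
    direction: str      # "in" or "out"
    src: str            # "any" or an address
    dst: str
    label: str

    def matches(self, direction: str, src: str, dst: str) -> bool:
        return (self.direction == direction
                and self.src in ("any", src)
                and self.dst in ("any", dst))


@dataclass
class StatefulFirewall:
    rules: list
    states: set = field(default_factory=set)   # (src, dst) pairs with state
    log: list = field(default_factory=list)    # what the default deny logs

    def esp(self, direction: str, src: str, dst: str) -> str:
        # An existing state matches traffic in both directions, so the
        # peer's replies pass without any inbound rule being consulted.
        if (src, dst) in self.states or (dst, src) in self.states:
            return "pass (state)"
        for rule in self.rules:
            if rule.matches(direction, src, dst):
                self.states.add((src, dst))
                return f"pass ({rule.label})"
        self.log.append(f"block {direction} esp {src} -> {dst}")
        return "block (default deny)"


def scenario(with_inbound_rule: bool):
    """Return (local-initiated results, peer-initiated result)."""
    rules = [Rule("out", "any", PEER, "outbound esp proto")]
    if with_inbound_rule:  # the auto-added "inbound esp proto" rule
        rules.append(Rule("in", PEER, "any", "inbound esp proto"))
    fw = StatefulFirewall(list(rules))
    # 1. pfSense sends first: the outbound rule creates state, reply passes.
    local_first = (fw.esp("out", ME, PEER), fw.esp("in", PEER, ME))
    # 2. The ASA sends first on a firewall with no state for this pair.
    peer_first = StatefulFirewall(list(rules)).esp("in", PEER, ME)
    return local_first, peer_first
```

Without the inbound rule the peer-initiated ESP is the only packet that hits the default deny, which is exactly the one-directional behaviour described in the thread.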