IPSEC / Rules

  • Alright, I am loosing my mind.($@##*#Q&$^Q@#$^*76483764)  Thats a different story.  Here is the general jist of what is going.  I screwed my PFsense installation and had to rebuild.  I have everything up and running.  Tunnels are up pacages installed and the system is running like a champ.  However I have run into one minor issue.

    On all three of my VPN's they are one way.  I can go to them but they can't come back to me.  That is a BIG problem.  part of my personnel business is dependent on this working.  I am using the following build:

    built on Tue Jan 15 23:13:25 EST 2008

    I really need some help fixing this issue like asap:

    Proto  Source              Port    Dest                Port      Gateway  Schedule    Description
    TCP    192.168.xx.0/24  *      192.168.xx.0/24  *        *                            IPSEC connectivity (rule)

    I have not had any luck woring on this issue so far and wondering if any one has seen anythign like it.


  • Update:


    I figure instead of opening a full tunnel between sites I try opening select port.  So far this approarch works.  It was in the plan to start this level of management on the firewall but I was not ready to do it now.  It looks like my had has so to speak been forced into a little heavy duty work.

    Still I like to know why the full tunnel will not come up??


  • As I stated in my last update I have to put rule 1. in place for the rules 2 and 3 to work.  This is a great worl around  It cost me 2 hours of my time.  As a consultant my time gets expensive realy quick.

    1. TCP  192.168.xx.0/24  *                     192.168.xx.0/24                       *  *     XYZ company IPSEC connectivity   
    2. TCP  192.168.xx.0/24  21 (FTP)           192.168.xx.0/24  21 (FTP)          *         Xyz company FTP over IPSEC connectivity   
    3. TCP  192.168.xx.0/24  3389 (MS RDP)   192.168.xx.0/24  3389 (MS RDP)  *         XYZ company MS RDP over IPSEC connectivity

    PF Senese has solved alot if issues for me.  I not changing products now.  I have too much time hardware and experience with it to start on something new.  This issue really caught me off guard.  I have alot of automation in place for customer nightly and weekly backups that depend on these IPSEC tunnels.

    I have gotten completely away from using open FTP and other protocols.  Everything is done accross a secure VPN tunnel and the tunnels can't cross over so one customer can't see data from a different one.  I have 4 years of this type of work under my belt and i really now getting a handle on if.  PF Sense has been the best and simiplist firewall I have used to do some of the exptreamly complicated things I am doing.  I still have alot to learn but hope to still be able to assist in the forum.

    Any thoughts on what might have changed in the rule set area to make the above rulles work that way?

  • I have now added ICMP to the rule set and can ping from site to site again.  I found that in the search for the forum.

    Going back to my orginal question, If I open the tunnel with full connectivity item 1 in my rules, I should not have to add items 2 & 3 plus the icmp rule.  Does any one know why I would have to do that?

    I remove rule 1 and the other rules do not work. I update to the latest snapshot of rc-4 tongiht and see if that resolves the issue.

  • Set protocol to any.
    In your posted rule you have as protocol TCP.

Log in to reply