Ipsec, SIP, RDP inbound packets being blocked by firewall?



  • Here's a quick rundown of my test setup:
    Windows 2012 R2
    pfSense 2.2 Sep 29th build on Hyper-V

    3 interfaces
    WAN - DHCP
    LAN1 - 192.168.0.0/24
    LAN2 - 10.0.10.0/24

    LAN2 is my test network and is all that concerns this issue.
    DHCP is handed out on LAN2 via pfSense.

    For testing purposes all firewall rules were removed and I created an "allow any/all" rule on the WAN, LAN1 and LAN2.

    FYI: enabling "Disable all packet filtering" breaks all network traffic, thus unusable.

    Issue 1
    I set up an IPsec tunnel to my corporate location (10.0.1.0/24), which is running old pfSense 2.0.1, the same way as I do for all 7 other remote locations. When I bring up the tunnel, pfSense on Hyper-V shows connected and no errors in the logs, but the other end of the tunnel (pfSense 2.0.1) shows disconnected. No traffic.

    Here are the logs from the corporate location:

    ```
    Sep 30 20:01:47	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: can't start the quick mode, there is no ISAKMP-SA, XXXXXXXXXXXX:XXXXXXXXXXXX
    Sep 30 20:01:05	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: can't start the quick mode, there is no ISAKMP-SA, XXXXXXXXXXXX:XXXXXXXXXXXX
    Sep 30 20:00:52	racoon: [Compsmith]: INFO: ISAKMP-SA deleted XXX.XXX.XXX.XXX[500]-XXX.XXX.XXX.XXX[500] spi:XXXXXXXXXXXX:XXXXXXXXXXXX
    Sep 30 20:00:52	racoon: INFO: purged ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX.
    Sep 30 20:00:52	racoon: INFO: purging ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX.
    Sep 30 20:00:52	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] INFO: DPD: remote (ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX) seems to be dead.
    Sep 30 20:00:51	racoon: ERROR: XXX.XXX.XXX.XXX give up to get IPsec-SA due to time up to wait.
    Sep 30 20:00:41	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Sep 30 20:00:41	racoon: ERROR: failed to get sainfo.
    Sep 30 20:00:41	racoon: ERROR: failed to get sainfo.
    Sep 30 20:00:41	racoon: [Compsmith]: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
    Sep 30 20:00:41	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
    Sep 30 20:00:31	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
    Sep 30 20:00:28	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    Sep 30 20:00:28	racoon: ERROR: failed to get sainfo.
    Sep 30 20:00:28	racoon: ERROR: failed to get sainfo.
    Sep 30 20:00:28	racoon: [Compsmith]: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
    Sep 30 20:00:21	racoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
    ```


    The VM pfSense is uneventful and just shows connection established, making me think the inbound packets needed to complete the handshake are being blocked by the firewall.

    FYI OpenVPN seems to work, but I cannot run it simultaneously with IPsec on the same destination subnet.

    Issue 2
    On my same Server 2012 R2 Hyper-V I brought up an Asterisk server. Got a few physical SIP phones communicating on the LAN and making OUTBOUND calls. Inbound is not working at all; Asterisk CLI verbose shows nothing is making it to the server / no verbose output. Again thinking that some inbound packets are being blocked.

    Issue 3
    No matter what rules I have in place, including the current allow all/any rule I have now, I cannot RDP in, whereas it was fine on my old Netgate appliance with 2.1.5.

    Issue 4
    The Asterisk service pfSense add-on is broken.

    If anyone can chime in that either has these issues, or admins that have replicated these issues so that I know it's not my settings, I'd appreciate it. Also if there are any workarounds please let me know.

    Thanks
    WW
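As an added example (not code from this post or from pfSense), here is a small triage script for racoon log lines like the ones quoted above. The sample lines are constructed from the masked log, and the mapping of each racoon message to a negotiation phase and a hint is my own reading of those messages. It only tells you which phase the negotiation dies in (the log's own "[Check Phase 2 settings, networks]" already points at phase 2); as the rest of the thread shows, the cause in this case turned out to be a bug in the pfSense 2.2 build rather than the tunnel settings, so treat the verdict as where to look first, not as the answer.

```python
"""Triage pfSense 2.0.x racoon IPsec log lines by negotiation phase.

Added example for this thread, not code from the post or from pfSense. The
sample lines are constructed to mirror the masked log quoted above."""
import re
from collections import Counter

# Constructed sample, abbreviated from the thread (peer addresses and SPIs masked).
SAMPLE_LOG = """\
Sep 30 20:01:47\tracoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: can't start the quick mode, there is no ISAKMP-SA, XXXXXXXXXXXX:XXXXXXXXXXXX
Sep 30 20:00:52\tracoon: [Compsmith]: [XXX.XXX.XXX.XXX] INFO: DPD: remote (ISAKMP-SA spi=XXXXXXXXXXXX:XXXXXXXXXXXX) seems to be dead.
Sep 30 20:00:51\tracoon: ERROR: XXX.XXX.XXX.XXX give up to get IPsec-SA due to time up to wait.
Sep 30 20:00:41\tracoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Sep 30 20:00:41\tracoon: ERROR: failed to get sainfo.
Sep 30 20:00:41\tracoon: [Compsmith]: INFO: respond new phase 2 negotiation: XXX.XXX.XXX.XXX[500]<=>XXX.XXX.XXX.XXX[500]
Sep 30 20:00:41\tracoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification INVALID-HASH-INFORMATION received in informational exchange.
Sep 30 20:00:31\tracoon: [Compsmith]: [XXX.XXX.XXX.XXX] ERROR: notification PAYLOAD-MALFORMED received in informational exchange.
"""

# syslog timestamp, "racoon:", optional "[tunnel]:" tag, optional "[peer]" address, level, message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+racoon:\s*"
    r"(?:\[(?P<tunnel>[^\]]+)\]:\s*)?"
    r"(?:\[(?P<peer>[^\]]+)\]\s*)?"
    r"(?P<level>ERROR|INFO|WARNING|NOTIFY|DEBUG):\s*(?P<msg>.*)$"
)

# (message fragment, phase it belongs to, hint); order matters, first match wins.
# The phase/hint assignment is an assumption based on racoon's wording.
SIGNATURES = [
    ("failed to get sainfo", "phase2", "no matching Phase 2 (local/remote network) entry"),
    ("failed to pre-process ph2 packet", "phase2", "Phase 2 proposal rejected"),
    ("give up to get IPsec-SA", "phase2", "Phase 2 never completed before timeout"),
    ("INVALID-HASH-INFORMATION", "phase2", "peer reported INVALID-HASH-INFORMATION"),
    ("PAYLOAD-MALFORMED", "phase2", "peer reported PAYLOAD-MALFORMED"),
    ("there is no ISAKMP-SA", "phase1", "Phase 1 SA missing when Phase 2 was attempted"),
    ("seems to be dead", "phase1", "DPD declared the peer dead"),
]


def parse_line(line):
    """Parse one syslog line; return a dict, or None if it is not a racoon line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["phase"], rec["hint"] = "other", ""
    for needle, phase, hint in SIGNATURES:
        if needle in rec["msg"]:
            rec["phase"], rec["hint"] = phase, hint
            break
    return rec


def triage(log_text):
    """Count phase 1 vs phase 2 failures and collect the distinct hints in order seen."""
    counts = Counter()
    hints = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["phase"] == "other":
            continue
        counts[rec["phase"]] += 1
        if rec["hint"] not in hints:
            hints.append(rec["hint"])
    if counts["phase2"] > counts["phase1"]:
        verdict = "Phase 2 mismatch: compare Phase 2 local/remote networks and proposals on both peers"
    elif counts["phase1"]:
        verdict = "Phase 1 problem: compare pre-shared key, identifiers and Phase 1 proposals"
    else:
        verdict = "no racoon negotiation errors found"
    return {"phase1": counts["phase1"], "phase2": counts["phase2"],
            "hints": hints, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"phase1 errors={result['phase1']} phase2 errors={result['phase2']}")
    for hint in result["hints"]:
        print(" -", hint)
    print("verdict:", result["verdict"])
```

Feed it the IPsec log from Status > System Logs on the 2.0.x side; the pfSense 2.2 side in this thread logged nothing useful, which is itself a clue that the problem is not a settings mismatch.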



  • Can you post a screen shot of your Inbound NAT and WAN firewall rules?



  • @chpalmer:

    Can you post a screen shot of your Inbound NAT and WAN firewall rules?

    Here ya go…basically it's wide open. Right?

    I have no entries for NAT port forwarding, 1:1 Outbound is Automatic...



  • Looks like it…

    I always set my rules to log.  You find that option down lower on the rules page when you're building rules.  That way I can see if the packet is actually making it.

    What are you seeing in the firewall logs now?



  • @chpalmer:

    Looks like it…

    I always set my rules to log.  You find that option down lower on the rules page when you're building rules.  That way I can see if the packet is actually making it.

    What are you seeing in the firewall logs now?

    After enabling logging on the WAN and LAN2 and running a few tests with RDP, I can see the packet allowed by the WAN but nothing on the LAN/destination server. Should I see that packet in the LAN rule?



  • You'll never see more than 1 log entry for a single permitted connection, nothing on LAN in that scenario. It's getting passed, check the state, Diag>States. Probably shows "SINGLE:NO TRAFFIC", which means the target host isn't responding.



  • @cmb:

    You'll never see more than 1 log entry for a single permitted connection, nothing on LAN in that scenario. It's getting passed, check the state, Diag>States. Probably shows "SINGLE:NO TRAFFIC", which means the target host isn't responding.

    Testing with MS RDP.  From REMOTE_IP:18786 I see that the packet got passed to MY_WAN_IP:3389. In states I only see:
    ```
    MY_WAN_IP:3389 <- REMOTE_IP:18786 CLOSED:SYN_SENT
    ```
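The state entry above, read with cmb's explanation of the state table, already says what is wrong: the SYN was passed by the filter, but the other side stayed CLOSED because nothing ever answered. As an added example (not code from the thread or from pfSense), here is a small classifier for Diagnostics > States entries that turns the common pf state pairs into a troubleshooting verdict. The sample entries are constructed (the first mirrors the line quoted above), and the assumption that "A <- B" means B initiated the connection towards A follows pf's display convention.

```python
"""Classify pfSense state-table entries (Diagnostics > States) for inbound troubleshooting.

Added example for this thread, not pfSense code. The sample entries are constructed;
the first one mirrors the state quoted in the post above."""
import re

# Optional protocol column, "left <- right" or "left -> right", then the pf state pair.
STATE_RE = re.compile(
    r"^(?:(?P<proto>tcp|udp|icmp)\s+)?"
    r"(?P<left>[\w.\[\]:]+)\s+(?P<arrow><-|->)\s+(?P<right>[\w.\[\]:]+)"
    r"\s+(?P<state>.+?)\s*$"
)

# Keyed by the state pair with both sides sorted, so the direction does not matter.
VERDICTS = {
    "CLOSED:SYN_SENT": ("no_reply",
        "SYN passed the filter but no SYN-ACK came back: nothing answered on the "
        "destination (traffic hit the WAN address with no port forward, or no listener)"),
    "ESTABLISHED:ESTABLISHED": ("established", "TCP handshake completed, traffic is flowing"),
    "NO_TRAFFIC:SINGLE": ("udp_no_reply", "one packet passed, the target host never replied"),
    "MULTIPLE:SINGLE": ("udp_one_way", "packets in one direction only"),
    "MULTIPLE:MULTIPLE": ("udp_two_way", "packets seen in both directions"),
}

# Constructed sample entries (REMOTE_IP / MY_WAN_IP are placeholders as in the thread).
SAMPLE_STATES = [
    "MY_WAN_IP:3389 <- REMOTE_IP:18786 CLOSED:SYN_SENT",
    "tcp 10.0.10.20:3389 <- REMOTE_IP:18790 ESTABLISHED:ESTABLISHED",
    "udp 10.0.10.30:5060 <- REMOTE_IP:5060 SINGLE:NO TRAFFIC",
    "udp 10.0.10.30:5060 <- REMOTE_IP:5060 MULTIPLE:MULTIPLE",
]


def parse_state(line):
    """Parse one state entry; return a dict, or None if the line is not a state entry."""
    m = STATE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # The GUI may render "NO TRAFFIC" with a space; pf itself uses NO_TRAFFIC.
    rec["state"] = rec["state"].replace(" ", "_").upper()
    # Assumption: "A <- B" means the state was created by a packet from B towards A.
    if rec["arrow"] == "<-":
        rec["initiator"], rec["responder"] = rec["right"], rec["left"]
    else:
        rec["initiator"], rec["responder"] = rec["left"], rec["right"]
    return rec


def classify(line):
    """Return (tag, explanation) for one state-table line."""
    rec = parse_state(line)
    if rec is None:
        return ("unparsed", "not a state-table entry")
    pair = ":".join(sorted(rec["state"].split(":")))
    return VERDICTS.get(pair, ("unknown", f"state {rec['state']} not classified"))


if __name__ == "__main__":
    for entry in SAMPLE_STATES:
        tag, why = classify(entry)
        print(f"{entry}\n  -> {tag}: {why}")
```

In this thread the first entry is exactly the "no_reply" case: the WAN rule passed the SYN to the firewall's own WAN address, and with no port forward there was nothing behind it to answer, which is why adding the NAT port forward (and its auto-created filter rule) fixed RDP and SIP.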



  • @cmb:

    You'll never see more than 1 log entry for a single permitted connection, nothing on LAN in that scenario. It's getting passed, check the state, Diag>States. Probably shows "SINGLE:NO TRAFFIC", which means the target host isn't responding.

    Thanks for the help everyone…I got RDP and SIP working. I needed to NAT port forward and let the filter rule auto create to get the packets passed correctly.

    Now my issue is just the IPsec VPN...

    It showed connected on both ends, but no traffic either way...
    This post is what I'm experiencing:
    https://forum.pfsense.org/index.php?topic=82126.0

    I'm on the 10/2 build... Is this still a known issue?



  • The ipsec issue should be fixed now.



  • @ermal:

    The ipsec issue should be fixed now.

    Great news! Thanks for fixing this now I can really test this out on hyper-v the way we need it. When do the snapshots get pushed?

    Edit
    I think it's posted…does the 10/7 build include the fix?

    EDIT 2
    Yep working now!!! Thanks again!

