IPSec mobile client works, even though no incoming Pass rule on WAN interface



  • Hi,

I can connect to the VPN fine as an IPSec mobile client despite not having Pass firewall rules for UDP 500 and ESP. Isn't it supposed to block all incoming traffic unless otherwise specified?

The problem is that I can see in the logs that I'm getting constant login/connection attempts from overseas IP addresses to IPSec. I want to be able to lock down the Pass rule to only a handful of local ISPs' IP ranges.



It's not well documented but AFAIK the pass rules are automatically added when you set up the IPSec VPN and for some reason they are also hidden. In other words I think it is working as intended.



  • Could you share your sanitized config?  I am having a hell of a time getting it working with iOS 8.1

    Thanks in advance, 
    Dan



  • I'd like to second the request for a working mobile IPsec configuration.  Also, what client-side software are you using?  I've been unable to connect using Shrew Soft (see https://forum.pfsense.org/index.php?topic=84142).

    As for the firewall rules, AFAIK they are created (and intentionally hidden) along with the IPsec rules tab when you enable IPsec, as dstroot said.



Here's mine (working with Shrew Soft and iPhone iOS 7.1.2):

    <ipsec>
      <client>
        <enable></enable>
        <user_source>Local Database</user_source>
        <group_source>system</group_source>
        <pool_address>10.10.1.0</pool_address>
        <pool_netbits>24</pool_netbits>
        <dns_server1>192.168.50.1</dns_server1>
      </client>
      <phase1>
        <ikeid>1</ikeid>
        <iketype>ikev1</iketype>
        <interface>wan</interface>
        <mobile></mobile>
        <mode>aggressive</mode>
        <protocol>inet</protocol>
        <myid_type>myaddress</myid_type>
        <myid_data></myid_data>
        <peerid_type>user_fqdn</peerid_type>
        <peerid_data>loreumipsum</peerid_data>
        <encryption-algorithm>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm>
        <hash-algorithm>sha1</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>86400</lifetime>
        <pre-shared-key>KEYKEYKEY</pre-shared-key>
        <private-key></private-key>
        <certref></certref>
        <caref></caref>
        <authentication_method>xauth_psk_server</authentication_method>
        <nat_traversal>force</nat_traversal>
      </phase1>
      <phase2>
        <ikeid>1</ikeid>
        <uniqid>5456653a0c02a</uniqid>
        <mode>tunnel</mode>
        <localid><type>lan</type></localid>
        <remoteid><type>mobile</type></remoteid>
        <protocol>esp</protocol>
        <encryption-algorithm-option>
          <name>aes</name>
          <keylen>256</keylen>
        </encryption-algorithm-option>
        <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
        <pfsgroup>0</pfsgroup>
        <lifetime>28800</lifetime>
      </phase2>
      <enable></enable>
    </ipsec>


  • Rebel Alliance Developer Netgate

Rules for the WAN for IPsec have been created by default in the background for many years (since 1.2 at least). When mobile IPsec is set up it has to allow from anywhere since the clients can connect from anywhere.

    These rules can be disabled under System > Advanced on the Firewall/NAT tab; check "Disable all auto-added VPN rules".

    Before you check that box, add your own rules to pass ESP, udp/500 and udp/4500 on the WAN, but you can also add block rules to prevent some from reaching the port.
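As an added illustration of the approach jimp describes (this fragment is not from the thread or from the pfSense project; the alias name, the description text and the 203.0.113.0/24 and 198.51.100.0/22 ranges are placeholders chosen here), this is what the replacement rules look like in pfSense config.xml form once "Disable all auto-added VPN rules" is checked. The alias holds the ISP ranges, and the three WAN rules pass IKE (udp/500), NAT-T (udp/4500) and ESP only from that alias; every other source falls through to the default deny on WAN and is logged there as a block instead of reaching IPsec as an authentication attempt. The same entries can be created in the GUI under Firewall > Aliases and Firewall > Rules > WAN, which is the usual way to do it.

```xml
<!-- Added example, not pfSense's own code. Alias and rule fragments as they
     appear in config.xml; the ranges are RFC 5737 documentation prefixes
     standing in for the local ISP ranges the OP wants to allow. -->
<aliases>
  <alias>
    <name>IPsec_Allowed_Sources</name>
    <type>network</type>
    <!-- pfSense stores network alias members space-separated -->
    <address>203.0.113.0/24 198.51.100.0/22</address>
    <descr><![CDATA[Local ISP ranges allowed to reach mobile IPsec (placeholder values)]]></descr>
    <detail><![CDATA[ISP A||ISP B]]></detail>
  </alias>
</aliases>

<filter>
  <!-- IKE: udp/500 from the alias to the WAN address only -->
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <protocol>udp</protocol>
    <source>
      <address>IPsec_Allowed_Sources</address>
    </source>
    <destination>
      <network>wanip</network>
      <port>500</port>
    </destination>
    <descr><![CDATA[IPsec IKE from allowed ISP ranges]]></descr>
  </rule>
  <!-- NAT-T: udp/4500, needed for clients behind NAT (nat_traversal=force above) -->
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <protocol>udp</protocol>
    <source>
      <address>IPsec_Allowed_Sources</address>
    </source>
    <destination>
      <network>wanip</network>
      <port>4500</port>
    </destination>
    <descr><![CDATA[IPsec NAT-T from allowed ISP ranges]]></descr>
  </rule>
  <!-- ESP has no ports; protocol match only -->
  <rule>
    <type>pass</type>
    <interface>wan</interface>
    <ipprotocol>inet</ipprotocol>
    <protocol>esp</protocol>
    <source>
      <address>IPsec_Allowed_Sources</address>
    </source>
    <destination>
      <network>wanip</network>
    </destination>
    <descr><![CDATA[IPsec ESP from allowed ISP ranges]]></descr>
  </rule>
</filter>
```

Add the alias and rules first and confirm a client inside the allowed ranges still connects, then tick the "Disable all auto-added VPN rules" box; doing it in the other order drops all mobile clients until the replacement rules exist. Afterwards, Status > System Logs > Firewall should show the overseas sources as default-deny blocks on udp/500 rather than as IPsec log entries, which is the check that the restriction is actually in effect.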



  • Hugovsky - thanks for the config!



  • @jimp:

    Rules for the WAN for IPsec have been created by default in the background for many years (Since 1.2 at least).

    Since forever actually, that was brought over from m0n0wall. We added an option to disable them for those who want to DIY several years back, in 1.2 IIRC.



  • @jimp:

Rules for the WAN for IPsec have been created by default in the background for many years (since 1.2 at least). When mobile IPsec is set up it has to allow from anywhere since the clients can connect from anywhere.

    These rules can be disabled under System > Advanced on the Firewall/NAT tab; check "Disable all auto-added VPN rules".

    Before you check that box, add your own rules to pass ESP, udp/500 and udp/4500 on the WAN, but you can also add block rules to prevent some from reaching the port.

    Excellent. Thanks. I'll give it a go.