[SOLVED] IPSec traffic does not show in firewall logs



  • I created a few IPSec VPNs from a pfSense box to remote sites with Cisco ASA 5505s.

    Local: 192.168.0.0/24

    Remote-Site-1: 192.168.1.0/24

    Remote-Site-2: 10.0.0.0/24

    The VPNs are established.  I can ping hosts across the VPN.  When I go to Firewall -> Rules -> IPSec, it informs me that since there are no rules, no traffic will be allowed across the VPN and that I need to make rules for it.

    Clearly this isn't the case since I can ping across the VPN.

    The customer is informing me that formerly working FTP clients from the 2 remote sites back to the main site are no longer working correctly (as in, this site used to have a Cisco ASA like the other sites, but I've replaced it with the pfSense box).  Now, I have ordered routers for all 3 locations and plan on them all being pfSense with OpenVPN, but in the meantime, I'd like to get this working.

    I tried adding rules to allow the remote host, destination port 21, to the host running the FTP server at the main location, and told it to log the rule.

    After a while, I'm looking in system logs and can't find any packets that match.

    So, just for the heck of it, I remove the FTP allow rules and instead allow all protocols, all traffic, all ports, etc, the only specification was interface IPSec. I left the logging on for troubleshooting purposes.

    I started a ping from a host at the main office to a host at a remote office.  The packet is not found in system logs, firewall.

    So what is allowed by default across the VPN and why can I not find any VPN traffic in the logs? (Block or Allow)


  • LAYER 8 Netgate

    Do you understand that the IPsec tab firewall rules on each node apply to traffic being RECEIVED from the remote and allowed into the local pf?

    Remote site 1 will need IPsec rules determining what local assets can be accessed by 10.0.0.0/24

    Remote site 2 will need IPsec rules determining what local assets can be accessed by 192.168.1.0/24.  These can be as open or restrictive as you like.

    Pass IPv4 any any any is usually what people do to get it going.  Then they further restrict it to only those local assets the remote network needs to access.

    What traffic is routed INTO and OUT OF IPsec is determined by the Phase 2 entries.  What traffic is allowed from IPsec into pf is determined by the IPSec rules.



  • First off, thank you for your reply.  I appreciate any help I can get.

    Do you understand that the IPsec tab firewall rules on each node apply to traffic being RECEIVED from the remote and allowed into the local pf?

    No, this is why I'm here; I have very little experience with VPNs.  So you're saying that when I create the VPN, all outbound traffic is allowed and I just need firewall rules to define what traffic is allowed from the remote sites back to the main site?

    What if I wanted to restrict outbound traffic on the VPN as I do on LAN?  Is this possible?  Would I have to create a Block All rule at the bottom of the list as a catchall?

    Pass IPv4 any any any is usually what people do to get it going.  Then they further restrict it to only those local assets the remote network needs to access.

    Ok, so you think my allow all rule should fix whatever was causing the FTP issues?  It was working before I put the pfSense box in.  Why isn't any of the traffic being logged? Nothing is showing for the IPSec interface at all.  Shouldn't I see something being denied?  I think the Phase 2 negotiations must be correct if I can ping between the hosts?


  • LAYER 8 Netgate

    @dlogan:

    No, this is why I'm here; I have very little experience with VPNs.  So you're saying that when I create the VPN, all outbound traffic is allowed and I just need firewall rules to define what traffic is allowed from the remote sites back to the main site?

    What if I wanted to restrict outbound traffic on the VPN as I do on LAN?  Is this possible?  Would I have to create a Block All rule at the bottom of the list as a catchall?

    Not sure on the ASAs.

    In general pfSense firewall rules are applied to traffic coming INTO an interface.  So traffic from IPsec nodes is on the IPsec tab.  If you wanted to restrict traffic from LAN to the remote IPsec network, you would place a rule on LAN.  To me it makes more sense for the remote end to determine what is and is not allowed into the router there (on its IPsec tab, or the ASA rules in this case.)

    There is always a default block any any rule in pfSense.  Traffic not explicitly passed will be blocked.

    Ok, so you think my allow all rule should fix whatever was causing the FTP issues?  It was working before I put the pfSense box in.  Why isn't any of the traffic being logged? Nothing is showing for the IPSec interface at all.  Shouldn't I see something being denied?  I think the Phase 2 negotiations must be correct if I can ping between the hosts?

    Sounds like you should be able to ping in one direction but not the other if you have no rules on your IPsec tab.  FTP in which direction?  There's a diagram in my sig.  If you refer to pfSense A as your pfSense and pfSense C as one of the ASAs we can use it to visualize your network.  It sounds like Host A1 should be able to FTP to Host C1 but C1 to A1 should be blocked absent IPsec rules on A.  I'll have to see what is logged by IPsec rules and when.  I'm pretty much exclusively OpenVPN these days.

    You just have to make sure the phase 2 entries match.  They create the routes but don't pass or block anything.



  • I just noticed the IPSec sub-forum, should I have posted this there?

    Anyway,
    Site A - my main site where I put the pfSense router (replaced an ASA)
    Sites B & C - remote sites, both still have ASAs.

    FTP is from sites B & C to site A.

    I put an entry in the IPSec firewall rules at Site A to allow ANY protocol, from ANY, to ANY just for testing.  I also checked the box to log packets matching.

    So far nothing is logged.  I suppose I will need access to the machines in question to do further testing.  I don't know how often the remote hosts attempt to FTP to the Site A host.


  • LAYER 8 Netgate

    If you feel like it post the IPsec rule screenshot.  That should be all that's necessary provided the ASA rules accommodate what you want to do.

    What you have done will log passes, not rejections.  Rejections will be logged by the default block rule (I think).



  • I know that enabling logging is for Pass traffic, not block.  But I don't see ANY traffic, neither PASS nor BLOCK.  It seems that I should see my ping traffic at least.

    Does the VPN traffic bypass LAN/WAN rules?  If the traffic is matching something allowed from LAN will it not show up under the IPSec interface logs?  I'm confused.



  • Connections initiated from site B and C coming in to site A should be logged by that rule (e.g. if the remote site starts an FTP from a server at site A).
    If you ping from site B or C to site A that should also be logged.
    But if you ping from site A to site B or C then the logging depends on the rule/s on the site A LAN interface, where the ping originates.

    You mentioned "the IPSec interface logs" in your text, not sure what you meant there. Make sure you are looking in Status->System Logs, Firewall tab, to see the logged packets.



  • You mentioned "the IPSec interface logs" in your text, not sure what you meant there. Make sure you are looking in Status->System Logs, Firewall tab, to see the logged packets.

    Sorry, yes, that's where I'm looking.  I search for any packets that are PASS, I find none.  I search for Block packets from the remote host IP (the host at the remote site that should be initiating the FTP transfer), I find none.


  • LAYER 8 Netgate

    On which end?  They will only appear on the destination end of the connection where the connections are coming IN from IPsec.



  • Ok, let's just ignore this particular issue until I can get remote access to the machines that are initiating the FTP traffic.  I only have access to the main office right now.  Another admin at the remote site is telling me his host is trying to initiate FTP from there (remote site with ASA) to my host (main site with pfSense).  I see no traffic at all, neither BLOCKED from his host's IP nor PASSED whatsoever.

    Here is where I'd like to focus this discussion until I can get remote access to those machines…

    I do not allow All traffic to pass outbound from LAN as many probably do.  I have it restricted to ICMP echo requests, HTTP, HTTPS, FTP, some email protocols POP, POP/S, IMAP, IMAP/s, SMTP, SMTPS, SUBMISSION maybe a couple of others.

    While I am pinging across the VPN, I disabled the rule that allows ICMP echo requests from LAN to *.  This stopped the pings across the VPN.  This is why I was asking earlier if IPSec traffic bypassed the WAN/LAN rules.  Obviously it does not.

    I took the ICMP test a step further, and added a rule in Firewall, Rules, LAN that allows Any protocol to the LAN subnet of the remote networks. Initially, as with all my other LAN rules, under advanced, I have the gateway configured as WAN1toWAN2FAILOVER and a second identical rule with WAN2TOWAN1FAILOVER.  These are failover groups for my multi-wan situation. The rules work for outbound traffic to the world, but for some reason will not work for the VPN traffic.  In order to get it to work for the VPN, I had to leave the gateway as default *.

    Interestingly enough, the ICMP rules were set to use the failover groups and were working, but all protocols don't work to failover groups for vpn traffic.

    Hopefully a few screenshots will help clarify what I mean here.

    All of this is being done from the main site, site A.  I'm RDP'd to a computer there running pings to hosts at both site B and site C.

    First item, my original rule to allow ICMP echo requests to *, using the failover groups as the gateway:

    This works when enabled.  I am able to ping hosts at both remote sites.

    Second item, in this example the ICMP rules above are disabled:

    This does not work.  I am unable to ping remote hosts.

    Third item, removed entries using failover groups, added one with default gateway as the default *:

    This works.  I am able to ping remote hosts.

    Any ideas on this?

    I'm assuming that if I need LAN rules to allow traffic through the VPN, then I also need WAN rules to allow the traffic coming back?  If so, how do I make the WAN rules?  Allow the remote public IP?  Or the remote local subnets?  I have the option on WANs to block private networks …is that going to kill me?


  • LAYER 8 Netgate

    No.  The only WAN rule you need is for IPsec itself and they are generated automatically when IPsec is enabled on an interface.  Your WAN interface never sees traffic arriving from your remote IPsec networks.  Connections from those networks come in on the "IPsec" tab.

    I'm pretty sure if you're multi-WAN you need rules ABOVE the rules that send traffic to your failover groups that send VPN traffic to your default gateway.

    Pass IPv4 any source LAN net dest CannRemoteLANSubnets port any gateway *

    Then your rules sending all other LAN net traffic to the failover groups.

    pfSense routes differently when you set gateways in rules and you have to exclude other traffic first.  Sort of like having to exclude your VPN traffic from NAT in the ASAs.



  • Thank you.  Everything is working now.



  • The principle here is that a rule that specifies a gateway/group will force the traffic to that gateway/group.
    For VPNs and other links that have a known set of subnets reachable on the other end, the ordinary routing table knows how to get there - you do not want to force that traffic out some WAN. So put rules on LAN to pass that VPN traffic without specifying a gateway - that traffic will then be routed using the ordinary routing table, which will get it to its destination just fine.
    Then later rules can specify gateway/groups to send other traffic out whatever combination of WANs you like.
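The two points made in this thread (IPsec tab rules only see traffic arriving FROM the tunnel, and a LAN rule that names a gateway group forces the traffic to that group instead of the routing table) can be checked with a small first-match model. This is an added example written for this page, not pfSense code and not from anyone in the thread; the subnets and the WAN1toWAN2FAILOVER group name come from the posts above, the host addresses, rule names and the "ipsec-tunnel"/"default-wan" next-hop labels are constructed for the example, and the model deliberately ignores the ICMP anomaly the original poster saw, since the thread does not explain it.

```python
"""Toy model of pfSense first-match rule evaluation (constructed example).

It answers the two questions raised in the thread:
  1. On which tab does a packet get matched (and logged)?  The one it ENTERS on.
  2. What does a gateway/group on a rule do?  It forces the next hop, bypassing
     the routes that the IPsec phase 2 entries create.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Subnets from the thread: site A LAN and the two remote sites.
LAN_NET = ip_network("192.168.0.0/24")
REMOTE_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/24")]
ANY = [ip_network("0.0.0.0/0")]


@dataclass
class Rule:
    tab: str                        # "LAN" or "IPsec": traffic ENTERING that interface
    action: str                     # "pass" or "block"
    proto: str                      # "any", "icmp" or "tcp"
    src: list
    dst: list
    dport: Optional[int] = None
    gateway: Optional[str] = None   # None models "default *": use the routing table
    log: bool = False
    name: str = ""


@dataclass
class Packet:
    ingress: str                    # interface the packet enters pf on
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_any(addr: str, nets) -> bool:
    return any(ip_address(addr) in n for n in nets)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.tab != pkt.ingress:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return _in_any(pkt.src, rule.src) and _in_any(pkt.dst, rule.dst)


def routing_table(dst: str) -> str:
    """Ordinary routing table: LAN is directly connected, the phase 2 entries
    create routes to the remote subnets, everything else takes the default."""
    if _in_any(dst, [LAN_NET]):
        return "LAN"
    if _in_any(dst, REMOTE_NETS):
        return "ipsec-tunnel"
    return "default-wan"


def evaluate(rules, pkt: Packet, log: list) -> Tuple[str, Optional[str]]:
    """First matching rule wins (pfSense rules are 'quick').  Returns
    (action, next_hop): the forced gateway group when the rule sets one,
    otherwise whatever the routing table says.  Unmatched traffic hits the
    default deny, which is logged on the interface it entered."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.log:
            log.append(f"{pkt.ingress} {r.action} {pkt.proto} {pkt.src} -> {pkt.dst} ({r.name})")
        if r.action == "block":
            return "block", None
        return "pass", (r.gateway or routing_table(pkt.dst))
    log.append(f"{pkt.ingress} block {pkt.proto} {pkt.src} -> {pkt.dst} (default deny)")
    return "block", None


# The logged "pass any" rule the original poster placed on the IPsec tab.
IPSEC_ANY_LOG = Rule("IPsec", "pass", "any", ANY, ANY, log=True, name="IPsec pass any, logged")

# Ordering the poster started with: every LAN rule carries a failover group.
POLICY_FIRST = [
    Rule("LAN", "pass", "any", [LAN_NET], ANY, gateway="WAN1toWAN2FAILOVER", name="LAN any -> failover"),
    IPSEC_ANY_LOG,
]

# Ordering from the final reply: pass VPN-bound traffic with gateway "*" FIRST.
VPN_FIRST = [
    Rule("LAN", "pass", "any", [LAN_NET], REMOTE_NETS, gateway=None, name="LAN -> remote LANs, gateway *"),
    Rule("LAN", "pass", "any", [LAN_NET], ANY, gateway="WAN1toWAN2FAILOVER", name="LAN any -> failover"),
    IPSEC_ANY_LOG,
]


def lan_ping(rules, log: Optional[list] = None):
    """Ping from a site A host to a site C host: enters on LAN, so only LAN rules apply."""
    pkt = Packet("LAN", "icmp", "192.168.0.10", "10.0.0.5")      # constructed hosts
    return evaluate(rules, pkt, [] if log is None else log)


def remote_ftp(rules, log: Optional[list] = None):
    """FTP from a site C host to the site A server: arrives FROM the tunnel, IPsec tab applies."""
    pkt = Packet("IPsec", "tcp", "10.0.0.5", "192.168.0.20", dport=21)
    return evaluate(rules, pkt, [] if log is None else log)


if __name__ == "__main__":
    for name, rules in (("policy-routed first", POLICY_FIRST), ("VPN rule first", VPN_FIRST)):
        log: list = []
        print(name, "LAN ping ->", lan_ping(rules, log), "IPsec FTP ->", remote_ftp(rules, log))
        print("  firewall log:", log or "(nothing: the ping matched an unlogged LAN rule)")
    log = []
    print("LAN ICMP rule disabled, ping ->", lan_ping([IPSEC_ANY_LOG], log), log)
```

Running it shows the three things the thread ends up agreeing on: with the failover-group rule first the LAN ping is handed to WAN1toWAN2FAILOVER and never reaches the tunnel; with the gateway-"*" rule placed above it the ping follows the phase 2 route; and in both orderings the outbound ping produces no IPsec-tab log entry, because only the inbound FTP connection from the remote site is evaluated (and logged) on the IPsec tab.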

