[solved] IPSec auto-add WAN rules present but still need to manually add 500/UDP



  • Hello,

    Setting up an IPSec VPN between two pfSense 2.2 instances (running on ESXi).

    I know that when creating the tunnel, the firewall rules are automatically added on the WAN interface. I could verify this point with the following command (as seen in https://forum.pfsense.org/index.php?topic=87371.msg484177#msg484177):

    pfctl -sa | egrep "isakmp|nat-t|esp" | grep pass
    

    BUT !

    On one of the two firewalls (let's call it "right") I deactivated the firewall through the CLI:

    pfctl -d
    

    I managed to log in to the firewall again and re-enabled the firewall (pfctl -e), but then I saw that the IPSec tunnels wouldn't come up. And for sure, there were dropped packets in the firewall logs showing errors on port UDP/500.

    So I had to manually add an incoming WAN rule for UDP/500 and UDP/4500, and it worked again, although the automatic IPSec rules were still present on the firewall.

    So what's wrong here?

    Thank you.
    Nicolas



  • Hello,

    Well, I upgraded the firewalls to 2.2.1, and this behavior is still present.

    Does anyone else have the same problem?

    Thank you.
    Nicolas


  • Banned

    No. You are overriding the automated rules with something.



    Well, if this is the case I'd like to know what, because I don't have any IPSec-related rule on the firewalls apart from the automated ones:

    The automatic rules (on the main GW):

    
    pfctl -sa | egrep "isakmp|nat-t|esp" | grep pass
    
    pass out inet proto udp from any to 109.190.203.6 port = isakmp keep state label "IPsec - outbound isakmp"
    pass in on vmx0 inet proto udp from 109.190.203.6 to any port = isakmp keep state label "IPsec - inbound isakmp"
    pass out inet proto udp from any to 109.190.203.6 port = sae-urn keep state label "IPsec - outbound nat-t"
    pass in on vmx0 inet proto udp from 109.190.203.6 to any port = sae-urn keep state label "IPsec - inbound nat-t"
    pass out inet proto esp from any to 109.190.203.6 keep state label "IPsec - outbound esp proto"
    pass in on vmx0 inet proto esp from 109.190.203.6 to any keep state label "IPsec - inbound esp proto"
    
    

    The firewall logs (on the main GW):

    
    Mar 23 19:38:48 maingw filterlog: 108,16777216,,1422987731,vmx0,match,block,in,4,0x0,,58,14356,0,none,17,udp,468,109.190.203.6,91.121.51.242,64154,500,448
    
    

    And the resulting IPSec log (on the remote GW):

    
    Mar 23 19:41:09 	charon: 01[IKE] peer not responding, trying again (3/3)
    Mar 23 19:41:09 	charon: 01[IKE] <con1|23>peer not responding, trying again (3/3)
    Mar 23 19:41:09 	charon: 01[IKE] giving up after 5 retransmits
    Mar 23 19:41:09 	charon: 01[IKE] <con1|23>giving up after 5 retransmits
    Mar 23 19:39:53 	charon: 01[NET] sending packet: from 192.168.1.1[500] to 91.121.51.242[500] (440 bytes)
    Mar 23 19:39:53 	charon: 01[IKE] retransmit 5 of request with message ID 0
    Mar 23 19:39:53 	charon: 01[IKE] <con1|23>retransmit 5 of request with message ID 0
    Mar 23 19:39:11 	charon: 11[NET] sending packet: from 192.168.1.1[500] to 91.121.51.242[500] (440 bytes)
    

    So either the automated rules don't apply to my setup, or something else is preventing them from working as expected. But how can I find out?


  • Banned

    There is this red X in the logs. When you click it, it shows the rule that blocked the traffic. If you still cannot figure it out, then post the entire ruleset. Grepping for something that does not need to match at all due to some generic block rule is useless.



  • All right. I dug a bit more, and found out which rule is blocking the traffic.

    Based on the filterlog:

    
    Mar 23 19:38:48 maingw filterlog: 108,16777216,,1422987731,vmx0,match,block,in,4,0x0,,58,14356,0,none,17,udp,468,109.190.203.6,91.121.51.242,64154,500,448
    
    

    I can see that rule ID 108 is matching the traffic.

    With pfctl -sr -vv I can see the rule IDs:

    
    @108(1422987731) block drop in log quick on vmx0 inet all label "USER_RULE: Deny All IPv4 from Internet"
    
    

    So my user rule is blocking the traffic because (at least if I base my assumption on the rule ID number) it is matched before the automatic IPSec rules:

    
    @128(1000106383) pass out inet proto udp from any to 109.190.203.6 port = isakmp keep state label "IPsec: INRED to COUR31 - outbound isakmp"
    @129(1000106384) pass in on vmx0 inet proto udp from 109.190.203.6 to any port = isakmp keep state label "IPsec: INRED to COUR31 - inbound isakmp"
    @130(1000106385) pass out inet proto udp from any to 109.190.203.6 port = sae-urn keep state label "IPsec: INRED to COUR31 - outbound nat-t"
    @131(1000106386) pass in on vmx0 inet proto udp from 109.190.203.6 to any port = sae-urn keep state label "IPsec: INRED to COUR31 - inbound nat-t"
    @132(1000106387) pass out inet proto esp from any to 109.190.203.6 keep state label "IPsec: INRED to COUR31 - outbound esp proto"
    @133(1000106388) pass in on vmx0 inet proto esp from 109.190.203.6 to any keep state label "IPsec: INRED to COUR31 - inbound esp proto"
    
    

    So now the question is: how can I put my "deny all" user rule at the very bottom of the other rules (meaning it is matched last)?
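Added example, not part of the thread and not pfSense's own code: a small Python script that reproduces the diagnosis in this post. It parses the filterlog line (pfSense 2.2 IPv4 field layout: rule number, sub-rule, anchor, tracker id, interface, reason, action, direction, IP version, then the IPv4 header fields, then source/destination and, for UDP/TCP, the ports), looks the logged tracker id up in a `pfctl -sr -vv` dump (the number in parentheses after `@N` is the same tracker id that filterlog prints), and then walks the ruleset in order with pf's evaluation semantics, where the last matching rule wins unless an earlier match is marked `quick`. The rule dump is a constructed, abbreviated copy of the inbound rules quoted above; the match logic is a deliberate simplification (exact host addresses only, no tables, CIDR or state lookup) that is enough to show why `@108` wins over `@129`. Removing the deny-all rule, as the thread ends up doing, changes the winner.

```python
import re

# Constructed sample input: the filterlog line quoted in this thread (pfSense 2.2 IPv4/UDP layout).
FILTERLOG_LINE = (
    "Mar 23 19:38:48 maingw filterlog: 108,16777216,,1422987731,vmx0,match,block,in,4,0x0,,58,"
    "14356,0,none,17,udp,468,109.190.203.6,91.121.51.242,64154,500,448"
)

# Constructed sample input: the inbound rules quoted in this thread, in `pfctl -sr -vv` form.
PFCTL_RULES = """\
@108(1422987731) block drop in log quick on vmx0 inet all label "USER_RULE: Deny All IPv4 from Internet"
@129(1000106384) pass in on vmx0 inet proto udp from 109.190.203.6 to any port = isakmp keep state label "IPsec: INRED to COUR31 - inbound isakmp"
@131(1000106386) pass in on vmx0 inet proto udp from 109.190.203.6 to any port = sae-urn keep state label "IPsec: INRED to COUR31 - inbound nat-t"
@133(1000106388) pass in on vmx0 inet proto esp from 109.190.203.6 to any keep state label "IPsec: INRED to COUR31 - inbound esp proto"
"""

# pf prints well-known ports by their /etc/services name; these are the two names the thread shows.
SERVICE_PORTS = {"isakmp": 500, "sae-urn": 4500}

# Covers the subset of pfctl rule syntax seen above (hypothetical regex, not a full pf grammar).
RULE_RE = re.compile(
    r'^@(?P<num>\d+)\((?P<tracker>\d+)\) (?P<action>pass|block(?: drop| return)?) (?P<dir>in|out)'
    r'(?P<log> log)?(?P<quick> quick)?(?: on (?P<iface>\S+))? (?P<af>inet6?)'
    r'(?: proto (?P<proto>\S+))?(?: from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\S+))?| all)?'
    r'.*?label "(?P<label>[^"]*)"'
)


def parse_filterlog(line):
    """Split one pfSense 2.2 filterlog line into the fields a rule lookup needs (IPv4 layout only)."""
    fields = line.split("filterlog: ", 1)[1].split(",")
    if fields[8] != "4":
        raise ValueError("only the IPv4 field layout is handled here")
    pkt = {
        "rulenr": int(fields[0]),  # position in the loaded ruleset, i.e. @N in pfctl -sr
        "tracker": fields[3],      # tracker id, stable across rule reloads unlike rulenr
        "iface": fields[4],
        "reason": fields[5],
        "action": fields[6],
        "dir": fields[7],
        "ipver": fields[8],
        "proto": fields[16],       # protocol name; fields[15] is the protocol number
        "src": fields[18],
        "dst": fields[19],
    }
    if pkt["proto"] in ("tcp", "udp"):
        pkt["sport"], pkt["dport"] = int(fields[20]), int(fields[21])
    return pkt


def parse_pfctl_rules(text):
    """Parse `pfctl -sr -vv` output; lines that are not rules (counters etc.) are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        r["num"] = int(r["num"])
        r["quick"] = bool(r["quick"])
        for key in ("src", "dst"):           # "any" and an absent address both mean "no constraint"
            if r[key] == "any":
                r[key] = None
        if r["port"]:                         # service name or literal number
            r["port"] = SERVICE_PORTS.get(r["port"]) or int(r["port"])
        rules.append(r)
    return rules


def rule_matches(rule, pkt):
    """Simplified pf match: direction, interface, address family, protocol, exact hosts, dst port."""
    if rule["dir"] != pkt["dir"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if (rule["af"] == "inet") != (pkt["ipver"] == "4"):
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] and rule["dst"] != pkt["dst"]:
        return False
    if rule["port"] and rule["port"] != pkt.get("dport"):
        return False
    return True


def winning_rule(rules, pkt):
    """pf semantics: the last matching rule wins, unless an earlier matching rule is marked quick."""
    winner = None
    for r in rules:
        if rule_matches(r, pkt):
            winner = r
            if r["quick"]:
                break
    return winner


def shadowed_rules(rules, pkt):
    """Rules that match the packet but are never reached because an earlier quick rule matched."""
    w = winning_rule(rules, pkt)
    if w is None or not w["quick"]:
        return []
    return [r for r in rules[rules.index(w) + 1:] if rule_matches(r, pkt)]


def explain(filterlog_line, pfctl_text):
    """Tie a filterlog line to the rule it names (by tracker id) and to the rules it shadows."""
    pkt = parse_filterlog(filterlog_line)
    rules = parse_pfctl_rules(pfctl_text)
    logged = next((r for r in rules if r["tracker"] == pkt["tracker"]), None)
    return {"packet": pkt, "logged_rule": logged,
            "winner": winning_rule(rules, pkt), "shadowed": shadowed_rules(rules, pkt)}


if __name__ == "__main__":
    info = explain(FILTERLOG_LINE, PFCTL_RULES)
    print("blocked by:", info["logged_rule"]["label"])
    for r in info["shadowed"]:
        print("never reached:", f'@{r["num"]}', r["label"])
```

Running it on the thread's data reports that `@108` (the user's "Deny All IPv4 from Internet", marked `quick`) is both the rule filterlog names and the rule the walk selects, and that `@129` (inbound isakmp from the peer) matches the same packet but is never reached. Dropping `@108` from the list makes `@129` the winner, which is exactly what happened when the rule was removed; the built-in default deny still catches everything that no pass rule accepts.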


  • Banned

    Deny is the implicit default. Absolutely no need for such rule.



    Yes indeed, I was not aware of that. Since my "Deny All" user rule was duplicating the already existing default "deny all", I decided to remove it, and now everything is working well …

    Thank you for your answers, which made me look in the right direction :)

    Cheers.


  • Banned

    Good that it works now. ;)

