    Firewall rules for Road Warrior IPSEC VPN?

    jeffhammett

      I have followed the instructions here (https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To) to setup a Road Warrior IPSEC VPN on two different pfSense routers. I followed the instructions exactly on both.

      The first pfSense already has some site to site IPSEC tunnels setup. Road Warrior VPN works fine on it with a fully updated iPhone. This pfSense where both site to site and road warrior IPSEC is working does not have any apparent firewall rules to allow IPSEC, but it is working.

      The second pfSense did not previously have any IPSEC connections setup. I setup the Road Warrior IPSEC VPN per the instructions and got the message: The VPN Server Did Not Respond on the iPhone.

      I did a packet capture on the WAN interface and saw traffic to UDP port 500. So I created a WAN firewall rule to allow it and tried again. This time I got a message that the VPN failed to negotiate and saw UDP port 4500 traffic. Created another firewall rule and now the iPhone connects just fine and everything seems to be working.

      My questions are:

      1. Why does one pfSense need WAN firewall rules while the other does not?
      2. Does anything else need to be done to ensure proper VPN functionality on the pfSense where I had to manually create the WAN firewall rules?

      jimp (Rebel Alliance Developer, Netgate)

        Firewall rules are always needed; however, in some cases they are made automatically for you. There is an option for automatic firewall rules for IPsec VPNs (System > Advanced, Firewall/NAT tab) – perhaps those rules are disabled on one?

        Is the IPsec VPN using your WAN IP address on both? Or perhaps an IP alias or CARP VIP? That could also affect it.

        For IPsec traffic you'll want to allow udp/500, udp/4500, and ESP (the whole protocol, not a port) for proper operation.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        jeffhammett

          @jimp:

          Firewall rules are always needed; however, in some cases they are made automatically for you. There is an option for automatic firewall rules for IPsec VPNs (System > Advanced, Firewall/NAT tab) – perhaps those rules are disabled on one?

          Is the IPsec VPN using your WAN IP address on both? Or perhaps an IP alias or CARP VIP? That could also affect it.

          For IPsec traffic you'll want to allow udp/500, udp/4500, and ESP (the whole protocol, not a port) for proper operation.

          When the IPSEC firewall rules are automatically made, are they invisible? Or should they show up somewhere?

          The pfSense where I didn't need to manually create any rules has no visible rules I can find allowing IPSEC traffic, but it does work.

          The 'Disable Auto-added VPN rules' is unchecked on both routers.

          IPSEC VPN is using WAN IP on both.

          jimp (Rebel Alliance Developer, Netgate)

            They don't show in the GUI, but you'd see them in /tmp/rules.debug or the live pf rules (e.g. pfctl -sr).


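As an added check, not part of this thread or of pfSense itself, here is a small POSIX shell script that inspects a pf ruleset (the output of `pfctl -sr`, or the contents of /tmp/rules.debug) for the three inbound WAN allows jimp lists: udp/500, udp/4500 and the ESP protocol. The script name, the interface name and address, and both sample rulesets are constructed for illustration and only approximate the layout of pfSense's auto-added rules.

```shell
#!/bin/sh
# Look for the three inbound WAN allows IPsec needs, udp/500 (IKE),
# udp/4500 (NAT-T) and the ESP protocol, in a pf ruleset such as the
# output of `pfctl -sr` or the contents of /tmp/rules.debug.
# On pfSense:  pfctl -sr | sh check_ipsec_rules.sh   (script name is hypothetical)

# check_ipsec_rules: reads the ruleset on stdin, prints one line per
# requirement, returns 0 if all three rules are present and 1 otherwise.
check_ipsec_rules() {
    rules=$(cat)
    missing=0
    for need in "udp:500" "udp:4500" "esp:"; do
        proto=${need%%:*}
        port=${need#*:}
        if [ -n "$port" ]; then
            pat="^pass in .*proto $proto .*port = $port( |$)"
        else
            pat="^pass in .*proto $proto "
        fi
        if printf '%s\n' "$rules" | grep -Eq "$pat"; then
            echo "ok      $proto${port:+/$port}"
        else
            echo "MISSING $proto${port:+/$port}"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample in the style of pfctl -sr on a box where the
# auto-added VPN rules are active (interface and address are placeholders).
SAMPLE_AUTO='pass in quick on em0 reply-to (em0 192.0.2.1) inet proto udp from any to (self) port = 500 keep state label "IPsec: Mobile - inbound isakmp"
pass in quick on em0 reply-to (em0 192.0.2.1) inet proto udp from any to (self) port = 4500 keep state label "IPsec: Mobile - inbound nat-t"
pass in quick on em0 reply-to (em0 192.0.2.1) inet proto esp from any to (self) keep state label "IPsec: Mobile - inbound esp proto"'

# Constructed sample with only the two hand-made udp rules from the thread:
# IKE can negotiate, but ESP traffic is still not allowed.
SAMPLE_MANUAL='pass in quick on em0 inet proto udp from any to 192.0.2.1 port = 500 keep state label "USER_RULE"
pass in quick on em0 inet proto udp from any to 192.0.2.1 port = 4500 keep state label "USER_RULE"'

# Demo run against the constructed samples; a non-zero status is reported,
# not treated as a script failure.
printf '%s\n' "$SAMPLE_AUTO" | check_ipsec_rules || echo "auto sample incomplete"
printf '%s\n' "$SAMPLE_MANUAL" | check_ipsec_rules || echo "manual sample incomplete"
```

If the auto-added rules are enabled but the check still reports a rule missing, compare the IPsec phase 1 interface with the address the client actually connects to, since the auto-added rules are tied to that interface.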