OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: DaveA67 on May 15, 2018, 03:05:02 pm

Title: Blocked VPN Traffic?
Post by: DaveA67 on May 15, 2018, 03:05:02 pm
Hi

I have an IPSec VPN between an Opnsense virtual machine and a Cisco RV320
The VPN establishes and seems fine.
A PC at the remote (Cisco) end can ping devices at the Opnsense end but not vice versa.
It looks like the Opnsense is trying to send VPN traffic out to the internet instead of down the tunnel.

All the routes etc. look to have been created properly - do I need to manually set up something to route outbound VPN traffic??

Cheers

dave

Title: Re: One way VPN Traffic?
Post by: DaveA67 on May 15, 2018, 03:58:32 pm
If I drop the pf tables with pfctl -d, the ping starts working, but then I have no NAT etc!
As soon as I pfctl -e it stops again, so it's definitely being blocked by the firewall, but no matter what rules I try to add it does not fix it :/

Any ideas?

Cheers

dave

Title: Re: One way VPN Traffic?
Post by: DaveA67 on May 15, 2018, 05:45:34 pm
OK I am confused now.
It seems some VPN traffic is being blocked both ways.
Some traffic is being sent via the IPSec tunnel correctly and some via the WAN??

Please see below

Network ranges at each end are the same but one routes correctly, one does not

IPsec   May 15 16:37:45   192.168.1.1:36136   172.20.102.10:50802   tcp   IPsec internal host to host
lan     May 15 16:37:17   192.168.1.1:50809   172.20.102.100:55438   tcp   Default deny rule

Title: Re: Blocked VPN Traffic?
Post by: DaveA67 on May 15, 2018, 05:53:53 pm
This does not make any sense:-

IPsec   May 15 16:32:13   172.20.102.100:55438   192.168.1.1:50809   tcp   Default deny rule
lan     May 15 16:32:12   172.20.102.100:55445   192.168.1.1:50809   tcp   let out anything from firewall host itself
IPsec   May 15 16:32:12   172.20.102.100:55445   192.168.1.1:50809   tcp   USER_RULE
IPsec   May 15 16:32:12   172.20.102.100:55438   192.168.1.1:50809   tcp   Default deny rule
IPsec   May 15 16:32:11   172.20.102.100:55438   192.168.1.1:50809   tcp   Default deny rule
IPsec   May 15 16:32:11   172.20.102.100:55438   192.168.1.1:50809   tcp   Default deny rule
IPsec   May 15 16:32:11   172.20.102.100:55438   192.168.1.1:50809   tcp   Default deny rule
lan     May 15 16:32:01   172.20.102.100:55444   192.168.1.1:50802   tcp   let out anything from firewall host itself
IPsec   May 15 16:32:01   172.20.102.100:55444   192.168.1.1:50802   tcp   USER_RULE

Data for the same IP addresses seems to flip between the IPSec interface and LAN.

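
An added example, not from the thread or from OPNsense itself: a small Python parser for lines in the layout of the log excerpt above, run over constructed sample lines in that layout. It groups each flow's hits by interface and rule, so the flows that hit "Default deny rule" on the IPsec interface and the host pairs that were logged on more than one interface can be listed instead of read off by eye.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log excerpt quoted in the post: interface, timestamp, src:port, dst:port, proto, rule.
SAMPLE_LOG = """\
IPsec   May 15 16:32:13   172.20.102.100:55438   192.168.1.1:50809   tcp   Default deny rule
lan     May 15 16:32:12   172.20.102.100:55445   192.168.1.1:50809   tcp   let out anything from firewall host itself
IPsec   May 15 16:32:12   172.20.102.100:55445   192.168.1.1:50809   tcp   USER_RULE
IPsec   May 15 16:32:11   172.20.102.100:55438   192.168.1.1:50809   tcp   Default deny rule
lan     May 15 16:32:01   172.20.102.100:55444   192.168.1.1:50802   tcp   let out anything from firewall host itself
IPsec   May 15 16:32:01   172.20.102.100:55444   192.168.1.1:50802   tcp   USER_RULE
"""
LINE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)\s+(?P<rule>.+?)\s*$")

def parse_log(text):
    """Parse log lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
            entries.append(e)
    return entries

def flow_key(e):
    return (e["src"], e["sport"], e["dst"], e["dport"])

def flows_by_interface(entries):
    """For each src/sport/dst/dport flow, the (interface, rule) hits in log order."""
    flows = defaultdict(list)
    for e in entries:
        flows[flow_key(e)].append((e["iface"], e["rule"]))
    return dict(flows)

def denied_flows(entries, iface):
    """Flows that hit the default deny on the given interface, sorted."""
    return sorted({flow_key(e) for e in entries
                   if e["iface"] == iface and e["rule"].startswith("Default deny")})

def interfaces_per_host_pair(entries):
    """Interfaces each src/dst host pair was logged on (the 'flip' between IPsec and lan)."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e["src"], e["dst"])].add(e["iface"])
    return {pair: sorted(ifaces) for pair, ifaces in seen.items()}
```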
Title: Re: Blocked VPN Traffic?
Post by: DaveA67 on May 16, 2018, 09:50:52 am
OK so this morning, without me changing anything at all overnight, it's working.