General Discussion / IPSec rules didn't trigger
« on: June 14, 2024, 12:36:45 am »
Hey folks,
long story short:
Problem:
Network A does not receive the responses from network B
RCA:
- The networks are connected via IPSec IKEv2 site-to-site
- Phase 1 proposal and authentication are the same here
- Both have a static public IPv4 address
- Network A has 5 local networks in phase 2
- Network B has 2 local networks in phase 2
- Network A has 10 entries in phase 2: Each network from A (local) to each network in network B (local)
- There are 8 entries on network B in phase 2: Each network from B (local) to each network in network A (local)
- Network A operates the OpenVPN. This has its own additional network, which is why there are also 2 more phases so that it can reach both local networks of network B
- Network A IPSec interface rules from the networks of A and B each as source and destination
- Network A IPSec interface rules from the networks of B and A each as source and destination
- IPSec tunnels are available on both sides according to the status overview
- Network A ping to network B IPs not possible
- Network B ping to network A IPs possible
Found discrepancies - does an allow all rule fix them?
- An allow-all rule works - is it because some rules are missing?
Drill deeper:
- I have created a description in the allow-all rule that I can filter on in Live View
- I created a ping that was not possible before and filtered it out in Live View with the allow-all rule
- I have analyzed this and found that the following type of rule is needed:
  - Interface: IPSec
  - Type: Pass
  - Direction: in
  - Source: net1 Network A
  - Destination: net1 Network B
Oh wonder of wonders - exactly this rule exists...
After lengthy research, we can't understand why the IPSec interface rules in network B don't seem to work. They are all enabled and have no special configuration - just interface, direction, source, destination.
Any ideas?
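The post describes Phase 2 as every local network paired with every remote network, mirrored on the peer, plus one inbound pass rule per pair on the IPSec interface. The script below is an added example, not code from the post or from any firewall product: it takes each side's local networks, Phase 2 selectors and IPSec-interface rules and reports selectors that the peer does not mirror, selectors the cross product implies but the list lacks, and inbound flows that no rule covers. All subnets are constructed placeholders (the post names none), chosen only to match the counts given above.

```python
"""Added example: consistency check for mirrored IPsec Phase 2 selectors
and the inbound pass rules on the IPsec interface. Subnets are constructed."""
from ipaddress import ip_network
from itertools import product


def net_pairs(pairs):
    """Normalise (local, remote) CIDR string pairs to network-object tuples."""
    return {(ip_network(l), ip_network(r)) for l, r in pairs}


def phase2_report(site, peer):
    """Compare one site's Phase 2 list and rules against what the peer implies.

    site/peer: dicts with 'local' (CIDR list) and 'phase2' (list of
    (local, remote) pairs); site also has 'rules', a list of
    (direction, source, destination) pass rules on the IPsec interface.
    """
    have = net_pairs(site["phase2"])
    expected = net_pairs(product(site["local"], peer["local"]))
    mirror_of_peer = {(r, l) for l, r in net_pairs(peer["phase2"])}
    # Traffic from the peer arrives on the IPsec interface with the remote
    # network as source and the local network as destination, direction "in".
    covered = {(ip_network(dst), ip_network(src))
               for direction, src, dst in site["rules"] if direction == "in"}

    def fmt(pairs):
        return sorted(f"{l} <-> {r}" for l, r in pairs)

    return {
        "missing_selectors": fmt(expected - have),
        "unmirrored_on_peer": fmt(have - mirror_of_peer),
        "inbound_without_rule": fmt(have - covered),
    }


# Constructed to match the post's counts: A has five LANs plus the OpenVPN
# network, B has two LANs, A lists 12 selectors, B lists 8.
SITE_A_LOCAL = [f"10.1.{i}.0/24" for i in range(5)] + ["10.9.0.0/24"]
SITE_B_LOCAL = ["10.2.0.0/24", "10.2.1.0/24"]
SITE_A = {
    "local": SITE_A_LOCAL,
    "phase2": list(product(SITE_A_LOCAL, SITE_B_LOCAL)),
    "rules": [("in", b, a) for a, b in product(SITE_A_LOCAL, SITE_B_LOCAL)],
}
SITE_B = {
    "local": SITE_B_LOCAL,
    "phase2": list(product(SITE_B_LOCAL, SITE_A_LOCAL[:4])),
    "rules": [("in", a, b) for b, a in product(SITE_B_LOCAL, SITE_A_LOCAL[:5])],
}

if __name__ == "__main__":
    for name, site, peer in (("A", SITE_A, SITE_B), ("B", SITE_B, SITE_A)):
        print(name, phase2_report(site, peer))
```

Feed it the real selector lists from both status pages; an entry under "unmirrored_on_peer" is a flow one side will try to initiate that the other side has no SA for, and "inbound_without_rule" lists the exact source/destination pairs whose pass rule should appear in Live View.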