[Solved] IPsec - tunnel down when pf is active

Started by newsense, February 12, 2023, 05:58:46 PM

February 12, 2023, 05:58:46 PM Last Edit: February 20, 2023, 02:58:32 PM by newsense
Hi there,


Following https://docs.opnsense.org/manual/how-tos/ipsec-s2s.html as reference.

Setup is fairly barebones - in a lab.

OPNsense FWs - cloned* - no VLANs, one Linux VM in each LAN pinging each other, allow any out rules on LAN and IPSec.
        * - this is an old VM deployed years ago, fully up to date on 23.1 - kept as a reference. IPSec was never used on it previously and no NAT changes ever happened on it.


The LANs are in the form of 192.168.AAA.0/24 and 192.168.BBB.0/24 - so nothing unusual there either.

WAN interfaces are on the same vlan, all the IPSec rules mentioned in the documentation are present and there's only one additional rule to manage the FWs through the WAN.

I exported the FW configs and did a side-by-side in WinMerge and everything looks as expected.


The tunnel is not coming up for some reason, and I don't see anything helpful in the Live Logs or the IPSec ones, however as soon as I disable pf it all comes to life, phase 2 appears in IPSec Status Overview and ping works - both with Mutual PSK and Mutual PKI.


It took me a few tries redoing the IPSec config on both ends - thinking I might have chosen DH groups that may not be fully supported/working - until I did a config with the absolute defaults mentioned in the doc, and when that still failed I disabled pf as the last thing standing that I could think of.


Seeing how everything is completely open, the WinMerge side-by-side diff is clean with the IPSec things mirrored as expected and it all works with pf stopped - I figured I'd ask here first should there be something obscure I'm missing, otherwise this may be a bug after all?


Thanks,
N

Attached a screenshot of the MutualPKI setup - working fine as soon as pf is stopped.


Hi,

If the tunnel works when you turn off the firewall, then this is not a bug but a missing firewall rule.

Regards,
atom

Yeah well that's the thing though, nothing comes up in the live log as blocked traffic, the expected WAN rules are in place - and they're automatically created.


February 12, 2023, 06:59:56 PM #5 Last Edit: February 12, 2023, 07:05:45 PM by newsense
Sure, I just added the last entries (mirrored of course) and rebooted the FWs to see if that changes anything and it's still not coming up, and I'm watching the live log for anything that may trigger the last rule and nothing comes up.

LAN side only has the default rules.

I don't know why you defined IPsec out rules.
The IPsec In rule limits the WAN access to 192.168.69.35, which is an internal address and not a WAN address. Then you should add a rule for 4500/udp for NAT-T.
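For reference, the WAN-side rules a site-to-site IPsec peer needs, written as a pf.conf fragment. This is an added illustration, not from this thread and not the ruleset OPNsense generates (there the rules come from the GUI and the IPsec "magic wand" entries); the interface name em0, the peer address 192.168.69.16 (taken from the ".16" mentioned below) and the two LAN prefixes are assumptions to be replaced with your own.

```pf
# Assumed names and addresses; substitute your own.
wan_if     = "em0"             # this firewall's WAN interface
peer       = "192.168.69.16"   # the other firewall's WAN address (assumed)
local_lan  = "192.168.10.0/24" # placeholder for 192.168.AAA.0/24
remote_lan = "192.168.20.0/24" # placeholder for 192.168.BBB.0/24

# IKE (ISAKMP): phase 1 / phase 2 negotiation. Source is the peer's WAN
# address, never one of our own LAN addresses.
pass in quick on $wan_if proto udp from $peer to ($wan_if) port 500 keep state

# NAT-T: IKE and UDP-encapsulated ESP when a NAT sits between the peers.
pass in quick on $wan_if proto udp from $peer to ($wan_if) port 4500 keep state

# ESP: the encrypted tunnel traffic itself (IP protocol 50, no ports).
pass in quick on $wan_if proto esp from $peer to ($wan_if) keep state

# Outbound counterparts, needed only if the WAN default policy blocks
# outgoing traffic; they let this side initiate the tunnel.
pass out quick on $wan_if proto udp from ($wan_if) to $peer port { 500 4500 } keep state
pass out quick on $wan_if proto esp from ($wan_if) to $peer keep state

# Once phase 2 is up, the decrypted packets appear on enc0 (the IPsec
# interface) and are filtered there; without this, IKE succeeds but
# the LAN-to-LAN pings still fail.
pass in quick on enc0 from $remote_lan to $local_lan keep state
pass out quick on enc0 from $local_lan to $remote_lan keep state
```

Blocked IKE or ESP on the WAN shows up in the firewall log as drops for udp/500, udp/4500 or proto esp; a tunnel that never gets past phase 1 with pf enabled but works with pf disabled points at one of the first three rules.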


Both WANs are in the same VLAN, one is .16 the other .35 so they can freely communicate with each other, and of course "block private networks" is unchecked on both WANs.

As written, 192.168.69.35 is not a WAN address. Leave the Source field empty for now.


I can take the rule out, or leave it empty as you say, it won't make a difference.

Also, to answer your other question, if you look closely on the left hand side of my screenshot you'll see I didn't manually define anything for IPsec - that magic wand shows they've been automatically created - and I don't know why for outbound as well.

Typically, one wants to establish a VPN tunnel between a remote computer and the local computer. The source can therefore never be a local address.

Sure, that would be the end goal, but I stumbled on this weird issue while testing the IPSec config in the lab environment and IPSec seems fine, FW rules as well, and yet it's not working with pf enabled.

Just tried with an allow rule allowing everything from WAN net, rebooted the FWs and I'm in the same place.

Meanwhile the IPSec logs don't reveal anything out of the ordinary - simply unable to connect while pf is up.