IPSEC fw rules don't trigger

[mickbee]

Hi guys,

another odd issue i came across; the scenario is as follows:

APU2 running OPNsense 16.7.13-amd64 on FreeBSD 10.3-RELEASE-p14, connected via an IPSEC v2 LAN to LAN tunnel with a:
Soekris 5501-70 running OPNsense 17.1.r1-i386 on FreeBSD 11.0-RELEASE-p5

Tunnel seems to be up at the time when I'm making my tests - this is confirmed by seeing the traffic on the Soekris box in the fw log; both boxes' config has apropriate rules for allowing ICMP from a number of networks (using aliases) to networks TCP;ICMP;

The log confirms that pings arrived at the remote box and got blocked; clicking on the green arrow in the log entry creates an easy rule and even after filter reload, all ping attempts get blocked.

Note that the same applies to all (around 10) rules within the IPSEC tab - most rely on aliases for source/destination/dest.port but two are IP -> IP / any and those don't work either.

No other 17.1 boxes (have 2 more but diff hw/vm and on 10.3 instead) display the same behavior.

[nspritz]

I'm seeing the same behavior after upgrading to 17.1.

IPSec tunnel established but no TCP/UDP traffic flow. Logs show IPSec traffic being blocked despite allow rules on the IPSec Interace. ICMP (ping) seems to work regardless.

Only workaround for me was to *completely* open up the firewall rules on the IPSec interface at both tunnel endpoints.

Rules on both sides:
IPv4 (proto any) Src (any) --> Dest (any).
This is the only rule config which allows traffic to flow through the tunnel.

Hardware:
ESXi 6.0 VM <--ipsec--> Intel i3 box
Both endpoint running on Intel NICs (VM on passthrough to physical Intel 82574L 1Gb)

Hope this info helps.
Let me know if more hardware detail is needed.
Thanks

[franco]

Can you guys try this?

# sysctl net.inet.ipsec.filtertunnel=1


Cheers,
Franco

[lordwarlock]

Same problem here

Outbound Connections from the Internal OPNsense Network are working, inbound Connections not.

after setting sysctl net.inet.ipsec.filtertunnel=1 inbound Connections are working - with a strange behavior - External IPSEC-IPs are now Tagged as Interface "WAN" - Corresponding Rules created under Firewall > Rules > WAN with Interface WAN are working, the Same Rule created unter "IPSEC" with Interface IPSEC not....

[franco]

Yes, we've seen this and two other errors. It's impossible to get to the bottom with all 3 issues floating around in 17.1. We will release 17.1.1 this week to fix two of them, then look for that last one with the WAN IPsec traffic.

FWIW, the latter can be worked around by disabling private network blocks on WAN and allowing the traffic in from your IPsec networks.

Any help in tracking this down is appreciated.


Cheers,
Franco

[nspritz]

Just updated to 17.1.1

IPSec (site-to-site) tunnel still connecting (phase 1 & 2) as before.
Tunneled traffic seems to be reaching destination WAN interface, but is being blocked by FW, even though IPSec fw rules are wide open on both sides (any:any).

Tried:
-Disabled 'Private Network Blocks' on WAN interface (both endpoints) as suggested.
-Started traceroute + ping from site-A --> site-B

Quick observations:
On site-B: fw logs now show ipsec traffic blocked on the WAN interface.
So I created a pass rule for the tunneled network (A) --> destination network (B) with protocol:any on the WAN int.

Now no more blocked logs but still no traffic reaching destination host. Hmm.

My 17.1.1 (testing env) OPN config has not changed from my 16.7.14 production env, which still works


Hope this helps, and please let me know if you need any more information.
When time allows again, I will try digging into this further.

Thanks.

[franco]

This is something that's causing a headache, we are entirely unsure why the WAN interface receives the incoming IPsec traffic. This does, however, only affect incoming connections not previously tracked. We're looking into it at the moment.

Workaround is disable bogon private block on WAN, adding subnet exceptions for IPsec networks.


Cheers,
Franco

[lordwarlock]

Updated to 17.1.1 - still not working

Created a Rule IPSEC <net-a> to <net-b> allow, pingtest, nothing happend

created a Rule IPSEC * * allow -> pingtest, worked

Tried a SSH Session, worked for ~10 Seconds, then the session hangs, Firewall Log shows blocks on these sessions.

Reverted to sysctl net.inet.ipsec.filtertunnel=1 - everything works again...strange

[miclan]

Same problem here.
Did someone find a solution?

My situation is:
VPN site A (main) 17.1.1
VPN site B (remote office 1) 17.1.1
VPN site C (remote office 2) 16.7.14

From A to B connection is OK, but no traffic on LAN
From A to C connection and lan traffica OK

[Andreas]

Reference to

https://forum.opnsense.org/index.php?topic=4385

[guest15510]

Hello!

I have/had the same issues. All the hint's were not working after i did the following:
Used a Backup-Config, rewrote the IPSEC-firewall part to the following:
"IPv4*     *    *    LAN net    *    * "

saved the XML und uploaded the config (Firewall-Rules only!) - Everything is working now.
After several tests i can say it could be something with the "rule-creation".
Via GUI it's not working for me.

Current Version:
OPNsense 17.1.3-amd64
FreeBSD 11.0-RELEASE-p8
LibreSSL 2.4.5

Just my 2 cents.... Cost me at least 13 hours 

[amp]

Hi all, i would like to say hello this is my first post on the forum, i am a new opnsense user on a deciso appliance.

i am also having similar issues that VPN traffic is blocked by the firewall despite rules set.

@ SystemSh0cker, Can you elaborate on your solution a bit more? I think i don't understand yet completely how you have done it.
Did you backup the complete config, then deleted all firewall rules beside the one:

"IPv4*     *    *    LAN net    *    * "

and then restored only the firewall rules from the backup again?

Thanks for clarifying.

[markus.mantlik]

Hello,

this is also my first post on this forum. We are testing the opnsense appliance and most looks good so far. Beside one problem with IPSEC. Which makes it impossible for us to switch over to opnsense.

As already posted here before IPSEC traffic only works with a ANY <-> ANY firewall rule enabled.
There are a lot of posts here about this problem, but no real solution. We do need firewall rules on IPSEC tunnels.

Does anyone still work on this problem? If yes, is there already a timeline known when an update will be available?

Regards,
Markus

[liberomic]

Hi all,

I have the same problem from many days but this big issue is not considered highest from support.

in this post you can find my workaround
https://forum.opnsense.org/index.php?topic=4385.0

See you
Liberomic