  • OPNsense Forum »
  • Archive »
  • 17.1 Legacy Series »
  • IPSEC fw rules don't trigger
Author Topic: IPSEC fw rules don't trigger  (Read 9558 times)

mickbee

  • Newbie
  • Posts: 15
  • Karma: 0
IPSEC fw rules don't trigger
« on: January 21, 2017, 11:46:05 pm »
Hi guys,

Another odd issue I came across; the scenario is as follows:

APU2 running OPNsense 16.7.13-amd64 on FreeBSD 10.3-RELEASE-p14, connected via an IPSEC v2 LAN to LAN tunnel with a:
Soekris 5501-70 running OPNsense 17.1.r1-i386 on FreeBSD 11.0-RELEASE-p5

Tunnel seems to be up at the time when I'm making my tests - this is confirmed by seeing the traffic on the Soekris box in the fw log; both boxes' configs have appropriate rules for allowing ICMP from a number of networks (using aliases) to networks TCP;ICMP;

The log confirms that pings arrived at the remote box and got blocked; clicking on the green arrow in the log entry creates an easy rule and even after filter reload, all ping attempts get blocked.

Note that the same applies to all (around 10) rules within the IPSEC tab - most rely on aliases for source/destination/dest.port but two are IP -> IP / any and those don't work either.

No other 17.1 boxes (have 2 more but diff hw/vm and on 10.3 instead) display the same behavior.

nspritz

  • Newbie
  • Posts: 14
  • Karma: 4
Re: IPSEC fw rules don't trigger
« Reply #1 on: February 06, 2017, 11:50:41 am »
I'm seeing the same behavior after upgrading to 17.1.

IPSec tunnel established but no TCP/UDP traffic flow. Logs show IPSec traffic being blocked despite allow rules on the IPSec interface. ICMP (ping) seems to work regardless.

Only workaround for me was to *completely* open up the firewall rules on the IPSec interface at both tunnel endpoints.


Rules on both sides:
IPv4 (proto any) Src (any) --> Dest (any).
This is the only rule config which allows traffic to flow through the tunnel.

Hardware:
ESXi 6.0 VM <--ipsec--> Intel i3 box
Both endpoints running on Intel NICs (VM on passthrough to physical Intel 82574L 1Gb)


Hope this info helps.
Let me know if more hardware detail is needed.
Thanks :)
« Last Edit: February 06, 2017, 11:53:20 am by nspritz »

franco

  • Administrator
  • Hero Member
  • Posts: 13694
  • Karma: 1176
Re: IPSEC fw rules don't trigger
« Reply #2 on: February 06, 2017, 02:06:45 pm »
Can you guys try this?

# sysctl net.inet.ipsec.filtertunnel=1


Cheers,
Franco

lordwarlock

  • Newbie
  • Posts: 11
  • Karma: 0
Re: IPSEC fw rules don't trigger
« Reply #3 on: February 06, 2017, 06:02:11 pm »
Same problem here

Outbound connections from the internal OPNsense network are working, inbound connections are not.

After setting sysctl net.inet.ipsec.filtertunnel=1 inbound connections are working - with a strange behavior: external IPSEC IPs are now tagged as interface "WAN". Corresponding rules created under Firewall > Rules > WAN with interface WAN are working; the same rule created under "IPSEC" with interface IPSEC is not....


franco

  • Administrator
  • Hero Member
  • Posts: 13694
  • Karma: 1176
Re: IPSEC fw rules don't trigger
« Reply #4 on: February 06, 2017, 06:07:58 pm »
Yes, we've seen this and two other errors. It's impossible to get to the bottom with all 3 issues floating around in 17.1. We will release 17.1.1 this week to fix two of them, then look for that last one with the WAN IPsec traffic.

FWIW, the latter can be worked around by disabling private network blocks on WAN and allowing the traffic in from your IPsec networks.

Any help in tracking this down is appreciated.


Cheers,
Franco

nspritz

  • Newbie
  • Posts: 14
  • Karma: 4
Re: IPSEC fw rules don't trigger
« Reply #5 on: February 09, 2017, 04:19:45 pm »
Just updated to 17.1.1

IPSec (site-to-site) tunnel still connecting (phase 1 & 2) as before.
Tunneled traffic seems to be reaching destination WAN interface, but is being blocked by FW, even though IPSec fw rules are wide open on both sides (any:any).

Tried:
-Disabled 'Private Network Blocks' on WAN interface (both endpoints) as suggested.
-Started traceroute + ping from site-A --> site-B

Quick observations:
On site-B: fw logs now show ipsec traffic blocked on the WAN interface.
So I created a pass rule for the tunneled network (A) --> destination network (B) with protocol:any on the WAN int.

Now no more blocked logs but still no traffic reaching destination host. Hmm.

My 17.1.1 (testing env) OPN config has not changed from my 16.7.14 production env, which still works :)


Hope this helps, and please let me know if you need any more information.
When time allows again, I will try digging into this further.

Thanks.

franco

  • Administrator
  • Hero Member
  • Posts: 13694
  • Karma: 1176
Re: IPSEC fw rules don't trigger
« Reply #6 on: February 09, 2017, 08:01:46 pm »
This is something that's causing a headache, we are entirely unsure why the WAN interface receives the incoming IPsec traffic. This does, however, only affect incoming connections not previously tracked. We're looking into it at the moment.

Workaround is to disable the bogon/private block on WAN, adding subnet exceptions for IPsec networks.


Cheers,
Franco
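The symptom the posts above describe (tunnelled traffic showing up in the firewall log as blocked on WAN rather than on the IPsec interface) is easy to miss in a busy log. The following is an added example, not code from this thread or from the OPNsense project: it parses the comma-separated filterlog lines that pf-based firewalls such as OPNsense write (IPv4 layout only, field order as assumed here), and flags blocked packets whose source and destination both lie inside the phase-2 networks but which were logged on an interface other than enc0. The summary then tells you which interface and rule number is doing the blocking, so you can tell whether the "WAN pass rule plus private-block exception" workaround is what you are looking at. Interface names, networks and log lines are constructed for the demo.

```python
"""Spot decapsulated IPsec traffic being filtered on the wrong interface.

Added example (not from the forum thread or OPNsense). Field positions follow
the OPNsense/pfSense filterlog CSV layout for IPv4 as assumed by this author:
rulenr,subrulenr,anchor,tracker,interface,reason,action,dir,ipversion,tos,ecn,
ttl,id,offset,flags,protoid,protoname,length,src,dst,<protocol-specific...>
"""
import ipaddress
from collections import Counter

# Constructed phase-2 networks (site A <-> site B); not values from the thread.
IPSEC_NETWORKS = [ipaddress.ip_network("192.168.10.0/24"),
                  ipaddress.ip_network("192.168.20.0/24")]
IPSEC_INTERFACE = "enc0"   # pf name of the IPsec interface on FreeBSD
WAN_INTERFACE = "igb0"     # constructed WAN interface name

# Constructed filterlog lines: two tunnel packets blocked on WAN by the default
# rule, one tunnel packet correctly passed on enc0, one unrelated WAN block.
SAMPLE_LOG = """\
Feb  9 16:10:01 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,21345,0,DF,1,icmp,84,192.168.10.5,192.168.20.7,request,1234,0
Feb  9 16:10:02 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,21346,0,DF,6,tcp,60,192.168.10.5,192.168.20.7,51234,22,0,S,3412345678,,65535,,mss
Feb  9 16:10:03 fw filterlog: 87,,,1486567890,enc0,match,pass,in,4,0x0,,64,21347,0,DF,6,tcp,60,192.168.10.5,192.168.20.7,51235,22,0,S,3412345699,,65535,,mss
Feb  9 16:10:04 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,9921,0,none,6,tcp,60,203.0.113.9,198.51.100.2,44321,443,0,S,99887766,,29200,,mss
"""


def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not one."""
    marker = "filterlog: "
    idx = line.find(marker)
    if idx < 0:
        return None
    fields = line[idx + len(marker):].strip().split(",")
    # Need at least the fixed IPv4 header fields up to and including dst.
    if len(fields) < 20 or fields[8] != "4":
        return None
    try:
        src = ipaddress.ip_address(fields[18])
        dst = ipaddress.ip_address(fields[19])
    except ValueError:
        return None
    return {
        "rule": fields[0], "interface": fields[4], "action": fields[6],
        "direction": fields[7], "proto": fields[16], "src": src, "dst": dst,
    }


def in_ipsec_networks(addr):
    """True if the address belongs to one of the configured phase-2 networks."""
    return any(addr in net for net in IPSEC_NETWORKS)


def find_misplaced_ipsec_blocks(log_text):
    """Blocked packets between phase-2 networks logged off the IPsec interface.

    A hit means the kernel handed the decapsulated packet to pf on a physical
    interface (WAN), so rules on the IPsec tab never saw it.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_filterlog(line)
        if entry is None or entry["action"] != "block":
            continue
        if entry["interface"] == IPSEC_INTERFACE:
            continue   # blocked on enc0: that is an ordinary IPsec rule decision
        if in_ipsec_networks(entry["src"]) and in_ipsec_networks(entry["dst"]):
            hits.append(entry)
    return hits


def summarize(hits):
    """Count hits per (interface, rule number) so the blocking rule is obvious."""
    return Counter((h["interface"], h["rule"]) for h in hits)


if __name__ == "__main__":
    found = find_misplaced_ipsec_blocks(SAMPLE_LOG)
    for (iface, rule), count in summarize(found).items():
        print(f"{count} tunnel packet(s) blocked on {iface} by rule {rule} "
              f"(expected them on {IPSEC_INTERFACE})")
```

Run it against `clog /var/log/filter.log` output (or a saved copy) by replacing SAMPLE_LOG with the file contents; a non-empty summary on the WAN interface is the signature discussed in this thread, and an empty one means the blocks you see are genuine IPsec-tab rule decisions.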

lordwarlock

  • Newbie
  • Posts: 11
  • Karma: 0
Re: IPSEC fw rules don't trigger
« Reply #7 on: February 13, 2017, 11:14:21 am »
Updated to 17.1.1 - still not working

Created a rule IPSEC <net-a> to <net-b> allow, ping test, nothing happened

Created a rule IPSEC * * allow -> ping test, worked

Tried a SSH Session, worked for ~10 Seconds, then the session hangs, Firewall Log shows blocks on these sessions.

Reverted to sysctl net.inet.ipsec.filtertunnel=1 - everything works again...strange

miclan

  • Newbie
  • Posts: 27
  • Karma: 1
Re: IPSEC fw rules don't trigger
« Reply #8 on: February 15, 2017, 10:43:22 am »
Same problem here.
Did someone find a solution?

My situation is:
VPN site A (main) 17.1.1
VPN site B (remote office 1) 17.1.1
VPN site C (remote office 2) 16.7.14

From A to B connection is OK, but no traffic on LAN
From A to C connection and LAN traffic OK

Andreas

  • Sr. Member
  • Posts: 272
  • Karma: 9
Re: IPSEC fw rules don't trigger
« Reply #9 on: February 15, 2017, 11:35:42 am »
Reference to

https://forum.opnsense.org/index.php?topic=4385

guest15510

  • Guest
Re: IPSEC fw rules don't trigger
« Reply #10 on: March 21, 2017, 10:36:36 pm »
Hello!

I have/had the same issues. All the hints were not working. I then did the following:
Used a Backup-Config, rewrote the IPSEC-firewall part to the following:
"IPv4*     *    *    LAN net    *    * "

Saved the XML and uploaded the config (firewall rules only!) - everything is working now.
After several tests I can say it could be something with the "rule creation".
Via GUI it's not working for me.

Current Version:
OPNsense 17.1.3-amd64
FreeBSD 11.0-RELEASE-p8
LibreSSL 2.4.5

Just my 2 cents.... Cost me at least 13 hours  :o

amp

  • Newbie
  • Posts: 10
  • Karma: 1
Re: IPSEC fw rules don't trigger
« Reply #11 on: March 23, 2017, 09:54:39 am »
Hi all, I would like to say hello; this is my first post on the forum. I am a new opnsense user on a Deciso appliance.

I am also having similar issues: VPN traffic is blocked by the firewall despite the rules set.

@ SystemSh0cker, can you elaborate on your solution a bit more? I think I don't completely understand yet how you have done it.
Did you back up the complete config, then delete all firewall rules besides this one:

"IPv4*     *    *    LAN net    *    * "

and then restored only the firewall rules from the backup again?

Thanks for clarifying.

markus.mantlik

  • Newbie
  • Posts: 1
  • Karma: 0
Re: IPSEC fw rules don't trigger
« Reply #12 on: July 03, 2017, 04:33:22 pm »
Hello,

This is also my first post on this forum. We are testing the opnsense appliance and most looks good so far, besides one problem with IPSEC, which makes it impossible for us to switch over to opnsense.

As already posted here before, IPSEC traffic only works with an ANY <-> ANY firewall rule enabled.
There are a lot of posts here about this problem, but no real solution. We do need firewall rules on IPSEC tunnels.

Does anyone still work on this problem? If yes, is there already a timeline known when an update will be available?

Regards,
Markus


liberomic

  • Newbie
  • Posts: 24
  • Karma: 0
Re: IPSEC fw rules don't trigger
« Reply #13 on: July 04, 2017, 11:58:43 am »
Hi all,

I have had the same problem for many days, but this big issue is not given the highest priority by support.

In this post you can find my workaround:
https://forum.opnsense.org/index.php?topic=4385.0

See you ;)
Liberomic