Routed IPSec between pfSense/OpnSense problem

I am trying to set up a site-to-site VPN between Vyos 1.3.0 and pfSense/OpnSense.

The problem is the tunnel comes up but I cannot have traffic from the pfSense/OpnSense site to the Vyos site until I first send a ping from the Vyos site to the pfSense/OpnSense site.

Both sites are on public IP addresses, no NAT in between. I have tried different combinations of the connection-type parameter respond/initiate but nothing worked.

OpnSense is based on FreeBSD 13.0 and pfSense on FreeBSD 12.3. Both behave similarly.

Any idea how to troubleshoot this?

Sounds like it may be related to missing an entry in the ARP table.

The reason the first ping usually fails is that the remote router in that LAN has to put the ping request on hold to send out an ARP broadcast to learn the MAC address of the remote device, then wait for a response, and then send the first ping through. This delay is usually too long. That’s why the initial ping request from your PC times out and declares that the ping failed.
Why Does the First Ping Usually Fail

You can check the ARP table and see if the remote router is missing, but appears after a ping series or other traffic.

Problem is all pings fail from the side behind pfSense/OpnSense even if the tunnel is up, until I perform a ping from the other side behind Vyos.
Also ping from A to the tunnel address on B fails, until I ping the tunnel address of A from B. After that all is OK.

Because traffic is normally only initiated from A, the traffic will never pass the tunnel to B.

@Lex Do you have any firewall rules with state-related conditions inside?

set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 ipsec match-ipsec
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 42 action 'accept'
set firewall name OUTSIDE-LOCAL rule 42 destination port '4500'
set firewall name OUTSIDE-LOCAL rule 42 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec match-ipsec
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address 'X.Y.Z.34/26'
set interfaces ethernet eth0 description 'OUTSIDE'
set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
set interfaces ethernet eth0 hw-id '00:15:5d:06:1d:34'
set interfaces ethernet eth1 address '192.168.112.1/24'
set interfaces ethernet eth1 description 'INSIDE'
set interfaces ethernet eth1 hw-id '00:15:5d:06:1d:35'
set interfaces loopback lo
set interfaces vti vti10 address '10.0.0.3/31'
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 source address '192.168.112.0/24'
set nat source rule 100 translation address 'masquerade'
set protocols static route 0.0.0.0/0 next-hop X.Y.Z.1
set protocols static route 192.168.6.0/24 next-hop 10.0.0.2

Looks indeed like a problem with the firewall rules. After disabling the OUTSIDE-LOCAL rules traffic flows in both directions.

Any suggestion what rule could cause the issue? I got these rules from the various samples.

Try:

delete firewall name OUTSIDE-LOCAL rule 40 ipsec

Thanks, that worked.

And to explain why:
match-ipsec means: coming from the IPsec decryption engine.
Which won't match your ESP traffic, as this is still encrypted.
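The rule combination explained above is easy to reintroduce when copying snippets from samples, so a small lint helps. The script below is an added example, not part of this thread or of VyOS itself: it reads VyOS `set firewall name ... rule ...` lines and reports every rule that pairs `ipsec match-ipsec` with the still-encrypted transport, i.e. `protocol 'esp'` as in rule 40, and (going slightly beyond the thread) UDP destination port 500 or 4500, which carry IKE and NAT-T and are likewise never the output of IPsec decryption. The `sample_rules` ruleset is constructed for the example; rule 43 (UDP/1701 with match-ipsec) is deliberately left unflagged because L2TP inside the tunnel is a legitimate use of match-ipsec.

```shell
#!/bin/sh
# Constructed sample ruleset modelled on the thread's config (not the full config).
# Rule 40 has the contradictory combination, rule 41 is plain IKE, rule 43 is
# the legitimate L2TP-over-IPsec use of match-ipsec.
sample_rules() {
  cat <<'EOF'
set firewall name OUTSIDE-LOCAL rule 40 action 'accept'
set firewall name OUTSIDE-LOCAL rule 40 ipsec match-ipsec
set firewall name OUTSIDE-LOCAL rule 40 protocol 'esp'
set firewall name OUTSIDE-LOCAL rule 41 action 'accept'
set firewall name OUTSIDE-LOCAL rule 41 destination port '500'
set firewall name OUTSIDE-LOCAL rule 41 protocol 'udp'
set firewall name OUTSIDE-LOCAL rule 43 action 'accept'
set firewall name OUTSIDE-LOCAL rule 43 destination port '1701'
set firewall name OUTSIDE-LOCAL rule 43 ipsec match-ipsec
set firewall name OUTSIDE-LOCAL rule 43 protocol 'udp'
EOF
}

# Read "set firewall name <ruleset> rule <n> ..." lines on stdin and print
# "<ruleset> <n>" for each rule that combines 'ipsec match-ipsec' with the
# encrypted/IKE transport itself (protocol esp, or udp port 500/4500).
# Such a rule can never match: match-ipsec only sees decrypted packets.
lint_ipsec_rules() {
  awk '
    $1 == "set" && $2 == "firewall" && $3 == "name" && $5 == "rule" {
      key = $4 " " $6
      val = $NF
      gsub("\047", "", val)          # strip the single quotes around values
      if ($7 == "ipsec" && $8 == "match-ipsec") matchipsec[key] = 1
      if ($7 == "protocol" && val == "esp") transport[key] = 1
      if ($7 == "destination" && $8 == "port" && (val == "500" || val == "4500"))
        transport[key] = 1
    }
    END {
      for (k in matchipsec) if (k in transport) print k
    }' | sort
}

# Usage: feed the output of "show configuration commands | grep 'firewall name'"
# from the router; here the constructed sample is used instead.
sample_rules | lint_ipsec_rules
```

Each reported rule is a candidate for the same fix as in the thread (`delete firewall name <ruleset> rule <n> ipsec`), after confirming it was meant to pass ESP or IKE rather than decrypted traffic.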


OK, clear.
Should I also delete rule 43?
Port 1701 seems to be used for L2TP which we don’t use.

Without L2TP, you can get rid of the rule. You can also double-check the statistics on the rule.
